# Academy!
## @Author : M3tr1c_r00t

Academy is an easy box. We get a foothold through a token exposed by a Laravel (PHP) application, then abuse the adm group's ability to read system logs, which paves our way to root.
### Enumeration ...
_**Nmap...**_
```
# Nmap 7.92 scan initiated Fri Nov 25 19:10:27 2022 as: nmap -sC -sV -A -p 22,80,33060 -oN nmapports.txt 10.129.250.108
Nmap scan report for academy.htb (10.129.250.108)
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Hack The Box Academy
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=11/25%Time=63811331%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.0 - 5.4 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 (94%), Linux 5.0 - 5.3 (94%), Linux 5.4 (94%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 230.96 ms 10.10.14.1
2 230.91 ms academy.htb (10.129.250.108)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 25 19:13:42 2022 -- 1 IP address (1 host up) scanned in 195.67 seconds
```
The HTTP title points at the hostname academy.htb, so we add it to /etc/hosts and then check out the site.
<br>We find a mostly static site with login and registration pages.

After registering, we are redirected to the home page, but it is static content too.
<br>_**Next, directory brute-forcing...**_
<br>In this instance, I used gobuster with the raft-small-files-lowercase.txt wordlist from SecLists:
```
/index.php            (Status: 200) [Size: 2117]
/login.php            (Status: 200) [Size: 2627]
/register.php         (Status: 200) [Size: 3003]
/admin.php            (Status: 200) [Size: 2633]
/config.php           (Status: 200) [Size: 0]
/home.php             (Status: 302) [Size: 55034] [--> login.php]
/.htaccess.php        (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/.                    (Status: 200) [Size: 2117]
/.html                (Status: 403) [Size: 276]
/.html.php            (Status: 403) [Size: 276]
/.php                 (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/.htpasswd.php        (Status: 403) [Size: 276]
/.htm.php             (Status: 403) [Size: 276]
/.htm                 (Status: 403) [Size: 276]
/.htpasswds.php       (Status: 403) [Size: 276]
/.htpasswds           (Status: 403) [Size: 276]
/.htgroup             (Status: 403) [Size: 276]
/.htgroup.php         (Status: 403) [Size: 276]
/wp-forum.phps        (Status: 403) [Size: 276]
/.htaccess.bak        (Status: 403) [Size: 276]
/.htaccess.bak.php    (Status: 403) [Size: 276]
/.htuser.php          (Status: 403) [Size: 276]
/.htuser              (Status: 403) [Size: 276]
```
The interesting find is an admin page, /admin.php.
<br>Registration is loose enough that we can forge an admin-like account: the username is not normalised, so a name that only differs from admin by appended characters, such as a trailing space ("admin "), is accepted as a new user.
<br>This works because the form is URL-encoded when sent, so the extra character survives the request intact.
<br>More importantly, the registration request carries a hidden parameter, roleid, which is set to 0. If we intercept the request and change it to 1, the new account gets admin privileges regardless of the username used.
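The two weaknesses just described, as an added illustration in Python (this is not the Academy application's code; the field names uid, password and confirm and the role values 0 = user, 1 = admin are assumptions modelled on the writeup): a registration handler that stores every submitted field, including the hidden roleid, next to a hardened version that normalises the username before the duplicate check and never reads the role from the request.

```python
# Added example (not the Academy app's own code): a minimal registration
# handler showing the two bugs the writeup abuses. Field names uid/password/
# confirm and the role values below are assumptions modelled on the writeup.
from urllib.parse import parse_qs

ROLE_USER = 0
ROLE_ADMIN = 1


def parse_form(body: str) -> dict:
    """Decode a URL-encoded POST body ('+' and %XX are decoded here, so
    'uid=admin+' arrives as the username 'admin ' with a trailing space)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def register_vulnerable(db: dict, body: str) -> dict:
    """Mass assignment: whatever the client sent for roleid is stored, and the
    duplicate check compares the raw, un-normalised username."""
    form = parse_form(body)
    name = form["uid"]
    if name in db:                      # 'admin ' != 'admin', so this passes
        raise ValueError("username taken")
    db[name] = {"password": form["password"],
                "roleid": int(form.get("roleid", ROLE_USER))}  # attacker-controlled
    return db[name]


def register_hardened(db: dict, body: str) -> dict:
    """Normalise the username before the uniqueness check and ignore any
    role field from the client; privileges are granted server-side only."""
    form = parse_form(body)
    name = form["uid"].strip().lower()
    if not name or name in db:
        raise ValueError("username taken")
    if form["password"] != form.get("confirm", form["password"]):
        raise ValueError("passwords differ")
    db[name] = {"password": form["password"], "roleid": ROLE_USER}
    return db[name]


def is_admin(db: dict, name: str) -> bool:
    """What the admin page would check after login."""
    return db.get(name, {}).get("roleid") == ROLE_ADMIN


if __name__ == "__main__":
    users = {"admin": {"password": "hunter2", "roleid": ROLE_ADMIN}}
    attack = "uid=admin+&password=pw&confirm=pw&roleid=1"   # 'admin ' with roleid=1
    register_vulnerable(users, attack)
    print("vulnerable: 'admin ' is admin ->", is_admin(users, "admin "))
    users = {"admin": {"password": "hunter2", "roleid": ROLE_ADMIN}}
    try:
        register_hardened(users, attack)
    except ValueError as e:
        print("hardened:", e)
```

The fix is not the username normalisation alone: even with unique names, a role field accepted from the client is enough to become admin, so the hardened handler never reads roleid from the form at all.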

We can then log in with the new credentials and reach the admin page.

Logged in, we find a new sub-domain; add it to /etc/hosts as well and take a look at it.

The sub-domain's page exposes a token and reveals that the application runs on Laravel, the PHP framework.

A searchsploit query for Laravel turns up an exploit we can use.
<br>Fire up msfconsole, select the module and set its options (target host and virtual host, the token, and your listener).

With the options set, running the exploit finally gets us access.

We have a shell as www-data.

After a bit of poking around in the system, I found a Laravel .env file (the framework's environment configuration) containing credentials.

We can list the interactive users on the system by grepping /etc/passwd for a bash login shell.

As there are quite a number of users, we can password-spray the found password against all of them over SSH and see whether anyone reused it.
<br>Save the usernames in one file and the password in another, then use hydra to spray.

One of the accounts accepts it, and with that we get the user flag.

After running linpeas on the box, I noticed something odd: audit logs are present and readable by our user.

To confirm my suspicion, I checked the current user's id.

It was right:
<br>we are a member of the adm group.
<br>adm is the group conventionally used for system monitoring; its members can read the log files under /var/log, which on this box includes the audit log.

With that piece of information at hand, we can query the audit records. aureport summarises the audit log, and its --tty report prints the keystrokes captured by the audit TTY module (pam_tty_audit):
```
aureport --tty
```
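What aureport --tty is reading, as an added example in Python (this is not the box's output nor the audit tooling's code): auditd stores keystrokes captured by pam_tty_audit as type=TTY records whose data= field is the hex-encoded input. The script parses such records and decodes them, which is exactly how a typed password becomes visible to anyone who can read the audit log. The log lines embedded in it are constructed for this example, and the user name and password they contain are made up.

```python
# Added example (not the box's own output): parse TTY records from an
# auditd log and decode the hex-encoded keystrokes, which is what
# `aureport --tty` does. The log lines below are constructed for this
# example; the password in them is made up.
import re
from typing import List, Tuple

SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1001 auid=1001 ses=1 major=4 minor=1 comm="bash" data=7375206D7262336E0D
type=USER_AUTH msg=audit(1597199294.000:85): pid=2521 uid=1001 auid=1001 ses=1 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=TTY msg=audit(1597199295.001:86): tty pid=2521 uid=1001 auid=1001 ses=1 major=4 minor=1 comm="su" data=4578616D706C6521310D
"""

# Only type=TTY records carry keystrokes; the data= field is hex.
TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\):.*?'
    r'\bauid=(?P<auid>\d+)\b.*?\bcomm="(?P<comm>[^"]*)".*?\bdata=(?P<data>[0-9A-Fa-f]+)'
)

# Control characters named the way aureport prints them.
CONTROL = {0x0D: "<ret>", 0x0A: "<nl>", 0x09: "<tab>", 0x1B: "<esc>",
           0x08: "<backspace>", 0x7F: "<backspace>"}


def decode_tty_data(hexdata: str) -> str:
    """Turn the hex 'data=' field into readable keystrokes."""
    out = []
    for b in bytes.fromhex(hexdata):
        if b in CONTROL:
            out.append(CONTROL[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b < 0x20:
            out.append("<^%c>" % (b + 0x40))   # e.g. 0x03 -> <^C>
        else:
            out.append("\\x%02x" % b)          # non-ASCII byte
    return "".join(out)


def tty_report(log_text: str) -> List[Tuple[int, int, str, str]]:
    """(event id, auid, comm, keystrokes) for every TTY record, in log order.
    Records of other types (USER_AUTH, SYSCALL, ...) are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if m:
            rows.append((int(m["id"]), int(m["auid"]), m["comm"],
                         decode_tty_data(m["data"])))
    return rows


def typed_after(log_text: str, command_prefix: str) -> List[str]:
    """Keystrokes entered in the record that follows a command starting with
    command_prefix, e.g. the password typed right after 'su <user>'."""
    rows = tty_report(log_text)
    return [rows[i + 1][3] for i in range(len(rows) - 1)
            if rows[i][3].startswith(command_prefix)]


if __name__ == "__main__":
    for event_id, auid, comm, keys in tty_report(SAMPLE_AUDIT_LOG):
        print(f"{event_id:>5} auid={auid} {comm:<5} {keys}")
```

The lesson for defenders is the same one aureport makes obvious: TTY auditing records passwords typed at su and sudo prompts in clear text, so the audit log must stay readable by root only, not by the adm group or by any unprivileged user.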

In the keystroke report we can see the credentials of the mrb3n user.
<br>Using them, we log in as mrb3n.

Checking mrb3n's sudo rights, we find the user can run the composer binary as root.

Heading over to GTFOBins, we find a sudo entry for the binary: composer executes the commands listed under "scripts" in a composer.json, so pointing it at a crafted composer.json while running as root spawns a root shell.

And with that, we are root; head to /root and grab the root flag.

Done!
### Socials
@Instagram:https://instagram.com/M3tr1c_r00t
<br>@Twitter:https://twitter.com/M3tr1c_root