Hackthebox : Academy Writeup
Machine name: Academy
Machine IP: 10.10.10.215
Operating System: Linux
Difficulty: Easy
Hello guys, this is my first write-up in a series on Hack The Box penetration tests. If you don't already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.
Academy is a Linux machine released in November 2020 and not retired yet. The box IP address is 10.10.10.215 and the announced difficulty is Easy.
Enumeration Phase
First of all I started enumerating ports and web services using nmap.
After the nmap scan I found that port 80 (http) and port 22 (ssh) are open. After some browsing we can see that the web application offers two options, Login and Register, so let's enumerate the registration page functionality.
Run dirsearch against the target to enumerate web server paths and files.
Then, while registering on the box, I captured the request with Burp Suite and found that an additional roleid parameter is passed in the HTTP request. After further recon I found that the roleid parameter decides the account privilege, so by changing roleid from 0 to 1 we are able to get administrator privileges.
After successfully logging in as admin, I could see a URL mentioned on the admin page: dev-staging-01.academy.htb. Add that hostname for the box IP address to the /etc/hosts file on your local machine so that you can access the link.
There is a Laravel log file disclosed there, leaking sensitive information such as internal paths, server information, environment variables, MySQL credentials and so on. So let's move forward to the next step.
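The roleid issue above is a mass-assignment bug: the server stores whatever fields the client submits instead of deciding privilege itself. The following is an added example (not Academy's or Laravel's code) contrasting a registration handler that trusts the client-supplied roleid with one that allowlists the submitted fields and assigns the role server-side. The field names follow the write-up; the Account class, the role constants and the function names are constructed for this example.

```python
# Added example: mass assignment of a client-controlled roleid versus a
# hardened handler. Not code from the box or from Laravel; names are constructed.
from dataclasses import dataclass

ROLE_USER = 0   # constructed: ordinary account
ROLE_ADMIN = 1  # constructed: administrator account


@dataclass
class Account:
    username: str
    roleid: int


# Fields a self-registration form may set. 'roleid' is deliberately absent,
# the same idea as a Laravel $fillable allowlist without the privilege column.
REGISTRATION_FILLABLE = {"username", "password", "password_confirmation"}


def register_vulnerable(form: dict) -> Account:
    """Stores every submitted field, so a tampered roleid=1 yields an admin."""
    return Account(
        username=form["username"],
        roleid=int(form.get("roleid", ROLE_USER)),
    )


def unexpected_fields(form: dict) -> set:
    """Fields outside the allowlist; worth logging as a tampering indicator."""
    return set(form) - REGISTRATION_FILLABLE


def register_hardened(form: dict) -> Account:
    """Allowlists input fields and sets the privilege level server-side."""
    data = {k: v for k, v in form.items() if k in REGISTRATION_FILLABLE}
    if data.get("password") != data.get("password_confirmation"):
        raise ValueError("password confirmation does not match")
    # Privilege is never taken from the request; new sign-ups are plain users.
    return Account(username=data["username"], roleid=ROLE_USER)


if __name__ == "__main__":
    # Constructed request body with the extra parameter seen in the write-up.
    tampered = {"username": "eve", "password": "pw", "password_confirmation": "pw", "roleid": "1"}
    print("vulnerable ->", register_vulnerable(tampered))
    print("hardened   ->", register_hardened(tampered))
    print("unexpected fields:", unexpected_fields(tampered))
```

On the hardened path the extra parameter is dropped and the request can be flagged through `unexpected_fields`, which is the signal a defender would want in the application log.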
Exploitation phase
Exploiting the Laravel Framework unserialize token RCE (CVE-2018-15133) with Metasploit, using the leaked APP_KEY variable, to gain a reverse shell.
User privilege escalation
After retrieving the low-privileged shell, I used the user credentials found in the Laravel .env variables to escalate to the cry0l1t3 account and grab the user flag there.
Auditing the SELinux audit log files in /var/log/audit gives the mrb3n user's credential details in hexadecimal format.
Upon getting the credentials of mrb3n, I immediately tried logging in as mrb3n.
Privesc mrb3n -> Root
After getting mrb3n user access, I ran sudo -l to check which commands mrb3n is allowed to execute, and found that user mrb3n is able to run composer as root.
Thanks for reading my write-up.