Hack The Box: Academy Writeup

Anurag Kumar Rawat (Mr-Venom)
Dec 24, 2020

Machine name: Academy

Machine IP: 10.10.10.215

Operating System: Linux

Difficulty: Easy

Hello guys, this is my first write-up in a series on Hack The Box systems penetration tests. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.

Academy is a Linux machine released in November 2020 and not retired yet. The box IP address is 10.10.10.215 and the announced difficulty is easy.

Enumeration Phase

First of all, I started enumerating web services and ports using nmap.

After running the nmap scan I found that port 80 and port 22 (SSH) are open. After some browsing we can see that there are two options available, Login and Register, so let's enumerate the registration page functionality.

Run dirsearch against the target to enumerate web server paths and files.

Then, while registering on the box, I captured the request using Burp Suite and found that an additional roleid parameter is passed in the HTTP request. After further recon I found that the roleid parameter is used to decide the user account's privilege, so if we change the roleid parameter from 0 to 1 we are able to get administration privileges.

After successfully logging in as admin, I can see that there is a URL mentioned on the admin login page, dev-staging-01.academy.htb, so let's add the IP address and hostname to the /etc/hosts file on the local machine to access the link.

There is a Laravel log file disclosed, which exposes sensitive information such as internal paths, server information, environment variables, MySQL credentials, etc. So let's move forward to the next step.

Exploitation Phase

Exploiting the Laravel Framework Unserialize Token RCE (CVE-2018-15133) using Metasploit to gain a reverse shell with the leaked APP_KEY variable token.

User Privilege Escalation

After retrieving the low-privileged shell, I used the user credentials found in the Laravel .env variable to escalate to the cry0l1t3 account and get the user flag in the cry0l1t3 account.

Auditing the SELinux log files in /var/log/audit to get the mrb3n user's credential details in hexadecimal format.
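The hexadecimal credential data described above can be reviewed with a short script. This is an added example, not code from the original write-up: it assumes the entries are auditd `type=TTY` records with a hex-encoded `data=` field, and the sample lines, the user name `alice` and the password are constructed for illustration.

```python
import re

# Constructed sample records in the auditd TTY record layout (not taken from the box).
SAMPLE_LOG = """\
type=TTY msg=audit(1600000000.100:83): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=737520616C6963650A
type=TTY msg=audit(1600000003.200:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=4578616D706C652D5061737377307264210A
type=SYSCALL msg=audit(1600000004.000:85): arch=c000003e syscall=59 success=yes exit=0 comm="ls"
type=TTY msg=audit(1600000009.300:86): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=6C73202D6C610A
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?'
    r'\buid=(?P<uid>\d+).*?\bcomm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]+)\s*$'
)

# Programs that read a password from the terminal; keystrokes logged for
# these are very likely credentials. (Hypothetical starting list.)
AUTH_PROGRAMS = {"su", "sudo", "passwd", "ssh"}


def decode_tty_records(log_text):
    """Return every TTY record with its hex keystroke data decoded to text."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m or len(m["data"]) % 2:  # skip other record types and odd-length hex
            continue
        typed = bytes.fromhex(m["data"]).decode("utf-8", errors="replace")
        records.append({"serial": int(m["serial"]), "uid": int(m["uid"]),
                        "comm": m["comm"], "typed": typed})
    return records


def exposed_secrets(records):
    """Keep only records whose keystrokes were read by an authentication program."""
    return [r for r in records if r["comm"] in AUTH_PROGRAMS]


if __name__ == "__main__":
    for r in exposed_secrets(decode_tty_records(SAMPLE_LOG)):
        # Report where the secret sits without printing it again.
        print(f"audit serial {r['serial']}: uid {r['uid']} typed "
              f"{len(r['typed'].rstrip())} characters into {r['comm']}")
```

Any record this flags means a password is stored in a readable log: rotate that credential and restrict who can read /var/log/audit.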

Upon getting the credentials of mrb3n, I immediately tried logging in as mrb3n.

Privesc mrb3n -> Root

After getting mrb3n user access, I ran sudo -l to check which commands mrb3n is allowed to execute and found that user mrb3n is able to run composer as root.

Thanks for reading my writeup.
