Hack the Box: Academy

Academy was an easy machine on Hack the Box.

Academy

I’ll exploit a simple pivilege escalation in registration form gain access to administrator panel. Admin panel will reveal a virtual subdomain where I’ll exploit a RCE in Laravel framework. Using that access I’ll find a database password that’s been reused by cry0l1t3 user. Browsing through system logs will reveal password to another user: mrb3n. Mrb3n can sudo Composer which I’ll exploit to gain root shell.

User

Nmap scan:

Main webpage is pretty empty:

There’s also a login page:

The login page allows test:test credentials but it leads to an entirely static, fake page:

There’s also admin.php page, where simple credentials guessing schieves nothing:

Regular login page has also register form:

Register request has additional, hidden parameter roledid. Changing it to 1 creates an admin account:

After logging in through admin form, a virtual domain is revealed:

Opening the virtual domain reveals a glaring Laravel debug page:

Returning debug pages is usually bad enough but Laravel makes it even worse by revealing enviroment variables. They include various secrets, including the APP_KEY which is used to sign Laravel tokens. Knowledge of this variable allows forging and manipulation of Laravell session and CSRF tokens. To make matters even more interesting, there’s a known RCE in Laravel with number CVE-2018–15133. It’a a vulnerability that allows code execution by manipulating CSRF tokens. There’s a ready made exploit on Github. After downloading it I can run it for a fake shell:

Unsurprisingly, there are two webroots in /var/www/html:

There’s a standard Laravel .env file in the academy webroot.

It can contain another set of useful secrets used by Laravel, including database password:

There are a couple of users in the system:

After a quick trial and error it turns out, that database password also belongs to cry0l1t3 user, who also own a user flag:

Root

The cry0l1t3 user is a member of adm group, which gives me read privleges to system logs. Linpeas finds an interesting failed login attemp that reveals mrb3n’s password:

[+] Checking for TTY (sudo/su) passwords in audit logs
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>                                                                                                                                                                                         
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
/var/log/audit/audit.log.3:type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A

The password can be used to traverse to mrb3n:

This user can run composer as sudo

Composer allows running arbitratry scripts so it can be exploited for privilege escalataion. It can be done quickly by simulating a simple composer repo in temporary folder, and then running the script through sudoed composer. With root privleges flag can be read: