Hackthebox Academy

Ayan Khan
6 min read, Feb 14, 2021

Hackthebox Academy [HTB]

Machine Name : Academy

Machine IP : 10.10.10.215

Points : 20

Operating System : Linux

Difficulty : Easy

Hey guys, here is my first HACKTHEBOX system penetration test write-up. If you don't already know, Hack The Box is a website where you can practice your cybersecurity or penetration-testing knowledge by legally hacking into a range of different machines.

Academy is a Linux machine released in November 2020 with the IP address 10.10.10.215; its announced difficulty level is Easy, for 20 points.

1. Connect to VPN :

Before moving to any machine in HACKTHEBOX, the first step is to connect your PC to their network using the VPN.

STEP :

  1. Click on the "offline" status at the top right.
  2. Download the VPN configuration file.
  3. Open a terminal.
  4. Run the command "sudo openvpn filename".
  5. If the connection succeeds, the offline status becomes online.
Connecting VPN

2. Enumeration Phase :

In the enumeration phase, we scan the IP address using Nmap. Nmap is a network scanning tool that uses IP packets to identify the devices connected to a network and to report the services and operating systems they are running.

Command : sudo nmap -sV -A IP-address

Nmap scan Result

After scanning the IP address, I found that ports 80 and 22 are open, and the domain name of the IP address is "academy.htb".

Since port 80 is open, a website is hosted on that machine.

Home Page

Let's register a new user.

NOTE :

If you get a 4001 error on the HTTP request in your web browser, add the domain name to your local hosts file using

>> nano /etc/hosts

Dirsearch against the IP address:
dirsearch is an enumeration tool used to find paths and files present on a server.

While running dirsearch against the IP, we see that there is an admin.php file present on the server. But when we try to log in at admin.php, it does not work.

Now, when we register using register.php and intercept the request with Burp, we find a roleid parameter whose default is 0. We can edit the roleid from user to admin (0 to 1).
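The roleid issue above is a classic mass-assignment bug: the server trusts a field it should have decided itself. The following is an added example, not code from the Academy box or from this write-up; it shows a registration handler that trusts the client-supplied roleid beside a hardened one that assigns the role server-side, plus a small check over constructed access-log lines (hypothetical format) that finds registrations which posted a non-default roleid.

```python
# Added example, not code from the Academy box or from this write-up.
# Vulnerable vs. hardened registration, and a log check for tampered roleid.
import re
from dataclasses import dataclass

ROLE_USER = 0
ROLE_ADMIN = 1


@dataclass
class Account:
    username: str
    roleid: int


def register_vulnerable(form: dict) -> Account:
    """Mass assignment: every field from the request is trusted,
    so a request edited to carry roleid=1 creates an admin account."""
    return Account(username=form["username"],
                   roleid=int(form.get("roleid", ROLE_USER)))


def register_hardened(form: dict) -> Account:
    """Only an explicit allow-list of fields is read from the request;
    the role is never taken from the client."""
    username = str(form.get("username", "")).strip()
    if not username:
        raise ValueError("username is required")
    return Account(username=username, roleid=ROLE_USER)


# Constructed access-log lines in a hypothetical "METHOD PATH BODY" format.
SAMPLE_LOG = """\
POST /register.php username=alice&password=x&roleid=0
POST /register.php username=bob&password=y&roleid=1
POST /register.php username=carol&password=z&roleid=0
"""

_ROLE_RE = re.compile(r"username=([^&\s]+)&.*?roleid=(\d+)")


def find_role_tampering(log_text: str) -> list:
    """Return usernames whose registration request carried a non-default
    roleid, i.e. the parameter was edited on the client side."""
    hits = []
    for line in log_text.splitlines():
        if "/register.php" not in line:
            continue
        m = _ROLE_RE.search(line)
        if m and int(m.group(2)) != ROLE_USER:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    tampered = {"username": "mallory", "password": "x", "roleid": "1"}
    print(register_vulnerable(tampered))    # roleid=1: admin account created
    print(register_hardened(tampered))      # roleid=0: client value ignored
    print(find_role_tampering(SAMPLE_LOG))  # ['bob']
```

The hardened handler never reads a role from the request at all; promoting a user to admin should be a separate, authenticated administrative action, and the log check gives a cheap retrospective signal that someone tried the edit.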

After successfully logging in as admin, I can see a URL mentioned on the admin page, dev-staging-01.academy.htb, and also two names, cry0l1t3 and mrb3n. So let's add the hostname for the IP address to the /etc/hosts file on your local machine to access the link.

When we make an HTTP request to dev-staging-01.academy.htb, we can see that it is built with Laravel.

This Laravel log page is disclosed, which can reveal sensitive information like internal paths, environment variables, MySQL credentials, server information, etc. We also see that it is built with Laravel and exposes an APP_KEY, which we can use to exploit the server with a Metasploit module for this application, so let's move on to the next step.

3. Exploitation phase:

When we look at the Environment & details section, we find the leaked APP_KEY. Using this key we can exploit the Laravel Framework Unserialize Token RCE (CVE-2018-15133) vulnerability with the Metasploit framework.
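The root cause on the Laravel side is a development configuration left on a reachable host: with APP_DEBUG enabled, the error page prints environment variables, including APP_KEY and database credentials. The following is an added example, not code from the Academy box or from this write-up; it parses a constructed .env file (placeholder values, not real secrets) and reports the settings a reviewer would flag.

```python
# Added example, not from the Academy box or this write-up.
# Minimal .env parser plus an audit of the settings whose exposure the
# write-up describes: debug mode on, development environment, and secrets
# (APP_KEY, DB password) in a file that non-root users can read.
from typing import Dict, List

# Constructed sample .env; every value is a placeholder.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:PLACEHOLDER_APP_KEY_VALUE=
# database
DB_CONNECTION=mysql
DB_PASSWORD="placeholder-db-password"
"""

SECRET_KEYS = ("APP_KEY", "DB_PASSWORD", "REDIS_PASSWORD", "MAIL_PASSWORD")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and comments; strip matching quotes.
    Only the first '=' separates key from value, so base64 padding survives."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def audit_laravel_env(env: Dict[str, str], world_readable: bool = False) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing to flag.
    world_readable is the caller's observation of the .env file mode."""
    findings = []
    if env.get("APP_DEBUG", "false").lower() == "true":
        findings.append("APP_DEBUG=true: error pages print environment variables and paths")
    if env.get("APP_ENV", "").lower() in ("local", "dev", "development"):
        findings.append(f"APP_ENV={env['APP_ENV']}: development settings on a reachable host")
    present = [k for k in SECRET_KEYS if env.get(k)]
    if present and world_readable:
        findings.append("secrets readable by other local users: " + ", ".join(present))
    return findings


if __name__ == "__main__":
    cfg = parse_dotenv(SAMPLE_ENV)
    for finding in audit_laravel_env(cfg, world_readable=True):
        print("-", finding)
```

In production the fix is APP_DEBUG=false, APP_ENV=production, a .env owned by the deploy user with mode 0600, and rotating APP_KEY once it has been exposed, since the unserialize issue the write-up exploits depends on knowing that key.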

After exploitation, we get a reverse connection from the Laravel server.

We got the shell as the web admin. When we go to the home directory, there are some user folders.

After looking at the folders, we recall that logging in at admin.php showed two user names, i.e. cry0l1t3 and mrb3n.

When we move to the user folder cry0l1t3, we find user.txt, but to open this file we need higher privileges.

4. User privilege escalation:

After getting the low-privileged shell, I used the user credentials found in the Laravel .env file to escalate to the cry0l1t3 account and get the user flag there. But .env is a hidden file, so we have to use

> ls -la

credential >>

Using these credentials we get higher privileges, and with them we can open user.txt, which contains the first flag.

Submit this flag to HACKTHEBOX.

As we know, port 22 (SSH) is also open, and we have the cry0l1t3 user's credentials.

We can use this information to log in over SSH.

After enumerating some directories using linpeas, we see audit files in the /var/log/audit directory, where past commands and data of the users are saved as logs.

>> cat * | grep 'comm="su"'

This command greps the data in the audit files, which is in encrypted form.

To decrypt this data we use an online decoder.
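What makes this step work is pam_tty_audit keystroke logging: auditd writes type=TTY records with the typed bytes hex-encoded in the data field, so anything entered at an su password prompt lands in the log, and here the log was readable by an ordinary user. The following is an added example, not code from the Academy box or from this write-up; it parses constructed auditd-style records (the data field is a placeholder and is deliberately not decoded), reports TTY records attributed to su, and checks the log file mode a defender should enforce.

```python
# Added example, not from the Academy box or this write-up.
# Detects the condition the write-up relies on: TTY keystroke records for
# "su" in the audit log, plus a check that audit files are not readable by
# group/other. The hex data field is never decoded here.
import re
import stat
from typing import Dict, List

# Constructed sample records; data=2A2A2A2A is a placeholder ("****").
SAMPLE_AUDIT = """\
type=LOGIN msg=audit(1604000000.100:201): pid=800 uid=0 old-auid=4294967295 auid=1000 res=1
type=TTY msg=audit(1604000000.200:202): tty pid=1234 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=2A2A2A2A
type=TTY msg=audit(1604000000.300:203): tty pid=1235 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="su" data=2A2A2A2A
type=USER_CMD msg=audit(1604000000.400:204): pid=1236 uid=1000 auid=1000 ses=3 msg='cwd="/home/user" cmd=6C73 exe="/usr/bin/sudo" res=success'
"""

# key=value pairs; values are either a double-quoted string or a bare token
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Flatten one auditd record into a key/value dict (quotes stripped)."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def find_su_keystroke_records(text: str) -> List[Dict[str, str]]:
    """TTY records whose comm is su: input at the password prompt was captured.
    Each hit identifies the session so the affected account can be rotated."""
    hits = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") == "TTY" and rec.get("comm") == "su":
            hits.append({"uid": rec["uid"], "auid": rec["auid"], "ses": rec["ses"]})
    return hits


def audit_log_mode_is_safe(mode: int) -> bool:
    """Files under /var/log/audit should be 0600 or stricter: no group/other bits."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    for hit in find_su_keystroke_records(SAMPLE_AUDIT):
        print("su keystrokes captured:", hit)
    print("0644 safe?", audit_log_mode_is_safe(0o644))  # False
```

The two mitigations this points at are disabling password capture in the pam_tty_audit configuration (or disabling TTY auditing for interactive shells entirely) and keeping /var/log/audit root-only; either one alone breaks this escalation path.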

Now we get the credentials of "mrb3n", so using ssh we will log in as mrb3n:

>su mrb3n

> sudo -l   # lists the sudo entries that apply to this user on academy

After sudo -l, we see that we can run the composer command.

There is a known technique that lets us edit the /tmp/tmp/composer.json file, so what we can do is copy our SSH key into the composer.json file in order to log in as root!!!

We execute the first line of the technique on the target machine:

> TF=$(mktemp -d)

This creates a temporary directory. Now write the following script into a composer.json file there; what it does for us is paste our public key into /root/.ssh/authorized_keys so that later we can connect with our private key:

> echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json

Once the script is saved, we execute the third line of the technique:

> sudo composer --working-dir=$TF run-script x
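The escalation above works because the sudo rule hands root to a build tool that executes whatever scripts the caller's composer.json defines, and --working-dir lets the caller choose that file. The following is an added example, not code from the Academy box or from this write-up; it lints constructed sudoers-style rules (hypothetical users and paths) and flags rules that run such a script-executing tool as a privileged user, distinguishing unrestricted arguments from a pinned project directory.

```python
# Added example, not from the Academy box or this write-up.
# Lints sudoers rules for the pattern behind this escalation: a script-running
# build tool allowed via sudo, where the caller can pick the working directory.
import re
from typing import List

# Tools that execute scripts/hooks defined in files in the working directory.
# Constructed allow-list for this example; extend it to your environment.
SCRIPT_RUNNERS = {"composer", "npm", "yarn", "make"}

# Constructed sample; users, hosts and paths are hypothetical.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
alice  ALL=(ALL) NOPASSWD: /usr/bin/composer
bob    ALL=(ALL) /usr/bin/systemctl restart nginx
carol  ALL=(root) NOPASSWD: /usr/bin/composer --working-dir=/srv/app install
"""

# user host = (runas) [TAG:...] command [args]
_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def audit_sudoers(text: str) -> List[str]:
    """Return one finding per rule that lets a script runner execute via sudo."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        runas = m.group("runas") or "root"
        parts = m.group("cmd").split()
        binary = parts[0].rsplit("/", 1)[-1]
        if binary not in SCRIPT_RUNNERS:
            continue
        if len(parts) == 1:
            findings.append(f"{user}: {binary} runnable as {runas} with any arguments; "
                            "the caller picks the working directory and its scripts")
        else:
            findings.append(f"{user}: {binary} runnable as {runas} with fixed arguments; "
                            "confirm the project directory and its config are root-owned")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("-", finding)
```

Even the pinned form (carol's rule) is only safe if the project directory and its composer.json cannot be written by the sudo user; the robust fix is to run the tool as the unprivileged application account instead of granting it through sudo at all.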

By moving to the root directory, you will find root.txt.

THANK YOU FOR READING MY WRITE-UP.

BEST OF LUCK.
