Here is the first scan. Looks like there is SSH and a web server that hosts http://academy.htb/
However, if you try to visit the page you will see that it will not pull up for you:
A while ago I did a box where I added an IP address to my /etc/host directory in order to access it as if I was authorized to be there. I have not published it because the box is still active, but this reminded me of that same situation.
Add the IP and host name like below, and then press Ctrl + X to close and save.
Now, go back and reload that webpage and you should have access:
After this I registered for an account so I could explore:
I did briefly look at the source code for the registration page before I logged in, and found this, which was interesting.
I notated that and logged into my new academy account for now.
Seems pretty busy, but most of the links don’t even work. I pulled up gobuster to scan for different directories. This took awhile, but eventually I got this list here:
Luckily, most of them were found within the first few minutes of the scan, so I made my way to the admin login page and tried a few random combos of common usernames and passwords, but none of them worked.
I am thinking this has something to do with that “roleid” parameter that was shown on the registration page. I decided to register again and intercept the registration in Burp Suite.
Here are the results:
So what if I just do some experimentation with changing the roleid? I went ahead and forwarded requests for users roomba1 and roomba2, with corresponding role ids.
To do this, just manually change the request and then hit the forward button one by one to register the two users.
Then, I headed to the admin page to try both the logins.
roomba1 pulled up this page:
roomba2 did not work. So perhaps roleid=2 does not exist.
No matter, roomba1 has already infiltrated the admin portal. It looks like it’s a to-do list for various admin tasks. There are two users shown here, cry0l1t3 and mrb3n.
It also mentions there is an issue that needs to be fixed, at dev-staging-01.academy.htb.
If you try to navigate there you will again have the same issue as earlier, but you can just implement the same fix and add this to your hosts directory.
Exit and save with Ctrl + X again and then reload the page.
This portal is displaying a bunch of errors the developers need to deal with. Most have to do with an application called Laravel:
You’ll also notice some more seemingly valuable info, like another username and password. And the admins saying they are going to “ignore the errors”.
Not smart.
Searching for Laravel exploits will bring up quite a few. The first one being 2018–15133 2017–16894, which allows for Remote Command Execution:
I opened up Metasploit and found that exploit:
Notice it has a spot for the app key, which I saw earlier, here:
After that I set the other options I needed:
And then, EXPLOIT:
Use this to spawn a more reasonable shell, and then start looking around:
Eventually you’ll find one of the admins has the user.txt file, but you don’t have the correct permissions to read it.
I tried logging in as cry0l1t3 using some of the passwords I found earlier, but I was not successful.
At /var/www/html/academy there is a .env file you can look through. Here, I found another password to try.
From here, you can change users and open the user.txt file:
After that I started attempting the root flag. I checked to see what permissions cry0l1t3 had, which was not helpful:
Perhaps the other admin, mrb3n, will be of more use? I do not have his password though.
This got me looking around in cry0l1t3’s stuff. At /var/log/audit, I found a bunch of audit logs:
THIS article here was extremely helpful in showing me what to look for, because the logs are way too long to go through manually.
Basically, I found a log that showed when mrb3n’s account logged in. The data portion is his encoded password.
This is just simple hex:
You can now log in as mrb3n:
mrb3n has more to work with:
I checked this out on GTFO bins:
After following these steps, I was met with a few errors concerning PHP libraries, which actually confused me for awhile because I thought the code didn’t work because of it.
Turns out I had actually succeeded though! You can just ignore the PHP stuff and use cat /root/root.txt from here collect your root flag!
Happy Hacking! ❤
