Port Scanning and general enumeration (Nmap, FFuF)
A web server, and something MySQL-related on that high port. Let’s enumerate the web server.
Browsing to the URL gives us an error pointing to academy.htb. Adding the url and academy.htb to our hosts file fixes the error.
We have the ability to LOGIN and REGISTER. After registering and logging in we’re greeted with a home.php page that is seemingly the HTB Academy, but nothing works! Well, we know that the site is built on php, so let’s toss FFuF at it, fuzzing for
Requires credentials that we don’t have.
Access (BurpSuite, metasploit)
Let’s go back and take a closer look at the registration process by capturing the request in
roleid? Let’s change that to 1 and send it off. What happens if we try to use this new account with the 1 to log into the admin section?
We’re in! Let’s add dev-staging-01.academy.htb to our hosts and navigate to it.
Error page, but lots of information here. Looks like database usernames and passwords. App name is Laravel, and even the app key! I couldn’t find a version number for Laravel, but let’s see if metasploit has anything for us.
Looks good. Outside of the ordinary options it requires the APP_KEY (that base64 string we found earlier) and the VHOST, which in our case is
Let’s fire it off and get our shell.
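Looking back at the roleid step: the registration form handed a client-supplied role straight to the new account. As an added example (not code from the box or this write-up; field names, role values and the handler shape are assumptions), here is that pattern beside a hardened handler that assigns the role server-side and drops unexpected fields.

```php
<?php
// Added example, not code from the box or the write-up: a registration
// handler that trusts a client-supplied "roleid" (the flaw used above)
// next to a hardened version. Field names are assumptions for illustration.
declare(strict_types=1);

const ROLE_USER  = 0;   // assumed: ordinary account
const ROLE_ADMIN = 1;   // assumed: roleid=1 is what unlocked the admin area

// VULNERABLE: every submitted field is copied into the new user record,
// so a request that adds roleid=1 registers straight into the admin role.
function registerVulnerable(array $post): array
{
    $user = ['roleid' => ROLE_USER];
    foreach ($post as $field => $value) {   // mass assignment
        $user[$field] = $value;
    }
    $user['password'] = password_hash((string) $post['password'], PASSWORD_DEFAULT);
    return $user;
}

// HARDENED: only an allow-list of fields is read, the role is fixed
// server-side, and anything else in the request is logged and dropped.
function registerHardened(array $post, ?callable $log = null): array
{
    $allowed = ['uid', 'email', 'password'];
    $unexpected = array_diff(array_keys($post), $allowed);
    if ($unexpected !== [] && $log !== null) {
        // A roleid in a registration body is a tampering signal worth alerting on.
        $log('ignored fields in registration: ' . implode(',', $unexpected));
    }
    $user = [];
    foreach ($allowed as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
        $user[$field] = $post[$field];
    }
    $user['password'] = password_hash((string) $user['password'], PASSWORD_DEFAULT);
    $user['roleid'] = ROLE_USER;  // the role is never taken from the client
    return $user;
}

// Constructed request body, shaped like the tampered registration above.
$tampered = ['uid' => 'tester', 'email' => 'tester@example.com',
             'password' => 'secret', 'roleid' => '1'];

var_dump(registerVulnerable($tampered)['roleid']);
var_dump(registerHardened($tampered, 'error_log')['roleid']);
```

Run with the php CLI: the first dump shows the client's role being accepted, the second shows the fixed role and a log line for the ignored field.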
Privesc (linPEAS, Composer)
Doing some manual enumeration on the box, there are a couple of things to note. First, there are six users with an interactive shell.
The .env file for htb-academy-dev-01 had much of the same information as the error page we found earlier. But since it’s basically a staging branch of the site, what if the original academy site has an .env file too?
I wonder if any of those six users is the database dev? Maybe they reuse passwords? I tried that password with each user until I found that it works for
So now we’re cry0l1t3, what can we do?
Turns out, not a lot. Let’s run linPEAS and see if there are any privesc vectors we can use.
Oh? Some horizontal movement? Well, mrb3n, what can you do?
Hey, this user can actually sudo. Checking GTFOBins we find
Follow the instructions and claim your prize!