Academy HTB Writeup
Academy 🎓
A first nmap scan shows 2 ports open.
Visiting the website, we are redirected to a domain name: academy.htb
I add this to my /etc/hosts file and then visit again. I have a front page with no function at all, but I have 2 options to go to: one is login and the other is register. Upon visiting I have a form in which I can create a user. I try admin:admin and I am redirected to a page which greets me with Welcome and then redirects me to the login page. I log in and get to the front page.
[Screenshot: home.php photo page]
I can see that I am not logged in as the username I entered the credentials for. I go to register again and add another user, but again I am logged in as egre55.
I run a ffuf scan to find potential directories and files. The website has no working functionality at all.
I find a file, admin.php. I am provided a login form again. Trying the same credentials I tried on login.php, I cannot log in. After looking for potential ways to bypass admin.php, or to find the credentials using ffuf, I opened Burp and intercepted every request made to login, register, admin and other parts of the website.
On the register page there are 4 parameters: uid, password, confirm and roleid=0. The roleid was by default set to 0; when I see a parameter as 0 I think of it as false, or in this case as lower privileges. Every time we created a user we sent this parameter as 0, so let's try to create a user with it set to 1, and then try to log in to admin.php.
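As an added illustration (not code from the box or from this writeup), here is the registration pattern described above in PHP: a handler that stores whatever roleid the client sends, next to one that ignores client-supplied role fields and logs them as tampering. Only the field names uid, password, confirm and roleid come from the writeup; function names and the stored-record layout are assumed.

```php
<?php
// Added illustration, not the Academy application's own code.
// Field names uid, password, confirm, roleid are from the writeup;
// everything else here is assumed.
declare(strict_types=1);

// Vulnerable pattern: the role is taken straight from the form, so a
// client that changes roleid=0 to roleid=1 registers a privileged account.
function registerVulnerable(array $post): array
{
    return [
        'uid'    => $post['uid'],
        'hash'   => password_hash($post['password'], PASSWORD_DEFAULT),
        'roleid' => (int) $post['roleid'],   // trusted from the client
    ];
}

// Hardened pattern: only the fields a self-service registration may set
// are read; the role is fixed server-side and any extra field is logged,
// because unexpected fields in a registration request signal tampering.
function registerHardened(array $post): array
{
    $allowed = ['uid', 'password', 'confirm'];
    $extra = array_diff(array_keys($post), $allowed);
    if ($extra !== []) {
        error_log('registration: unexpected fields ' . implode(',', $extra));
    }
    if ($post['password'] !== $post['confirm']) {
        throw new InvalidArgumentException('password confirmation mismatch');
    }
    return [
        'uid'    => $post['uid'],
        'hash'   => password_hash($post['password'], PASSWORD_DEFAULT),
        'roleid' => 0,   // ordinary user; promotion is an admin action elsewhere
    ];
}

// Constructed request body: a registration with roleid tampered to 1.
$tampered = ['uid' => 'test', 'password' => 'pw', 'confirm' => 'pw', 'roleid' => '1'];

printf("vulnerable handler stores roleid=%d\n", registerVulnerable($tampered)['roleid']);
printf("hardened handler stores roleid=%d\n", registerHardened($tampered)['roleid']);
```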
So this is a planner they have for the academy.htb page, which isn't functional yet. Everything is set as done except one item which is pending. I add that subdomain to my /etc/hosts file again and visit the website.
We have a lot of errors. One of the errors is about Laravel logs. Laravel is a PHP framework. On my right I also have some environment information and details. I also have a MySQL username and password. I try to log in over SSH with those, but nothing. The MySQL port is closed, so I didn't try them with MySQL. I am left with nothing but to search for Laravel vulnerabilities. I didn't manage to find the exact version of it, so I tried every exploit I could find.
This repo https://github.com/kozmic/laravel-poc-CVE-2018-15133 had one exploit that worked. To make this work we need the app_key, which we got from the website error. If we didn't have it, we couldn't use it.
Following the repo instructions we have to:
- Install phpggc (sudo apt install phpggc)
- Generate a payload with phpggc: phpggc Laravel/RCE1 system 'id'
- Encrypt the payload with the app_key using: ./cve-2018-15133.php dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9
- Send the previous string as an X-XSRF-TOKEN header
I created a simple script to do this for me so I can execute commands faster.
automatecve2018-15133.py:
I use the script and execute a reverse shell to my machine. I am logged in as www-data. I try to look into the config files located at /var/www/ to find any potential passwords to databases. On Laravel web applications this information is stored inside the .env file. Besides the .env file I saw for the dev staging subdomain, I find another one inside the academy folder. This time I have a password: mySup3rP4s5w0rd!!. MySQL is open but I cannot log in with these credentials. I cat the /etc/passwd file, find the users on the machine and try the password against each user.
cry0l1t3 is the user who reused the password and got pwned :D. Now I run the LinEnum script but didn't manage to find anything useful. After more than half an hour of trying to find something juicy, I find out that I belong to the adm group. As per https://wiki.debian.org/SystemGroups: "adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log."
I go and search the /var/log folder for passwords or anything similar which can get me closer to the root user :D. After some help from my friend suljot, I found out that commands are logged inside the audit folder and are encoded as hex. Each command has type=TTY, so I can cat all the files and grep for that.
cat /var/log/audit/* | grep 'type=TTY' > /tmp/a          # keep only the TTY keystroke records
cat /tmp/a | awk -F'data=' '{print $2}' | xxd -r -p > tty  # take the hex after data= and decode it
less tty
The password found there works with the user mrb3n. This user can run composer as root. I go and find a way on GTFOBins and get root.