Walkthrough – Academy (HackTheBox)

This is a walkthrough of the machine called “Academy” at HackTheBox:
https://app.hackthebox.com/machines/Academy

In this walkthrough, we cover two possible privilege-escalation (privesc) paths on the machine, via GTFOBins and PwnKit.

Enumeration

I first run rustscan to see which ports are open on this machine:

rustscan -a 10.129.234.151 --ulimit 5000 --range 1-65535 -- -sVC -Pn

One odd port stands out at 33060. It just seems to be a MySQL server.

I run nuclei as well.

nuclei -u http://academy.htb

If I navigate straight to the IP, I get redirected to academy.htb.

I add it to my /etc/hosts file and navigate directly to the URL:

It is just a page with an image:

Next I run gobuster to enumerate for any possible routes.

gobuster dir -k -u http://academy.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -x txt,php,html -t 40

I get a few hits:

There is a register.php page that seems interesting.

I register for an account and check burp suite to see the request:

It seems to just be the HTB Academy page or a replica of it:

There was a roleid parameter in the request when we first registered, so I go back, re-register as a different account with that value changed, and log in again:

When I log in, there is no change; it's still the same academy page. But I remember that when we first ran gobuster, there was also a potential admin page at admin-page.php.

I simply navigate there as the hacker2 user whose role I changed on the register page, and I see what seems to be a planner.

There is another subdomain, and I add it to the /etc/hosts file:

When we navigate there, we can see some logs, and we see an app name of "Laravel" along with an APP_KEY.
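The exposed log above is the defender's lesson here: a Laravel stack trace dumps the application environment, so a web-readable log leaks APP_KEY and database credentials. The following is an added example, not code from the walkthrough, that scans a log file for Laravel env keys that have been written out with a value. The key list and the sample log entries are constructed for the example; the report prints only key names and line numbers, never the values.

```shell
# Added example (not from the walkthrough): report Laravel env secrets that
# have been dumped into a log file. Only the key name and line number are
# printed, so the report itself does not re-expose the value.
scan_laravel_log() {
    # $1: path to the log file to scan
    # Key list is an assumption; extend it for your own .env layout.
    keys='APP_KEY|DB_PASSWORD|MAIL_PASSWORD|REDIS_PASSWORD|AWS_SECRET_ACCESS_KEY'
    # Match the key as a whole word followed by an assignment (=, =>, or :),
    # which is how both .env lines and Laravel's array dumps present them.
    # A bare mention such as "APP_KEY rotation scheduled" is not flagged.
    pat="(^|[^A-Za-z0-9_])(${keys})['\"]?]?[[:space:]]*(=>|=|:)"
    grep -nE "$pat" "$1" |
        sed -E "s/^([0-9]+):.*(${keys}).*$/line \1: \2 value exposed/"
}

# Constructed sample: a Laravel error entry whose environment dump contains
# APP_KEY and DB_PASSWORD, plus a harmless line that must not be flagged.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[2020-11-09 10:00:00] local.ERROR: SQLSTATE[HY000] [2002] Connection refused
    [APP_NAME] => Laravel
    [APP_KEY] => base64:CONSTRUCTED_SAMPLE_KEY_VALUE
    [DB_PASSWORD] => constructed-sample-password
[2020-11-09 10:00:01] local.INFO: APP_KEY rotation scheduled
EOF
    echo "$f"
}

# Stand-alone run: scan the constructed sample and print the findings.
scan_laravel_log "$(make_sample_log)"
```

Run it against storage/logs/laravel.log on a real deployment; any hit means the key should be rotated and the log directory taken out of the web root (or APP_DEBUG turned off so the environment is no longer dumped).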

Initial Foothold

If we run searchsploit, we can see there is a Metasploit module available for this target as a potential foothold:

In msfconsole, we use the module exploit/unix/http/laravel_token_unserialize_exec and get our first foothold.

Privesc 1 – GTFOBins

We do a Python shell upgrade first to get a proper shell:

Next we set up a file transfer by serving files with python -m http.server 80:

Then we download linpeas and make it executable with chmod:

Next I run linpeas to get suggestions on privesc methods:

Linpeas finds a password in an .env file:

Checking the output again, we can see a few users, so we can spray the password with hydra to see if it gives us access via SSH:

After creating the user and password lists, I run the following hydra command to pop an account via SSH:

hydra -L users.txt -P passwords.txt 10.129.234.151 ssh

I SSH into the box and get access to the cry0l1t3 account:
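A spray like the one above leaves a distinctive trail in the SSH daemon's log: many failed logins for many different usernames from one source in a short window. The following is an added example, not code from the walkthrough, that summarises that pattern from an auth.log-style file. The log lines are constructed for the example (the source address 10.10.14.5 and the usernames other than cry0l1t3 and mrb3n are made up); the threshold is a parameter.

```shell
# Added example (not from the walkthrough): flag source addresses whose
# failed SSH logins reach a threshold, and show how many distinct usernames
# each one tried. One source cycling through many users is the spray
# signature, as opposed to one user mistyping a password.
ssh_spray_report() {
    # $1: auth log path; $2: failure threshold (default 5)
    # Prints "ip failures distinct_users" for each source at or over the threshold.
    awk -v limit="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # Two shapes occur:
            #   "Failed password for invalid user bob from 1.2.3.4 port ..."
            #   "Failed password for alice from 1.2.3.4 port ..."
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            for (i = 1; i <= NF; i++)
                if ($i == "for") { u = $(i + 1); if (u == "invalid") u = $(i + 3) }
            fails[ip]++
            if (!((ip, u) in seen)) { seen[ip, u] = 1; users[ip]++ }
        }
        END {
            for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip], users[ip]
        }' "$1"
}

# Constructed sample: five failures for five different users from one
# source, one successful login from it, and a lone failure from elsewhere.
make_sample_auth_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Nov  9 10:00:01 academy sshd[1201]: Failed password for invalid user admin from 10.10.14.5 port 51000 ssh2
Nov  9 10:00:01 academy sshd[1202]: Failed password for cry0l1t3 from 10.10.14.5 port 51002 ssh2
Nov  9 10:00:02 academy sshd[1203]: Failed password for mrb3n from 10.10.14.5 port 51004 ssh2
Nov  9 10:00:02 academy sshd[1204]: Failed password for invalid user deploy from 10.10.14.5 port 51006 ssh2
Nov  9 10:00:03 academy sshd[1205]: Failed password for invalid user backup from 10.10.14.5 port 51008 ssh2
Nov  9 10:00:03 academy sshd[1206]: Accepted password for cry0l1t3 from 10.10.14.5 port 51010 ssh2
Nov  9 10:05:00 academy sshd[1300]: Failed password for mrb3n from 192.168.1.20 port 40000 ssh2
EOF
    echo "$f"
}

# Stand-alone run: report sources with five or more failures in the sample.
ssh_spray_report "$(make_sample_auth_log)" 5
```

The same credential reused across cry0l1t3 and mrb3n is what makes the spray succeed, so the report is most useful alongside a check for accepted logins from a source that was failing moments earlier.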

I run linpeas again and find potential creds for the mrb3n user:

I test the creds and I'm able to access the mrb3n account:

I ran linpeas again as mrb3n but didn't get anywhere with the output, so I run sudo -l to see if there is a command we can escape from using GTFOBins. I check, and there is one for the composer command.

If we go to GTFOBins, we can see there is an escape using sudo:

I paste these commands into the terminal and am able to become root:

TF=$(mktemp -d)
# composer runs the "scripts" entries of composer.json as shell commands, so
# a sudo rule for composer is a sudo rule for whatever is written here
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
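The root cause is the sudo rule itself: composer's run-script executes whatever composer.json says, so granting it under sudo is equivalent to granting a root shell. The following is an added example, not code from the walkthrough, that audits a sudoers file (or saved sudo -l output) for rules whose command is a binary that can spawn a shell or run arbitrary commands. The binary list is an assumption drawn from the GTFOBins categories and the sample sudoers content is constructed; extend the list for your environment.

```shell
# Added example (not from the walkthrough): list sudo rules that hand out a
# binary known to break out to a shell, such as the composer rule above.
audit_sudoers() {
    # $1: a sudoers file, or a file holding saved `sudo -l` output
    # Binary list is an assumption based on GTFOBins sudo entries.
    shell_escape_bins='composer|vim|vi|less|more|find|awk|perl|python[0-9.]*|env|bash|sh|zsh|nmap|tar|zip|git'
    awk -v bins="$shell_escape_bins" '
        /^[[:space:]]*(#|Defaults)/ { next }   # comments and Defaults lines
        NF == 0 { next }                        # blank lines
        {
            # Rule shape: user host=(runas) [NOPASSWD:] cmd1, cmd2 ...
            # Keep only the command list: drop everything up to the first
            # "=", then a leading "(runas)" group, then tag words.
            cmds = $0
            sub(/^[^=]*=/, "", cmds)
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", cmds)
            gsub(/NOPASSWD:|PASSWD:|SETENV:|NOSETENV:|NOEXEC:/, "", cmds)
            n = split(cmds, parts, ",")
            for (i = 1; i <= n; i++) {
                cmd = parts[i]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmd)
                split(cmd, words, "[[:space:]]+")
                bin = words[1]
                sub(/^.*\//, "", bin)           # strip the directory part
                if (bin ~ "^(" bins ")$")
                    printf("line %d: %s can break out to a shell (%s)\n", NR, bin, $0)
            }
        }' "$1"
}

# Constructed sample sudoers: two safe-looking rules and two that hand out
# shell-escape binaries (composer and tar).
make_sample_sudoers() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# /etc/sudoers - constructed sample for the audit
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
mrb3n   ALL=(ALL) /usr/bin/composer
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
EOF
    echo "$f"
}

# Stand-alone run: audit the constructed sample.
audit_sudoers "$(make_sample_sudoers)"
```

Rules granting ALL are deliberately not reported, since they are already unrestricted by design; the audit is for rules that look scoped but are not. The fix for a flagged rule is to remove it or replace the binary with a wrapper script that takes no user-controlled arguments.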

Privesc 2 – PwnKit

When we first ran linpeas as the www-data user, I saw that this machine is potentially vulnerable to PwnKit.

I go back to being the www-data user and upload PwnKit to the /tmp folder.

I simply transfer PwnKit over, run it, and become root:

End of walkthrough.

– Z333RO
