This is a walkthrough of the machine called “Academy” at HackTheBox:
https://app.hackthebox.com/machines/Academy
In this walkthrough, we cover two possible privilege-escalation paths on the machine, one through GTFOBins and one through PwnKit.
I first run rustscan to see which ports are open on this machine:
rustscan -a 10.129.234.151 --ulimit 5000 --range 1-65535 -- -sVC -Pn
There is one odd port at 33060, which just seems to be a MySQL server.
I run nuclei as well.
nuclei -u http://academy.htb
If I navigate straight to the IP, I get redirected to academy.htb.
I add it to my /etc/hosts file and navigate directly to the URL:
It is just a page with an image:
Next I run gobuster to enumerate any possible routes:
gobuster dir -k -u http://academy.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -x txt,php,html -t 40
I get a few hits:
There is a register.php page that seems interesting.
I register for an account and check Burp Suite to see the request:
It seems to just be the HTB Academy page or a replica of it:
There was a roleid parameter in the request when we first registered, so I go back, re-register as a different account with a changed roleid, and log in again:
When I log in, nothing changes; it is still the same academy page. But I remember that when we first ran gobuster, there was also a potential admin page at admin-page.php.
I simply navigate there as the hacker2 user (whose role I changed on the register page) and I see what seems to be a planner.
There is another subdomain, and I add it to the /etc/hosts file:
When we navigate there, we can see some logs, and we see an app name of “Laravel” along with an APP_KEY.
If we run searchsploit, we can see a Metasploit module available for this target as a potential foothold:
In msfconsole, we use the module exploit/unix/http/laravel_token_unserialize_exec and get our first foothold.
We first do a Python shell (TTY) upgrade to get a proper shell:
Next we do a file transfer using python -m http.server 80.
Then we download linpeas and make it executable with chmod:
Next I run linpeas to get suggestions on privesc methods:
Linpeas finds a password in an .env file:
Checking the output again, we can see a few users and can spray the password using hydra to see if we get access via ssh:
After creating the user and password list, I run the following command with hydra to pop an account via ssh:
hydra -L users.txt -P passwords.txt 10.129.234.151 ssh
I ssh into the box and get access to the cry0l1t3 account:
I run linpeas again and find potential creds for the mrb3n user:
I test out the creds and I’m able to access the mrb3n account:
I ran linpeas again as mrb3n but didn’t get anywhere with the output, so I run sudo -l to see if there is a command we can escape from using GTFOBins. There is an entry for the composer command.
If we go to GTFOBins, we can see there is an escape using sudo:
I paste this command into the terminal and I am successfully able to become root:
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
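As an added example that is not part of the original walkthrough: from the defender's side, this composer escape leaves a distinctive sudo entry in auth.log, and the Python snippet below flags it over constructed sample log lines (the hostname, timestamps and temp path are assumed). The real mitigation is simply not to grant composer, or any other script-running tool, via sudo.

```python
import re

# Constructed sample auth.log lines (not captured from the box); the last one
# is the GTFOBins-style composer escape described above.
SAMPLE_LOG = """\
Nov 12 10:30:11 academy sudo:    mrb3n : TTY=pts/1 ; PWD=/home/mrb3n ; USER=root ; COMMAND=/usr/bin/apt update
Nov 12 10:31:40 academy sudo:    mrb3n : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/composer install
Nov 12 10:32:05 academy sudo:    mrb3n : TTY=pts/1 ; PWD=/home/mrb3n ; USER=root ; COMMAND=/usr/bin/composer --working-dir=/tmp/tmp.AbC123 run-script x
"""

# Standard sudo log format: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Directories any user can write to: a composer.json there is attacker-controlled.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify(cmd):
    """Return a reason string if a sudo COMMAND looks like the composer escape, else None."""
    argv = cmd.split()
    if not argv or not argv[0].endswith("/composer"):
        return None
    if "run-script" not in argv:
        return None  # install/update etc. are not the run-script escape
    # Only the --working-dir=DIR form is handled here (the form used on GTFOBins).
    wd = next((a.split("=", 1)[1] for a in argv if a.startswith("--working-dir=")), None)
    if wd and (wd.rstrip("/") + "/").startswith(WRITABLE_DIRS):
        return "composer run-script with composer.json in world-writable dir"
    return "composer run-script under sudo (scripts run as root)"


def scan(log_text):
    """Return (user, target, reason, cmd) for each suspicious sudo line."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        reason = classify(m["cmd"])
        if reason:
            hits.append((m["user"], m["target"], reason, m["cmd"]))
    return hits


if __name__ == "__main__":
    for user, target, reason, cmd in scan(SAMPLE_LOG):
        print(f"[!] {user} -> {target}: {reason}: {cmd}")
```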
When we first ran linpeas as the www-data user, I saw that this machine is potentially vulnerable to PwnKit.
I go back to being the www-data user, transfer PwnKit to the /tmp folder, run it and become root:
End of walkthrough.
– Z333RO