Academy: HackTheBox walkthrough
Another Easy VM from HackTheBox as they say. I suffered a bit while solving this and rated it a bit hard, but learned something new. All thanks to egre55 && mrb3n. As usual, add academy.htb in your /etc/hosts file and you are good to go.
- Analysis of Header using Burp
- Gaining Foothold using Metasploit
- Privilege Escalation through composer
Running an Nmap scan to find open ports for enumeration.
So let’s first enumerate port 80. I decided to start a gobuster scan and got something useful.
So, lots of .php pages. Let’s first get registered on the platform. After registering, we are redirected to login.php. Enter the credentials and we are logged in successfully. Nothing interesting on the platform.
Then I decided to intercept the data when we register on the platform and encountered something new “roleid =0”.
This time I changed the value to “1” and forwarded the data, but again I am redirected to login.php.
Now I repeated the same process but instead of going to the login.php, I went to admin.php, and boom we got some foothold.
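The registration flow above works because the server trusts a roleid sent by the client. As an added example (not code from this post or from the Academy application), here is the handler pattern that allows it beside a hardened one; the function names, the username/password field names and the sample values are assumptions.

```php
<?php
// Added example: hypothetical handlers, not the Academy application's code.
// Field names other than roleid are assumptions.

const ROLE_USER = 0; // the value the registration form sends by default

// Vulnerable pattern: every submitted field, including roleid, is trusted.
function register_vulnerable(array $post): array
{
    return [
        'username' => $post['username'] ?? '',
        'password' => password_hash($post['password'] ?? '', PASSWORD_DEFAULT),
        'roleid'   => (int) ($post['roleid'] ?? ROLE_USER),
    ];
}

// Hardened pattern: only allow-listed fields are read; the role is set server-side.
function register_hardened(array $post): array
{
    $allowed = ['username', 'password'];
    $unexpected = array_diff(array_keys($post), $allowed);
    if ($unexpected !== []) {
        // Worth logging: extra fields on a registration request are a tampering signal.
        error_log('register: ignored fields: ' . implode(',', $unexpected));
    }
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        throw new InvalidArgumentException('username and password are required');
    }
    return [
        'username' => $username,
        'password' => password_hash($password, PASSWORD_DEFAULT),
        'roleid'   => ROLE_USER, // never taken from the request
    ];
}

// Constructed sample: a registration body with roleid changed to 1.
$tampered = ['username' => 'alice', 'password' => 'Sample-Passw0rd', 'roleid' => '1'];

$v = register_vulnerable($tampered);
$h = register_hardened($tampered);
printf("vulnerable roleid=%d, hardened roleid=%d\n", $v['roleid'], $h['roleid']);
```

Pages such as admin.php should also check the stored role on every request, so that a role assigned at registration is never the only control.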
Add this [subdomain].academy.htb to the /etc/hosts file and access it in the browser.
Looking around the page I got some useful information such as APP_NAME=Laravel and APP_KEY=………………
Searching the internet, I came across a Laravel exploit for an RCE vulnerability. Open the bad boy Metasploit and search for the Laravel exploit. Set the options.
Then run the exploit and boom, we got low-level privileges.
Horizontal Privilege Escalation
Listing the home directory, we can see lots of users. I wasted a lot of time, then realized the image mentioned the user cry0I1t3. So first, we have to escalate our privilege horizontally to user cry..t3. After exhausting my brain a lot, I searched for important Laravel files. Opening the file gives me the password of the user cry0I1t3.
Now switch to the user cry0I1t3 and check if he has any sudo privilege or not.
Since this user is not in the sudoers list I decided to find files related to the user mrb3n.
Note: Log in as user cry0I1t3 through SSH for a better experience.
After searching the files I decided to see “groups” info for this user and I found this user is in the “adm” group. Move to /var/log/audit and search for the mrb3n credentials. (Hint- use grep)
Now switch to the user mrb3n…
…and check what sudo privilege he/she has.
Vertical Privilege Escalation
So, this user can run the “composer” command. Visit GTFOBins for privilege escalation.
Boom we are in r🤠🥳t.
NOTE:- So, after getting the root HASH I went through all the write-ups which are encrypted, and learned something new.
Generate a pair of SSH keys using ssh-keygen. Now copy the public key (id_rsa.pub) and paste it like this 👇 (x → SSH)
Now run composer and it will add the key to /root/.ssh/authorized_keys.
Now change the permission of the private key (id_rsa) to 600 and use the following 👇 to get root access. Access all the flags.