I am in the midst of my pursuit for the Offensive Security Certified Professional (OSCP) certification in May. Part of my preparation is to take on machines available on Hack The Box (HTB) platform. HTB is a great platform for practicing and learning new penetration testing skills as well as taking on the challenge of “capturing the flag” on their machines.

Another box, let’s get right into it!

Prerequisites

I added the machine’s IP to make my /etc/hosts file for easier access to the target machine:

echo "10.10.10.215 academy.htb" >> /etc/hosts

Reconnaissance

My first step would be to run a Nmap scan:

nmap -Pn -sC -sV -A -p- -oN initial 10.10.10.215

These were the results:

Scanning and Enumeration

Seeing port 80 was open, I visited it and was greeted with this page:

There were two pages: Log in and Register. I created a new account and logged in with it. After spending a lot of time poking around the website, I still could not find any clues to my next step.

Exploitation

Therefore, I decided to fire up BurpSuite and repeat the process of creating a new account:

I was analysing the parameters and noticed ‘roleid’:

This made me think that I can create an admin account, and there was an admin panel that could be accessed. I decided to change ‘0’ to ‘1’ in an attempt to create an admin account:

Next, I visited the academy.htb/admin.php and I was greeted with a login page:

I used the credentials I created while intercepting the requests, and managed to access the admin panel!

There were more clues here:

  1. Two users: cry0l1t3 and mrb3n
  2. A website: dev-staging-01.academy.htb

I added the domain to the /etc/hosts file for easier access:

echo "10.10.10.215 dev-staging-01.academy.htb" >> /etc/hosts

I visited that site, and was greeted with this:

Scanning the website, I found many juicy details I believed would help me in my next stage.

I researched Laravel and found an article that stated that it is vulnerable to Unserialize Remote Command Execution.

Gaining Access

I fired up Metasploit and used exploit/unix/http/laravel_token_unserialize_exec with the following options (which I had found in my previous stages) and finally gained access!

This was a dumb shell, and I could not do much with it. Therefore, I used Python3 to upgrade my shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Straight away, I tried to access the MySql server with the credentials I found in my previous stage. But I had no luck:

I started looking around the machine and finally found another pair of credentials:

I tried to log in to MySQL again but failed. Then, I remembered that port 22 was open (Found in my Nmap scan). So, I used the password found with the two users (Found in exploitation stage), and managed to gain access with the user ‘cry0l1t3’ and obtain the user flag:

Finally!

I noticed that the group this user was allocated to was ‘adm’. I searched it up and found that it means members of adm are allowed to view some logfiles. I took this as a clue to my next step and looked for log files that possibly exposed the root user’s hash. I found the directory (/var/log/audit) which contained the logs. With the help of grep, I managed to find the hex of the hash of the root user.

I then used python to decrypt the hash:

It seemed like another password! Thus, I attempted to SSH into the other account I found earlier: mrb3n, and it worked:

I wanted to find out the permissions I had for this user, so I used sudo -l and found that I could run composer scripts!

I hunted online for how to exploit this and found the very handy, GTFOBins, which stated exactly how I could escalate privileges:

I ran the commands and managed to gain access as root and find the root hash!

Academy may have been categorised as an easy box, but I spent 3 hours trying to complete it. The feeling of accomplishment makes the 3 hours spent a fruitful one.