HackTheBox Writeup — Academy

Hello guys, I am Faisal Husaini. My username on HTB is “feodore”. Also join me on Discord.

The IP of this box is

Running a full Nmap port scan on it, we get

We have 3 open ports: port 22, port 80 and port 33060, for SSH, web and MySQLx respectively

Looking at the web part of the Nmap scan, we see it redirects to the http://academy.htb domain, so I add it to our hosts file and move on to the web

Checking the web, we have a webpage where we can see the option for Login and Register

Registering a user and then logging in

We get a wonderful webpage which is a clone of the HackTheBox’s new initiative Academy

Nothing much in this webpage, so let's check the Gobuster result

We found an admin.php page which redirects us to a login page for admins

Moving towards the register.php where we registered a new user before and intercepting the request in Burp Suite

We see that the parameter uid is the username, password is the password, and there is an additional parameter roleid, which is set to 0 by default. Maybe it controls the account privileges, in which case changing it to 1 might give us admin privileges

Sending the request and then trying to log in on the admin.php page redirects us to admin-page.php, where we have a planner page with some to-do tasks, one of which is still pending
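The roleid behaviour described above is a registration handler trusting a privilege field sent by the client. The following is an added example, not code from the box or from the original writeup: a hypothetical PHP handler showing the vulnerable pattern beside a hardened one. The function names, the ROLE_* constants and the sample values are assumptions; only the field names uid, password and roleid come from the intercepted request.

```php
<?php
declare(strict_types=1);

// Hypothetical handlers for illustration; not the real register.php.
const ROLE_USER = 0;   // default value seen in the request
const ROLE_ADMIN = 1;  // assumed admin value

/** Vulnerable pattern: the role is read from the client-supplied form body. */
function buildUserVulnerable(array $post): array
{
    return [
        'username' => (string)($post['uid'] ?? ''),
        'password' => password_hash((string)($post['password'] ?? ''), PASSWORD_DEFAULT),
        'roleid'   => (int)($post['roleid'] ?? ROLE_USER), // client-controlled
    ];
}

/** Hardened pattern: allowlist the input fields and assign the role server-side. */
function buildUserHardened(array $post): array
{
    $allowed = ['uid', 'password'];
    $unexpected = array_values(array_diff(array_keys($post), $allowed));
    if ($unexpected !== []) {
        // A roleid in a registration request is a tampering signal worth alerting on.
        // json_encode keeps attacker-chosen field names from breaking the log line.
        error_log('registration: unexpected fields ' . json_encode($unexpected));
    }

    $uid = $post['uid'] ?? null;
    $password = $post['password'] ?? null;
    if (!is_string($uid) || $uid === '' || !is_string($password) || $password === '') {
        throw new InvalidArgumentException('uid and password are required');
    }

    return [
        'username' => $uid,
        'password' => password_hash($password, PASSWORD_DEFAULT),
        'roleid'   => ROLE_USER, // never taken from the request
    ];
}

// Constructed sample request body with the role field tampered.
$tampered = ['uid' => 'alice', 'password' => 'example-Passw0rd', 'roleid' => '1'];
var_dump(buildUserVulnerable($tampered)['roleid'] === ROLE_ADMIN);
var_dump(buildUserHardened($tampered)['roleid'] === ROLE_USER);
```

Role changes then belong in a separate, authenticated admin-only action rather than in the public registration form.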

We see one of the tasks is to fix the issue on the dev-staging-01.academy.htb domain, so we add it to our hosts file and try to access it

Doing some web enumeration on it, we see the environment variables, which show the details of the app and tell us that it is built on the Laravel framework

Searching on Google for exploits for Laravel, we find an exploit available in Metasploit

We set the required options for the exploit

Our exploit ran successfully and we got a shell as www-data

Enumerating the webroot directory, we have a .env file which has a DB_PASSWORD

Trying the password for the available users on the machine, we get a successful hit on user cry0l1t3

Time for privilege escalation

Unintended Way

As soon as I was logged in through SSH, there was a broadcast message displayed with the password for mrb3n leaking

Intended Way

Checking the groups of the current user, we see it is a member of the adm group

Finding files accessible to members of the adm group, a lot of log files were accessible to the current user, and the interesting ones were the audit log files

Checking those log files, we see that there is a lot of encrypted data

Decrypting all of that data using CyberChef’s Magic decryption leads us to the password for the mrb3n account

Connecting to the account was successful

Running the sudo -l command, we see the user can run /usr/bin/composer with sudo privileges

Taking reference from GTFOBins for this binary helped in getting root
