Hack The Box: Academy Writeup without Metasploit

Academy is an easy-rated box that required exploiting a Laravel deserialization vulnerability (CVE-2018-15133) for an initial foothold and abusing sudo rights for composer to get root. Let's jump in.

RECON

We will begin reconnaissance with a full TCP Nmap scan, using the following options:

  • -T4 : Use the aggressive timing template for a faster scan
  • -sC : Run the default NSE scripts
  • -sV : Run service and version detection
  • -Pn : Treat all hosts as online (skip host discovery)
  • -p- : Scan all 65535 TCP ports
  • -vv : Very verbose output
  • -oA : Save the output in all three formats (normal, grepable and XML)

The result of the Nmap scan is as follows:

We have three ports open:

  • Port 22: SSH (OpenSSH 8.2p1 Ubuntu)
  • Port 80: Apache HTTPd 2.4.41
  • Port 33060: MySQL X Protocol (mysqlx)

Enumeration

Let us begin enumerating the open ports, starting with the ports that offer the narrowest range of attack vectors.

Port 22

We have OpenSSH 8.2p1 running on an Ubuntu machine. A quick Google search reveals that the Ubuntu release is probably Focal. This OpenSSH version is not associated with any major vulnerability, so we will leave this port for now.

Port 33060

On port 33060 we have the MySQL X Protocol service (mysqlx). MySQL clients use this port to connect to the server over the X Protocol. It is supported by clients such as MySQL Shell and the community MySQL Connectors, whereas the classic mysql client and tools like mysqldump use the classic port. The X Protocol is an alternative MySQL query interface that comes with an alternative API called the X DevAPI; it lets you access data as JSON documents and also supports SQL. You can read more about it in the link attached. As we do not have credentials, let's leave this port for now.

Port 80

We have Apache 2.4.41 running on port 80. The Nmap scan shows that the web page redirects to http://academy.htb/, which is a possible hostname. Add the hostname to /etc/hosts.

First, let us check the web server information with WhatWeb, piping the output through tee.

tee is a command-line utility that reads standard input and writes it both to standard output and to one or more files, so the output is saved to disk while still being shown on screen.

WhatWeb returns the following output:

Opening the URL in a web browser returns the following page.

The web page has Login and Register options. In the background, run Gobuster to discover hidden files and directories.

Exploitation

The first thing I tried was logging in with some common credentials like admin/admin, admin/password, root/password, etc. I was unable to log in.

Let's try to register a new user. Whenever dealing with HTML forms, it is good practice to check the page source for hidden input fields or comments.

The Register form has a hidden input field named roleid with a default value of 0. Using the inspector tool in a web browser we can simply remove the type="hidden" attribute to unhide the field. Now let us create a new user and set roleid to 1 instead of the default value 0.

We have successfully created a new user. Log in by clicking the Login option. After logging into the web app we get the following page.

The webpage has been built on PHP but I couldn’t find anything of interest here.

By this time the Gobuster scan had finished and returned the following files/directories.

We have an admin.php page. Let's try to log in with the user we created earlier. We are in!

So what the hell just happened? Well, it's simple: the register.php page has a hidden input field with a roleid of 0. The database probably has a roleid column where 0 means a regular user and 1 means an admin. The website has a separate login page for admins, and when someone logs in through admin.php their roleid is checked. The application probably tells users and admins apart purely on the basis of roleid, so a user with a roleid of 1 is treated as a valid admin. The root cause is that the server trusts a value that the client fully controls. Hopefully, that makes sense.

The admin-page.php page, the admin dashboard, contains a sort of to-do checklist. We have a few things of interest here.

  • We have two possible usernames: cry0l1t3 and mrb3n
  • We have a subdomain dev-staging-01.academy.htb.

Add the subdomain to the /etc/hosts file. Staging and dev subdomains are always worth a look, as they may expose errors, comments or features that are not visible on the production website.

Visiting the URL displays the following webpage.

The page is broken because the application lacks permission to write to /var/www/html/htb-academy-dev-01/storage/logs/laravel.log, and it displays the PHP/Laravel debug error page instead. Error messages are generally a treat and can reveal sensitive information. In our case, we have a few things of interest.

We have the Laravel application key (APP_KEY) and the database connection details.

The first thing I tried was connecting to the MYSQLX port with the database credentials.

No success. The MySQL X port is probably configured to accept connections only from localhost (127.0.0.1), as the error message shows.

The next thing to do is to search for what can be done with a Laravel application key.

Success. We have a CVE (CVE-2018-15133): in Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. In simple words, Laravel versions up to 5.5.40 and 5.6.0 through 5.6.29 are vulnerable to insecure deserialization, and the attack requires knowledge of the application key.

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage or to send as part of communications.

Deserialization is the reverse of that process: taking data structured in some format and rebuilding it into an object. Today, the most popular data format for serializing data is JSON.
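As an added check that is not part of the original writeup, the following Python compares the laravel/framework version pinned in a project's composer.lock against the affected ranges quoted above; the lock file content is constructed for the example.

```python
import json

def parse_version(v):
    """'v5.6.12' -> (5, 6, 12); a pre-release suffix such as '-beta' is dropped."""
    core = v.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True when the version falls inside a range the CVE description names:
    everything through 5.5.40, and 5.6.0 through 5.6.29."""
    ver = parse_version(version)
    if ver <= (5, 5, 40):          # "through 5.5.40" also covers every earlier release
        return True
    return (5, 6, 0) <= ver <= (5, 6, 29)

def laravel_version_from_lock(lock_text):
    """Return the pinned laravel/framework version from a composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return pkg.get("version")
    return None

def check_lock(lock_text):
    """(version, affected) for a composer.lock; (None, False) when Laravel is not pinned."""
    version = laravel_version_from_lock(lock_text)
    return (version, is_affected(version)) if version else (None, False)

# Constructed composer.lock fragment (not the box's file) that pins a vulnerable release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v5.6.12"},
        {"name": "monolog/monolog", "version": "1.23.0"},
    ]
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```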

You can read more about the CVE and Deserialization in the following links:

We have a public exploit available at https://github.com/aljavier/exploit_laravel_cve-2018-15133

Download the exploit and run it as follows.

We have RCE. Let’s get a reverse shell.

We get a shell as www-data.

Privilege Escalation

Navigate to /var/www/html/academy/. A Laravel environment file, .env, is available there. Check the contents of the file.

We have the database password. Check /etc/passwd for potential users.

We have a few users. Copy the users that have a login shell and save them to a file. Grab only those users with the following command.

Save the database password to a file.

Next, we will brute-force SSH with CrackMapExec to check whether the database password has been reused for any of these users.

We get a valid user cry0l1t3.

SSH in as the cry0l1t3 user with those credentials.

Download and run LinPEAS.

LinPEAS shows that the following file has been updated in the last 5 minutes:

  • /var/log/audit/audit.log

LinPEAS also finds a password in the /var/log/audit/audit.log.3 file.

The password appears to be hex-encoded. Convert the hex characters to ASCII with an online converter.
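As an added example that is not part of the original writeup, here is a Python parser that performs the hex conversion over auditd TTY records and flags input typed into password-prompting programs; the log lines are constructed, and the parser assumes the standard auditd key=value record format in which TTY auditing stores keystrokes as hex in the data= field.

```python
import re

# Constructed sample in the auditd record format (not the box's real log). With TTY
# auditing enabled, each TTY record's data= field is the hex of what the user typed,
# which is how a password entered at a prompt ends up in audit.log.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1604927050.100:70): pid=2500 uid=0 auid=1002 ses=3 msg='op=PAM:session_open acct="user1"'
type=TTY msg=audit(1604927060.211:78): tty pid=2517 uid=1002 auid=1002 ses=3 major=4 minor=1 comm="bash" data=6C73202D6C610D
type=TTY msg=audit(1604927061.500:79): tty pid=2517 uid=1002 auid=1002 ses=3 major=4 minor=1 comm="bash" data=7375206D7262336E0D
type=TTY msg=audit(1604927066.331:81): tty pid=2521 uid=1002 auid=1002 ses=3 major=4 minor=1 comm="su" data=4578616D706C652D50613535773072640D
type=TTY msg=audit(1604927070.002:83): tty pid=2517 uid=1002 auid=1002 ses=3 major=4 minor=1 comm="bash" data=6578697
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Programs that read a password from the terminal; their TTY input is the likeliest secret.
SENSITIVE_COMMS = {"su", "sudo", "passwd", "ssh", "mysql"}

def parse_record(line):
    """Split one audit line into a dict of key=value fields (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def printable(raw):
    """Render decoded keystrokes with control bytes escaped so a trailing CR stays visible."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in raw)

def decode_tty_records(log_text):
    """Return (comm, keystrokes) for every TTY record with a well-formed hex data= field."""
    results = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "TTY" or "data" not in rec:
            continue
        hexdata = rec["data"]
        if len(hexdata) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexdata):
            continue  # truncated or corrupted record: skip it rather than mis-decode it
        results.append((rec.get("comm", "?"), printable(bytes.fromhex(hexdata))))
    return results

def find_exposed_secrets(log_text):
    """Keystrokes fed to password-prompting programs, i.e. the records worth rotating creds over."""
    return [(c, t) for c, t in decode_tty_records(log_text) if c in SENSITIVE_COMMS]

if __name__ == "__main__":
    for comm, text in decode_tty_records(SAMPLE_AUDIT_LOG):
        print(f"{comm:6} {text}")
    print("likely secrets:", find_exposed_secrets(SAMPLE_AUDIT_LOG))
```

Running the same function over a real audit.log is a quick way for a defender to confirm whether TTY auditing is capturing credentials that should never have been written to disk.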

We have a password. It is probably for the mrb3n user, so SSH in as mrb3n.

We are the mrb3n user. Let's check for basic privesc vectors like SUID binaries, sudo rights, group memberships and cron jobs.

Checking our sudo permissions shows that we can run composer with sudo.

Check GTFOBins. We can indeed abuse the sudo rights for composer. We will use the following set of commands to gain root.

We are root.

We can now grab the flags.

For suggestions/queries reach out to me on Twitter @accesscheck.

Web Developer | Security Researcher | OSCP | Noob