

# Nmap 7.80 scan initiated Sat Dec 12 19:26:28 2020 as: nmap -sV -sC -oA nmap/initial academy.htb
Nmap scan report for academy.htb (10.10.10.215)
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel
# Nmap done at Sat Dec 12 19:26:37 2020 - 1 IP address (1 host up) scanned in 8.28 seconds

Not too much, just SSH and HTTP on the standard ports. We can see some sort of HTB Academy website with courses. There seems to be a login / register functionality, so I signed up for an account. However, none of the details I entered are displayed; instead I get the account of a user named egre55 (the creator of the box). After inspecting everything I couldn't find anything interesting, so I fired up ffuf and started directory bruteforcing. Noticing that the endpoints I had seen before all had .php extensions, I tried to enumerate more PHP files. Cool! Looks like admin.php and config.php could be interesting. I got my hopes up too much, as config.php just returned a blank page and admin.php was just a login page. From here on it seemed clear: I had to find a way to escalate my normal user privileges to admin. I was a bit lost, so I started monitoring requests with Burp to see how the registration flow was implemented.

[Image: Academy HackTheBox registration]

To my surprise there was a parameter, roleid, set to 0. I imagined that could indicate whether the user was an admin or not, so I changed it to 1. Then I tried to log in to the admin panel I had seen earlier and could access it with this new account! I added the new vhost to my hosts file and upon visiting it I was greeted with a Laravel exception! I dug through the Environment & details section and found the APP key. Now, if you are not aware, the APP key can be used to gain RCE because of an insecure unserialize call:

This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation.

There is a Metasploit module that we can use to exploit this issue. One thing to take into account is that it needs the dev vhost in order to work. Then we just run it and get a shell as www-data.

I started by enumerating the /var/www/html/htb-academy-dev-01/ directory that contained the code for the dev vhost.

[Image: Academy HackTheBox code]

.env contained some interesting DB_ credentials: homestead:homestead. I tried to use them to check the database contents but had no luck. This was strange, since the database was working when registering (otherwise we wouldn't be able to create a new user). I knew there had to be some valid credentials lying around, so I kept on digging and found that the academy directory had the same file with a different size. The credentials were different: dev:mySup3rP4s5w0rd!!.

[Image: Trying to access the DB with new credentials]

Then, while going over the files I remembered the config.php file that I saw during my directory bruteforcing and decided to check it out. Got it! Those were the credentials being used to connect to the database: root:GkEWXn4h34g8qx9fZ1.
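The X-XSRF-TOKEN envelope that the Laravel module description above relies on, as an added example (not the author's or Laravel's own code; written in Ruby since the tooling discussed is Metasploit): it rebuilds the Encrypter format, base64(JSON{iv, value, mac}) with HMAC-SHA256 keyed by APP_KEY, to show that the MAC check is the only barrier in front of the unserialize() call, so a leaked key defeats it, and that rotating APP_KEY after a leak makes every token minted under the old key fail that check before any decryption happens. The keys, the sample plaintext and the InvalidMac class are constructed for this example.

```ruby
require 'openssl'
require 'json'
require 'base64'

class InvalidMac < StandardError; end   # raised when a token was not minted under the current key

# Raw 32-byte key from the "base64:..." form Laravel stores as APP_KEY in .env.
def decode_app_key(app_key)
  raw = Base64.strict_decode64(app_key.sub(/\Abase64:/, ''))
  raise ArgumentError, 'APP_KEY must decode to 32 bytes (AES-256-CBC)' unless raw.bytesize == 32
  raw
end

# Laravel's MAC: HMAC-SHA256 over base64(iv) || base64(ciphertext), keyed with the APP_KEY.
def laravel_mac(key, iv_b64, value_b64)
  OpenSSL::HMAC.hexdigest('SHA256', key, iv_b64 + value_b64)
end

# Build a payload in the Encrypter envelope format: base64(JSON{iv, value, mac}).
def laravel_encrypt(app_key, plaintext)
  key = decode_app_key(app_key)
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key = key
  iv_b64 = Base64.strict_encode64(c.random_iv)
  value_b64 = Base64.strict_encode64(c.update(plaintext) + c.final)
  mac = laravel_mac(key, iv_b64, value_b64)
  Base64.strict_encode64(JSON.generate({ 'iv' => iv_b64, 'value' => value_b64, 'mac' => mac }))
end

# Verify the MAC under the *current* APP_KEY before touching the ciphertext, as the framework
# does: both MACs are re-hashed under a throwaway key so the comparison leaks no timing.
# Returns the plaintext bytes; the vulnerable versions handed exactly these to unserialize().
def laravel_decrypt(app_key, token)
  key = decode_app_key(app_key)
  env = JSON.parse(Base64.strict_decode64(token))
  salt = OpenSSL::Random.random_bytes(16)
  expected = OpenSSL::HMAC.digest('SHA256', salt, laravel_mac(key, env['iv'].to_s, env['value'].to_s))
  given = OpenSSL::HMAC.digest('SHA256', salt, env['mac'].to_s)
  raise InvalidMac, 'MAC mismatch: token was not minted under this APP_KEY' unless expected == given
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key = key
  c.iv = Base64.strict_decode64(env['iv'])
  c.update(Base64.strict_decode64(env['value'])) + c.final
end

# Constructed sample: a token minted under the (pretend-leaked) key verifies under that key only.
LEAKED_KEY   = 'base64:' + Base64.strict_encode64('K' * 32)
ROTATED_KEY  = 'base64:' + Base64.strict_encode64('R' * 32)
SAMPLE_TOKEN = laravel_encrypt(LEAKED_KEY, 's:5:"hello";')   # a harmless serialized PHP string
```

laravel_decrypt(LEAKED_KEY, SAMPLE_TOKEN) returns the serialized string, while laravel_decrypt(ROTATED_KEY, SAMPLE_TOKEN) raises InvalidMac; note that rotating APP_KEY also invalidates every session cookie encrypted under the old key, so plan the rotation as part of the incident response.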
