# [[Academy (Box)]]

---

### Port Scanning and general enumeration (Nmap, FFuF)

---

![50d2e12ca1c5601d914184b0bf6661d9.png](d3ac682d8f4f49b0891c32ce15910d36.png)

A webserver, and something to do with MySQL on that high port. Let's enumerate the webserver.

Browsing to the site gives us an error pointing to `academy.htb`. Adding the box's address and `academy.htb` to our hosts file fixes the error.

![d9b796c2518f250cc3e196ccbe0eb039.png](ce4343ec1c9e4b90904b50509505f589.png)

We have the ability to **LOGIN** and **REGISTER**. After registering and logging in we're greeted with a `home.php` page that looks like the **HTB Academy**, but nothing on it works! Well, we know the site is built on `php`, so let's toss `FFuF` at it, fuzzing for `.php` files.

![f1a45e5bdfff327692798c5ae8316ec2.png](c885217dc1fb4b35a4a3d984094b9cab.png)

An admin page??

![600d708b15aa6245d4e1f119448ca2c9.png](10878171d4794211b363d9784b234924.png)

It requires credentials that we don't have.

### Access (BurpSuite, metasploit)

---

Let's go back and take a closer look at the registration process by capturing the request in `BurpSuite`.

![3cb756c61815290b3012361822aba719.png](1e9fed2ad8d54959814ce400a2eb7168.png)

Interesting parameter: `roleid`? Let's change that to `1` and send it off. What happens if we try to use this new account with a `roleid` of `1` to log into the admin section?

![d796be56df0fb9fcd90b062c88f8385e.png](a29201aa6585415c8a36dbf124eff8a8.png)

We're in! Let's add `dev-staging-01.academy.htb` to our hosts file and navigate to it.

![bc446c11ff7ed6a713e46272c63cc8b6.png](aae9fa87619440aba882e0f7e57c7cb6.png)

An error page, but there's a lot of information here. It looks like `database` usernames and passwords; the app name is `Laravel`, and even the app key is shown! I couldn't find a version number for `Laravel`, but let's see if `metasploit` has anything for us.

![632e8e270fb1bf74266e1332fdfb6319.png](744915a56d4f4839a4b12b9cd51938fe.png)

Looking good.
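Before following the Laravel lead, here is how the `roleid` flaw in the registration handler above gets closed on the server side: the role is never read from the request, and a request that carries unexpected fields is reported so the tampering is visible in logs. This is an added example in PHP, not code from the box or the writeup; the field names, the role ids and the alert callback are assumptions.

```php
<?php
// Added example, not code from the box or the writeup: a registration handler that
// trusts every POSTed field, beside one that decides the role server-side.
// Field names (username, password, confirm) and role ids (0 user, 1 admin) are assumed.

const ROLE_USER = 0;
const REGISTER_FIELDS = ['username', 'password', 'confirm'];

// Vulnerable: the client's roleid is stored as-is, so a request body carrying
// roleid=1 creates an administrator account.
function buildUserVulnerable(array $post): array
{
    return [
        'username' => $post['username'] ?? '',
        'password' => password_hash($post['password'] ?? '', PASSWORD_DEFAULT),
        'roleid'   => (int)($post['roleid'] ?? ROLE_USER), // attacker-controlled
    ];
}

// Hardened: only allowlisted fields are read, the role is a server-side constant,
// and any unlisted field is reported so tampering attempts show up in logs.
function buildUserHardened(array $post, callable $alert): array
{
    $unexpected = array_diff(array_keys($post), REGISTER_FIELDS);
    if ($unexpected !== []) {
        $alert('registration request carried unexpected fields: ' . implode(',', $unexpected));
    }
    $pw = $post['password'] ?? '';
    if ($pw === '' || $pw !== ($post['confirm'] ?? '')) {
        throw new InvalidArgumentException('password missing or confirmation mismatch');
    }
    return [
        'username' => $post['username'] ?? '',
        'password' => password_hash($pw, PASSWORD_DEFAULT),
        'roleid'   => ROLE_USER, // never taken from the request
    ];
}

// Constructed request body shaped like the tampered registration in the writeup.
$tampered = ['username' => 'eve', 'password' => 'x', 'confirm' => 'x', 'roleid' => '1'];

// The vulnerable builder echoes the request's roleid back; the hardened one ignores it
// and writes a line to the PHP error log about the unexpected field.
echo 'vulnerable roleid: ', buildUserVulnerable($tampered)['roleid'], PHP_EOL;
echo 'hardened roleid:   ', buildUserHardened($tampered, 'error_log')['roleid'], PHP_EOL;
```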
Outside of the ordinary options, the module requires the `APP_KEY` (that base64 string we found earlier) and the `VHOST`, which in our case is `dev-staging-01.academy.htb`. Let's fire it off and get our shell.

### Privesc (linPEAS, Composer)

---

Doing some manual enumeration on the box, there are a couple of things to note. First, there are *six* users with an interactive shell.

![bd18df03d8ca4912425864bbe2ba0666.png](a891ff403b1c4b2b80409a94b48b432b.png)

Second, the `.env` file for `htb-academy-dev-01` has much of the same information as the error page we found earlier. But since that is basically a staging branch of the site, what if the original `academy` site has an `.env` file too?

![58ef3370131c257ec326df416e40e199.png](b33ecf29136a4be38f1ff02724b2527f.png)

I wonder if any of those six users is the database dev? Maybe they reuse passwords? I tried that password with each user until I found that it works for `cry0l1t3`.

So now we're `cry0l1t3`, what can we do?

![9721cd91f2fea2c49254df819f1cc5e3.png](c75157f998214d2f9fdf881effad76cd.png)

Turns out, not a lot. Let's run `linPEAS` and see if there are any privesc vectors we can use.

![d7a42a1215b856dff146ef9bd0cfe6df.png](aef0b7cd2a054ae2bc6d4433a2059053.png)

Oh? Some horizontal movement? Well, `mrb3n`, what can *you* do?

![168620a022b794072aeb5bbceef4aad0.png](1bd45b8cf83d4d258b66f4dc5c21e5bd.png)

Hey, this user can actually sudo. Checking `GTFOBins`, we find:

![61cfec628e037cb1431eaf7446206735.png](8c2c9251ac5a4a2d96aacd9d6d8af024.png)

Follow the instructions and claim your prize!

![238c19ca94b4dbdbda928c0227ec8cf4.png](8907e33e73484a5d841a2977a2aa707d.png)

---

Back to [[HackTheBox Index]]

Tags: #htb #hackthebox #box_writeups #laravel #metasploit

Related: