# [[Academy (Box)]]
### Port Scanning and general enumeration (Nmap, FFuF)
A web server, and something to do with MySQL on that high port. Let's enumerate the web server.
Browsing to the URL gives us an error pointing to `academy.htb`. Adding the URL and `academy.htb` to our hosts file fixes the error.
We have the ability to **LOGIN** and **REGISTER**. After registering and logging in we're greeted with a `home.php` page that is seemingly the **HTB Academy**, but nothing works! Well, we know that the site is built on `php`, so let's toss `FFuF` at it, fuzzing for `.php` files.
Requires credentials that we don't have.
### Access (BurpSuite, metasploit)
Let's go back and take a closer look at the registration process by capturing the request in `BurpSuite`.
Interesting parameter. `roleid`? Let's change that to `1` and send it off. What happens if we try to use this new account with the `roleid` of `1` to log into the admin section?
We're in! Let's add `dev-staging-01.academy.htb` to our hosts and navigate to it.
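
The registration flaw above comes down to a role field the client is allowed to set. As an added example (not the Academy application's own code; the `uid`, `password` and `confirm` field names and the role constants are assumptions), here is that pattern next to a server-side fix:

```php
<?php
// Added illustration; not the Academy application's source. Field names other
// than roleid, and the meaning of the role values, are assumptions.

const ROLE_USER  = 0;  // assumed: ordinary account
const ROLE_ADMIN = 1;  // the value set in the intercepted request

// Vulnerable pattern: the role is read from the request body, so whoever
// submits the form decides their own privilege level.
function build_user_vulnerable(array $post): array
{
    return [
        'username' => $post['uid'] ?? '',
        'password' => password_hash($post['password'] ?? '', PASSWORD_DEFAULT),
        'roleid'   => (int)($post['roleid'] ?? ROLE_USER),
    ];
}

// Hardened pattern: only allow-listed fields are accepted and the role is
// assigned server-side. Unexpected fields are rejected so the attempt is
// visible in error handling and logs instead of being silently ignored.
function build_user_hardened(array $post): array
{
    $allowed    = ['uid', 'password', 'confirm'];
    $unexpected = array_diff(array_keys($post), $allowed);
    if ($unexpected !== []) {
        throw new InvalidArgumentException(
            'unexpected registration field(s): ' . implode(', ', $unexpected)
        );
    }
    return [
        'username' => $post['uid'] ?? '',
        'password' => password_hash($post['password'] ?? '', PASSWORD_DEFAULT),
        'roleid'   => ROLE_USER,
    ];
}

// Constructed sample input: a registration body with roleid changed to 1.
$tampered = ['uid' => 'tester', 'password' => 'example-pass',
             'confirm' => 'example-pass', 'roleid' => '1'];

echo 'vulnerable roleid: ', build_user_vulnerable($tampered)['roleid'], PHP_EOL;
try {
    build_user_hardened($tampered);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ')', PHP_EOL;
}
```

Privileged roles should only ever be granted through a separate, authenticated admin action, never through the public registration endpoint.
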
Error page, but lots of information here. Looks like `database` usernames and passwords. App name is `Laravel` and even the app key! I couldn't find a version number for `Laravel`, but let's see if `metasploit` has anything for us.
Looking good. Outside of the ordinary options it requires the `APP_KEY` (that base64 string we found earlier) and the `VHOST`, which in our case is `dev-staging-01.academy.htb`.
Let's fire it off and get our shell.
### Privesc (linPEAS, Composer)
Doing some manual enumeration on the box, there are a couple of things to note. First, there are *six* users with an interactive shell.
Second, the `.env` file for `htb-academy-dev-01` had much of the same information as the error page we found earlier. But since it's basically a staging branch of the site, what if the original `academy` site has an `.env` file too?
I wonder if any of those six users is the database dev? Maybe they reuse passwords?
I tried that password with each user until I found that it works for the `cry0l1t3` user.
So now we're `cry0l1t3`, what can we do?
Turns out, not a lot. Let's run `linPEAS` and see if there are any privesc vectors we can use.
Oh? Some horizontal movement? Well, `mrb3n`, what can *you* do?
Hey, this user can actually sudo. Checking `GTFOBins` we find
Follow the instructions and claim your prize!
Tags: #htb #hackthebox #box_writeups #laravel #metasploit