New Page

[email protected]:~$ nmap -p- -A -sC -sV 10.10.10.215
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-18 19:13 MST
Nmap scan report for 10.10.10.215
Host is up (0.068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000


Created login, used burp to change role ID.

Found /admin.php, logged on with user above

dev-staging-01.academy.htb

Took APP_KEY token from stack trace for laravel exploit

https://www.exploit-db.com/exploits/47129

Reverse shell: user: www-data

www-data user is locked to a single directory, but it can read other directories

Home users with data:

21y4d - standard hidden bash files

ch4p - standard hidden bash files

cry0l1t3 - linpeas, user.txt

linpeas.sh has interesting lines:

/etc/master.passwd

#Misconfigured /etc/ld.so.conf.d/ https://book.hacktricks.xyz/linux-unix/privilege-escalation#etc-ld-so-conf-d

#https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation

Not sure what these 2 lines look like ^

/var/www/html/academy/.env:DB_PASSWORD=mySup3rP4s5w0rd!!

^use password to ssh into cry0l1t3 and get user flag

I used linpeas -l 2 and directed output to a file

[+] Checking for TTY (sudo/su) passwords in logs
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "[email protected]!",<nl>
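Added example, not part of these notes: a small parser for `aureport --tty`-style lines in the column layout shown above that flags keystroke records captured while a password-prompting program (su, sudo, passwd, ssh) was the active command, so a defender can confirm whether pam_tty_audit on a host is recording credentials. The sample report and the placeholder password are constructed; findings carry the event id and context only, never the captured value.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `aureport --tty` output:
# "# date time event auid term sess comm data". Password values are placeholders.
SAMPLE_TTY_REPORT = """\
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "<PLACEHOLDER_PASSWORD>",<nl>
3. 08/12/2020 02:29:01 85 0 ? 1 sh "ls -la",<nl>
4. 08/12/2020 02:29:20 86 0 ? 1 sh "sudo -l",<nl>
5. 08/12/2020 02:29:24 87 0 ? 1 sudo "<PLACEHOLDER_PASSWORD>",<nl>
"""

LINE_RE = re.compile(
    r'^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<event>\d+)\s+(?P<auid>\S+)\s+'
    r'(?P<term>\S+)\s+(?P<sess>\S+)\s+(?P<comm>\S+)\s+"(?P<data>.*)",<nl>$'
)

# Programs that read a secret from the TTY: keystrokes logged while one of these
# is the active comm are credentials, not shell commands.
CREDENTIAL_PROMPTERS = {"su", "sudo", "passwd", "ssh"}


@dataclass
class Finding:
    event: int          # audit event id of the record holding the secret
    comm: str           # program that was prompting
    triggered_by: str   # preceding shell command, for triage context


def parse_tty_report(text):
    """Parse report lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def find_captured_credentials(text):
    """Return one Finding per record whose comm is a password-prompting program.
    The secret itself is deliberately not copied into the Finding."""
    findings = []
    last_shell_cmd = ""
    for row in parse_tty_report(text):
        if row["comm"] in CREDENTIAL_PROMPTERS:
            findings.append(Finding(int(row["event"]), row["comm"], last_shell_cmd))
        else:
            last_shell_cmd = row["data"]
    return findings


if __name__ == "__main__":
    for f in find_captured_credentials(SAMPLE_TTY_REPORT):
        print(f"event {f.event}: {f.comm} captured a secret after '{f.triggered_by}'")
```

Any hit means the audit configuration is storing passwords; the fix is to run pam_tty_audit without its `log_passwd` option and purge the affected audit logs.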

Once you're in as mrb3n, run linpeas or lse.sh; you will find one program this user can run with sudo.

Composer has a scripts section that runs commands as whoever runs composer (run with sudo = run as root).

Write a script to cat root.txt, change root's password, or spawn a reverse shell.

Rooted