Academy Walkthrough HackTheBox
First of all, add the box to your hosts file.
nano /etc/hosts
Next, we have to scan for open ports.
The scan shows 2 open ports: SSH and HTTP.
Let’s enumerate HTTP first.
Let’s find some hidden directories. There are lots of .php pages. Let’s first register on the platform. After registering, we are redirected to login.php. Enter the credentials and we are logged in successfully. There is nothing interesting in the platform.
Then I decided to intercept the data sent when we register on the platform, and encountered something new: “roleid =0”.
This time I changed the value to “1” and forwarded the data, but again I was redirected to login.php.
Now I repeated the same process, but instead of going to login.php I went to admin.php, and boom, we got a foothold.
Now add this sub-domain to your hosts file.
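The root cause of the admin.php access above is that registration stores a role sent by the client. The following is an added example, not code from the box or from the original write-up: it contrasts a handler that trusts roleid with one that sets the role server-side, and adds a check that flags tampered registration requests. The field names uid and password and all sample bodies are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Assumed field names; only "roleid" appears in the walkthrough.
ALLOWED_FIELDS = {"uid", "password"}
DEFAULT_ROLE = 0  # ordinary user, matching the roleid=0 seen in the request

# Constructed sample registration bodies (not captured from the box).
SAMPLES = [
    "uid=alice&password=pw1&roleid=0",
    "uid=mallory&password=pw2&roleid=1",
    "uid=eve&password=pw3&roleid=0&roleid=1",
]


def parse_form(body):
    """Decode a form-encoded body, keeping repeated and blank values."""
    return parse_qs(body, keep_blank_values=True)


def register_vulnerable(body):
    """Stores whatever roleid the client sent: the flaw described above."""
    form = parse_form(body)
    return {"uid": form["uid"][0], "roleid": int(form.get("roleid", ["0"])[0])}


def register_hardened(body):
    """Copies only allowlisted fields; the role is always set server-side.
    Password hashing and storage are omitted to keep the example short."""
    form = parse_form(body)
    account = {k: v[0] for k, v in form.items() if k in ALLOWED_FIELDS}
    return {"uid": account["uid"], "roleid": DEFAULT_ROLE}


def is_tampered(body):
    """Flag a roleid that is repeated or differs from the default."""
    values = parse_form(body).get("roleid", [])
    return bool(values) and values != [str(DEFAULT_ROLE)]


if __name__ == "__main__":
    for body in SAMPLES:
        print(register_hardened(body), "tampered:", is_tampered(body))
```

Role changes then belong behind a separate, authenticated admin action, and the tamper check can feed an alert on the registration endpoint.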
Horizontal Privilege Escalation
Listing the home directory, we can see lots of users. I wasted a lot of time, then realized the image mentions the user cry0I1t3. So first, we have to escalate our privilege horizontally to user cry..t3. After exhausting my brain a lot, I searched for important Laravel files. Opening the file gives me the password of the user cry0I1t3.
Now switch to the user cry0I1t3 and check whether he has any sudo privileges.
Vertical Privilege Escalation
So, this user can run the “composer” command. Visit GTFOBins for privilege escalation.
Boom we are in r🤠🥳t.
NOTE: After getting the root hash, I went through all the write-ups, which are encrypted, and learned something new.
Generate an SSH key pair using ssh-keygen. Now copy the public key (id_rsa.pub) and paste it like this 👇 (x → SSH)
Now run composer and it will add the key to /root/.ssh/authorized_keys.
Now change the permissions of the private key (id_rsa) to 600 and use the following 👇 to get root access. Access all the flags.
For more walkthroughs stay tuned…