Academy
Academy
Academy 297
Academy
RETIRED MACHINE

Academy

Academy - Linux Linux
Academy - Easy Easy

4.7

MACHINE RATING

11647

USER OWNS

10553

SYSTEM OWNS

07/11/2020

RELEASED
Created by egre55 & mrb3n

Machine Synopsis

Academy is an easy difficulty Linux machine that features an Apache server hosting a PHP website. The website is found to be the HTB Academy learning platform. Capturing the user registration request in Burp reveals that we are able to modify the Role ID, which allows us to access an admin portal. This reveals a vhost, that is found to be running on Laravel. Laravel debug mode is enabled, the exposed API Key and vulnerable version of Laravel allow us carry out a deserialization attack that results in Remote Code Execution. Examination of the Laravel `.env` file for another application reveals a password that is found to work for the `cry0l1t3` user, who is a member of the `adm` group. This allows us to read system logs, and the TTY input audit logs reveals the password for the `mrb3n` user. `mrb3n` has been granted permission to execute composer as root using `sudo`, which we can leverage in order to escalate our privileges.

Machine Matrix

Ready to start your
hacking journey?