

This is Academy HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted Academy HackTheBox machine. Before starting let us know something about this machine. It is a Linux box with IP address 10.10.10.215 and difficulty easy assigned by its maker.

First of all connect your PC with HackTheBox VPN and make sure your connectivity with Academy machine by pinging its IP 10.10.10.215. If all goes correct then it is time to start hacking.

As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability scanning also. I have used nmap for scanning and the result is given below:

Scanning

Nmap revealed port 22 and port 80 are open. OpenSSH on port 22 and Apache2 web server on port 80 are running. Further nmap script http-title shows redirects to domain academy.htb. Added this domain pointing to IP 10.10.10.215 to my hosts file located at directory /etc/ so that if virtual host routing is enabled on this IP we would get other websites too.

Host File after Modification

After going to register and login pages at URL. As soon as I get any register page during any CTF challenge, I immediately register with some fake credentials because as a registered user we may have more options to play with. Like, if the web application allows us to upload our avatar then we can test for uploading a PHP shell there and we can also test for various injection attacks. So this time too I tried to do the same but unfortunately I was not allowed to do anything which I have talked about.

Checked page-source for some clues in comment section but nothing interesting found in it. Then nothing left except for directory and file bruteforcing. So performed directory bruteforcing with dirsearch (a well-known directory bruteforcing tool written in Python) with its default wordlist.

Directory Bruteforcing

Directory bruteforcing revealed many files which also includes admin.php. After going to this page located at URL admin login page. Tried to login with some default credentials like admin:admin & admin:password but nothing worked. After spending some time on this site and playing with Burpsuite found a way by which we can register and login to admin account. To register yourself as an admin user you have to first capture the request of register.php page into Burpsuite and then simply change the value of parameter roleid to 1 from 0 and change the value of other parameters uid, password & confirm to something other than what you have used to register as normal user and forward the request.

uid=anything1&password=anything1&confirm=anything1&roleid=1

After forwarding the request your account will be registered as admin account. In my case the admin account credential is anything1:anything1. After login as admin got Academy Launch Planner admin page which contains a subdomain and nothing interesting found on this page. Added this subdomain to my hosts file located at directory /etc/.

As soon as I got information about Laravel, I immediately googled for Laravel exploits and luckily found a Metasploit module for PHP Laravel Framework token Unserialize Remote Command Execution. For more information about this vulnerability check this exploit-db link. The Metasploit module is unix/http/laravel_token_unserialize_exec. This module has additional option of APP_KEY which is present below APP_ENV at. When I tried to exploit using this module I could get user shell very easily.

msf6 > use unix/http/laravel_token_unserialize_exec

To get user shell I followed the given steps.
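
The roleid change in the registration step works because the server accepts a role value sent by the client. As an added example (not the Academy application's code and not part of the original writeup), this PHP code contrasts a registration handler that trusts roleid with one that sets the role server-side; only the field names uid, password, confirm and roleid come from the writeup, while the function names and ROLE_USER are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical handlers. Only the field names uid, password, confirm and roleid
// come from the writeup; function names and ROLE_USER are assumptions.
const ROLE_USER = 0;

// Read one request field as a string; arrays and missing fields become ''.
function field(array $post, string $name): string
{
    $value = $post[$name] ?? '';
    return is_string($value) ? $value : '';
}

// Vulnerable pattern: the role comes from the request body, so whoever
// edits the request chooses the role.
function registerVulnerable(array $post): array
{
    return [
        'uid'    => field($post, 'uid'),
        'hash'   => password_hash(field($post, 'password'), PASSWORD_DEFAULT),
        'roleid' => (int) field($post, 'roleid'),
    ];
}

// Hardened pattern: the role is a server-side constant. A client-supplied
// roleid is never used; a non-default value is logged as a tampering signal.
function registerHardened(array $post): array
{
    $uid = field($post, 'uid');
    $password = field($post, 'password');
    if ($uid === '' || $password === '' || !hash_equals($password, field($post, 'confirm'))) {
        throw new InvalidArgumentException('invalid registration data');
    }
    if (!in_array(field($post, 'roleid'), ['', '0'], true)) {
        error_log('register: client-supplied roleid ignored');
    }
    return [
        'uid'    => $uid,
        'hash'   => password_hash($password, PASSWORD_DEFAULT),
        'roleid' => ROLE_USER, // elevated roles are granted only by an authenticated admin action
    ];
}

// Constructed sample: the request body shown in the writeup.
parse_str('uid=anything1&password=anything1&confirm=anything1&roleid=1', $body);
echo 'vulnerable roleid: ', registerVulnerable($body)['roleid'], PHP_EOL;
echo 'hardened roleid:   ', registerHardened($body)['roleid'], PHP_EOL;
```

The logged line gives detection a signal for role tampering attempts even though the request itself still succeeds as a normal user registration.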
