Academy — HackTheBox WalkThrough

Source — HTB

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.


Nmap Result
edit hosts file
HTTP Access
Hidden Field

TL;DR — <input type=”hidden”>

A hidden field let web developers include data that cannot be seen or modified by users when a form is submitted.
A hidden field often stores what database record that needs to be updated when the form is submitted.
Note: While the value is not displayed to the user in the page’s content, it is visible (and can be edited) using any browser’s developer tools or “View Source” functionality. Do not use hidden inputs as a form of security! Source

Change roleid
Admin Panel
Add Virtual Host
Access Virtual Host
Env Variable

TL;DR — CVE-2018–15133

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

laravel exploit

Options to Set in Metasploit

Reverse Shell
Access Denied
Manual Search
Search Result
DB Password
User Access
User Flag
Sudoers File
user creds
mrb3n user
sudo -l result
root flag

Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store