[email protected]:~$ nmap -p- -A -sC -sV
Starting Nmap 7.91 ( ) at 2020-11-18 19:13 MST
Nmap scan report for
Host is up (0.068s latency).
Not shown: 65532 closed ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000



Created a login, used Burp to change the role ID.

Found /admin.php, logged on with the user above.

Took the APP_KEY token from the stack trace for the Laravel exploit.

Reverse shell: user: www-data

www-data user is locked to a single directory, but it can read other directories

Home users with data:

21y4d b - standard hidden bash

ch4p - standard hidden bash

cry0l1t3 - linpeas. user.txt, has interesting lines:


#Misconfigured /etc/


Not sure what these 2 lines look like ^


^use password to ssh into cry0l1t3 and get user flag

I used linpeas -l 2 and directed output to a file

[+] Checking for TTY (sudo/su) passwords in logs
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "[email protected]!",<nl>
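
As an added example, not from the original notes: a defender-side check that parses TTY audit report lines in the layout shown above and flags records where typed input went to a program that prompts for a secret, without echoing the secret itself. The SECRET_READERS list and the sample lines are assumptions constructed for illustration.

```python
import re

# Column layout follows the two report lines quoted above:
# index. date time event auid term sess comm data
TTY_LINE = re.compile(
    r'^\s*(?P<idx>\d+)\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<event>\d+)\s+'
    r'(?P<auid>\S+)\s+(?P<term>\S+)\s+(?P<sess>\S+)\s+(?P<comm>\S+)\s+(?P<data>.*)$'
)
# Programs that read a secret from the terminal (assumed list, extend as needed).
SECRET_READERS = {"su", "sudo", "passwd", "ssh", "mysql"}

def parse_tty_report(text):
    """Parse report lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(TTY_LINE.match, text.splitlines()) if m]

def find_recorded_secrets(records):
    """Return findings for records whose input was read by a secret-reading program.

    The typed data itself is deliberately left out of the finding.
    """
    findings = []
    for i, rec in enumerate(records):
        if rec["comm"] not in SECRET_READERS:
            continue
        # Previous record in the same session shows the command that led to the prompt.
        prev = next((r for r in reversed(records[:i]) if r["sess"] == rec["sess"]), None)
        findings.append({"event": rec["event"], "when": f'{rec["date"]} {rec["time"]}',
                         "program": rec["comm"], "trigger": prev["data"] if prev else None})
    return findings

def redact(text):
    """Mask typed secrets so the report can be shared or attached to a ticket."""
    out = []
    for line in text.splitlines():
        m = TTY_LINE.match(line)
        if m and m.group("comm") in SECRET_READERS:
            line = line[:m.start("data")] + '"[REDACTED]"'
        out.append(line)
    return "\n".join(out)

# Constructed sample input (not from the page): same layout, placeholder values.
SAMPLE = '''\
1. 01/02/2021 10:00:01 40 0 ? 1 sh "ls -la",<nl>
2. 01/02/2021 10:00:05 41 0 ? 1 sh "su alice",<nl>
3. 01/02/2021 10:00:09 42 0 ? 1 su "EXAMPLE-PLACEHOLDER",<nl>
'''

if __name__ == "__main__":
    print(find_recorded_secrets(parse_tty_report(SAMPLE)))
    print(redact(SAMPLE))
```

Entries like these appear when TTY auditing records password input, for example pam_tty_audit with its log_passwd option enabled; any finding means the affected password should be rotated and the audit configuration reviewed.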

Once you're in as mrb3n, run linpeas; you will find one program this user can run with sudo.

Composer has a scripts section that runs commands as whoever runs composer (run with sudo = run as root).

Write a script to cat root.txt, or change root's password, or open a reverse shell.