Hack the Box — Academy

Rana Khalil
10 min read · Feb 27, 2021

Reconnaissance

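Run an nmap scan that covers all TCP ports (-p-), with default scripts (-sC), version detection (-sV), OS detection (-O), and output saved in all formats (-oA).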

sudo nmap -sC -sV -O -p- -oA nmap/nmap 10.10.10.215

We get the following result.

....
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
....
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
....

We have three ports open.

  • Port 22: running OpenSSH 8.2p1
  • Port 80: running Apache httpd 2.4.41
  • Port 33060: running MySQL X

Before we move on to enumeration, let’s make some mental notes about the scan results.

  • The OpenSSH version that is running on port 22 is not associated with any critical vulnerabilities, so it’s unlikely that we’ll gain initial access through this port unless we find credentials.
  • Port 80 is running a web server, so we’ll perform our standard enumeration techniques on it. We also see that the IP address gets redirected to the domain name academy.htb, so we’ll need to add that domain name to our hosts file.
  • Port 33060 is running MySQL X. This port is used by MySQL clients to connect to the MySQL server using the X Protocol. I personally have not used this port before to attack a box, so we’ll have to do more research on this port if attacking the other ports does not pan out.

Enumeration

We start off with enumerating HTTP. First, add the domain name to the /etc/hosts file.

10.10.10.215    academy.htb
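The hosts-file step above can be scripted. The following is an added example, not part of the original write-up: it pulls redirect hostnames out of nmap's normal output and appends them to a hosts file only if they pass a character check and are not already present. The function names and the scratch files in demo are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): turn nmap's
# "Did not follow redirect" findings into hosts-file entries.

# Print unique hostnames that http-title reported as redirect targets.
redirect_hosts() {   # $1: nmap normal-output file
    sed -nE 's#.*http-title: Did not follow redirect to https?://([^/: ]+).*#\1#p' "$1" | sort -u
}

# The name comes from the scanned server, so treat it as untrusted input.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append "IP<TAB>NAME" unless that exact pair is already present.
add_host() {         # $1: IP, $2: name, $3: hosts file (default /etc/hosts)
    hosts=${3:-/etc/hosts}
    if [ -f "$hosts" ] && awk -v ip="$1" -v n="$2" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }' "$hosts"; then
        return 0
    fi
    printf '%s\t%s\n' "$1" "$2" >> "$hosts"
}

sync_hosts() {       # $1: target IP, $2: nmap file, $3: hosts file
    redirect_hosts "$2" | while IFS= read -r name; do
        if valid_name "$name"; then add_host "$1" "$name" "$3"; fi
    done
}

# Constructed demo: sample scan lines and a scratch hosts file, nothing system-wide.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '80/tcp open http Apache httpd 2.4.41 ((Ubuntu))' \
        '|_http-title: Did not follow redirect to http://academy.htb/' > "$tmp/scan.nmap"
    printf '127.0.0.1\tlocalhost\n' > "$tmp/hosts"
    sync_hosts 10.10.10.215 "$tmp/scan.nmap" "$tmp/hosts"
    sync_hosts 10.10.10.215 "$tmp/scan.nmap" "$tmp/hosts"   # second run adds nothing
    cat "$tmp/hosts"
    rm -rf "$tmp"
}
demo
```

Against the real files this would be called as sync_hosts 10.10.10.215 nmap/nmap.nmap /etc/hosts from a root shell, since the scan above was saved with -oA nmap/nmap.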

Next, visit the application in the browser.