Hack the Box — Academy

Rana Khalil
10 min readFeb 27, 2021


Run an nmap scan that scans all ports.

sudo nmap -sC -sV -O -p- -oA nmap/nmap

We get the following result.

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000

We have three ports open.

  • Port 22: running OpenSSH 8.2p1
  • Port 80: running Apache httpd 2.4.41
  • Port 33060: running MySQL X

Before we move on to enumeration, let’s make some mental notes about the scan results.

  • The OpenSSH version that is running on port 22 is not associated with any critical vulnerabilities, so it’s unlikely that we gain initial access through this port, unless we find credentials.
  • Port 80 is running a web server, so we’ll perform our standard enumeration techniques on…