Hack the Box — Academy

Reconnaissance

Run an nmap scan that scans all ports.

sudo nmap -sC -sV -O -p- -oA nmap/nmap 10.10.10.215

We get the following result.

....
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
....
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
....

We have three ports open.

• Port 22: running OpenSSH 8.2p1
• Port 80: running Apache httpd 2.4.41
• Port 33060: running MySQL X

Before we move on to enumeration, let’s make some mental notes about the scan results.

• The OpenSSH version that is running on port 22 is not associated with any critical vulnerabilities, so it’s unlikely that we gain initial access through this port, unless we find credentials.
• Port 80 is running a web server, so we’ll perform our standard enumeration techniques on…