HTB Academy

Writeup for Academy box on

Initial enumeration

Inital port scan

sudo nmap -sC -sV -vv -oA tcp && sudo nmap -sC -sV -vv -oA allports -p-

Nmap Scan

When we browse to the IP we get redirected to academy.htb so let's add that to our hosts file.

Once there we are presented with a login / register link.

Creating an account with test/test allows us to login and see a panel of data.

Proxying our traffic through burp shows us that the application is contacting a /api/modules path, this looks intresting.

Burp Traffic proxy

The api paths are 404-ing so moving on.

Running ffuf on the main application

ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://academy.htb/FUZZ -c -e .php,.txt,.zip


Checking the original register request, we notice that we are seding in a roleid=0 Change the role to 1 and see what happens


After we create a new account and try to login to the admin.php page we get some more information: Admin page

We discover a new subdomain so we add it to our hosts file

While accesing the website on this subdomain we discover it's a Laravel framework application but showing an error page, this tells us it's also in debug mode

laravel debug page

Trying to connect to MySQL on port 33060 fails without an error.

Initial foothold

There is an metasploit exploit for laravel

Metasploit usage

Browsing to the /var/www/html/academy folder we discover this is also a laravel app and we get a set of credentials for mysql


Using the password from mysql we try and login with the users found in /home/


We get a hit

Hydra ssh bruteforce

User enumeration

Our user is in the adm group and we have permissions to read some log files, let's see what we can find.

We can read auth and audit logs.

Let's run linpeas to see if it can find something interesting for us:

And we get something interesting

LinPeas Output

Credentials: mrb3n / mrb3n_Ac@d3my!

After ssh-ing in as mrb3n and testing sudo -l we seem to be able to execute composer as sudo


Privilege escalation

Looking a we can actually execute a bash command while running composer

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

Privilege Escalation