Hack The Box Walkthrough: Academy

Trixia Horner
6 min read · Mar 18, 2024

Summary

This is a technical walkthrough of the Academy machine from Hack The Box (HTB). It is a great box for practicing scanning and enumeration, reverse shells, and privilege escalation, all in a capture the flag (CTF) format.

Difficulty level: Easy

Environment

Attacker machine: IP 192.168.230.129, OS Kali Linux 2023

Target machine: IP 192.168.230.132, OS Linux

Tools

Nmap, Hash-identifier, Hashcat, FFUF, LinPEAS, Pspy

Nmap scan

Port 22: SSH. On a penetration assessment this would be a candidate for brute forcing and weak-credential testing, but because this is a CTF environment, I simply note that the port is open and move on.

Port 21: FTP looks interesting. Anonymous login is allowed, and there is a note.txt that could contain useful information. I will probably start here.

Port 80: Apache 2 on Debian suggests the site is probably running PHP. There is also a default "It works" page that I will want to check out.

FTP

Nmap shows anonymous login and a note.txt file. Once logged in, the ls command confirms this. In FTP I use the get command to transfer note.txt to my attack machine.

The note says the StudentRegno is used for the login. This is very sensitive information: as the email in the note shows, the database entries can be matched to their values. So thanks to jdelta, I have a username of 10201321 and a password of cd73502828457d15655bbd7a63fb0bc8 (which looks like a hash value).

Hash-Identifier and hashcat

Hash-identifier identifies this as an MD5 hash. I put the hash into a file called hash.txt and use it with hashcat.

And just like that, I have login information: 10201321/student.
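The reason hashcat recovers the password so quickly is that the application stored an unsalted MD5 digest. The following added example (my own code, not from the walkthrough or the box) audits a password table the same way, by hashing a small wordlist once and matching, and shows the hardened form with salted scrypt. The second table row and the wordlist are constructed; only the 10201321 entry comes from note.txt.

```python
import hashlib
import hmac
import os

# Constructed sample: the note.txt credential pair from the walkthrough, plus a
# second made-up row (not a real hash) to show the audit working over several rows.
STORED_HASHES = {
    "10201321": "cd73502828457d15655bbd7a63fb0bc8",
    "10201322": "0123456789abcdef0123456789abcdef",
}
SMALL_WORDLIST = ["password", "academy", "student", "welcome1"]


def find_weak_md5(stored: dict, wordlist: list) -> dict:
    """Return {user: plaintext} for every unsalted-MD5 entry that appears in the wordlist.

    Unsalted MD5 is deterministic, so one hash per candidate word is enough to
    check every user at once. A single hit shows the storage scheme must change.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened form: scrypt with a random per-user salt (standard library only)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(find_weak_md5(STORED_HASHES, SMALL_WORDLIST))
    record = hash_password("student")
    print(record, verify_password("student", record), verify_password("Student", record))
```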

HTTP and FFUF

Nmap tells me there is a default webpage.

I usually use a tool like Gobuster for directory and file enumeration, but I’ve been working at adding new tools to my arsenal, so for this machine, I use FFUF (Fuzz Faster U Fool).

I could check http://192.168.230.132/phpmyadmin, but I start with http://192.168.230.132/academy… simply because the name of the machine is Academy. Seems like a good place to start.

This is the http://192.168.230.132/academy page, and I enter the reg no and password that were found in note.txt.

I click through the tabs and find a profile tab that allows a student to upload a profile photo. It would be interesting to see whether it accepts not only an image of the student's choosing (.jpeg or .png) but also something like a text file or script. Are there any checks on this upload form? If not, the file upload could be abused, and a reverse shell would give me a connection back. It is also worth noting that PHP is in use.
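The upload form in the walkthrough accepts any file, which is what makes the next step possible. As an added example (my own code, not the academy application's PHP, which is not shown on the page), here is the kind of server-side check that would have stopped a script from being stored as a "photo": one extension only, an allowlist, a magic-byte check on the content, and a server-generated filename. The sample inputs in the test are constructed.

```python
import os
import secrets

# Allowed extension -> magic bytes the file content must begin with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def validate_upload(filename: str, data: bytes) -> str:
    """Return a safe server-side filename, or raise ValueError if the upload is rejected.

    Checks, in order: the extension is on the allowlist, the name carries exactly
    one extension (so name.php.png is refused), and the leading bytes match the
    declared image type, so a script cannot pass by being renamed.
    """
    base = os.path.basename(filename)          # strip any directory components
    name, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    if "." in name or not name:
        raise ValueError("filename must carry exactly one extension")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match the declared image type")
    # Never keep the user-supplied name: generate one the client cannot influence.
    return secrets.token_hex(16) + ext


def save_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Validate, then write outside the web root so nothing uploaded is ever executed."""
    safe_name = validate_upload(filename, data)
    path = os.path.join(upload_dir, safe_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

Serving the stored images back through a handler that sets an image Content-Type, rather than from a directory Apache will execute, closes the remaining gap.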

I use a PHP reverse shell from pentestmonkey that I configure with my attack IP and port 1234. Once the reverse shell PHP file is saved, I set up a listener on that same port. With the attack machine listening and waiting, it is time to trigger the connection.

I simply visit the academy site and upload the shell file.

A connection is established, but because I am not root, I will need to escalate privileges.

Privilege escalation and LinPEAS

The target runs Linux, so I can use the LinPEAS script to search for privilege escalation opportunities. I download the script from carlospolop's repository (the HackTricks author) onto my attack machine and host a web server so that the target can fetch and run it.

With LinPEAS running, it looks for privilege escalation paths.

LinPEAS returns a lot of information to read through. Most notable is an admin account for grimmie and an admin password. There is also a backup.sh file that could be useful. I will try to log on as grimmie using this password.

SSH

After successfully logging on as grimmie, I notice that I still do not have sudo access. I take a look at backup.sh. It appears to back up the academy site. My guess is that something runs this script periodically. I did not see any cron tasks for it in the LinPEAS output, nor any jobs with the crontab -l command.

pspy

Pspy is a command-line tool that captures processes and activity in real time without root permission. I use it to see whether I can catch the backup running.

After downloading pspy onto my attack machine, I have the target fetch it from the web server I used earlier.

Pspy finds the backup running, and it appears to run about every minute. Now that I know the process runs regularly, I return to the grimmie account to see if I can use it to run a reverse shell.

Reverse Shell

The listener on the attack machine is set to port 8080. The next step is to edit backup.sh, replacing its contents with a bash reverse shell one-liner.

After saving the change, the job runs about every minute as root and calls back to my attack machine.

The flag has been captured. Happy Hacking!
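The root cause of the final step is a script that root runs on a schedule but that a non-root user owns and can edit. The following added example (my own code, not from the walkthrough) is the defender-side check: parse a system-format crontab, and for each root entry report whether the script's owner or permissions would let someone else change what root executes. The crontab text and the backup.sh path are constructed placeholders, not values from the box.

```python
import os
import stat

# Constructed sample in /etc/crontab format (five time fields, a user, a command).
# The backup.sh path is a placeholder, not the real path on the box.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /home/grimmie/backup.sh
"""


def parse_system_crontab(text: str) -> list:
    """Return (user, first_command_token) for each active entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue                      # not a well-formed system crontab line
        user, command = fields[5], fields[6]
        entries.append((user, command.split()[0]))
    return entries


def hijack_reasons(st_mode: int, st_uid: int, runs_as_uid: int = 0) -> list:
    """Pure check on stat() results: why a script run as runs_as_uid is editable by others."""
    reasons = []
    if st_uid != runs_as_uid:
        reasons.append(f"owned by uid {st_uid}, not the uid it runs as ({runs_as_uid})")
    if st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_crontab(text: str) -> dict:
    """Map script path -> reasons, for every root entry whose script exists on disk."""
    findings = {}
    for user, path in parse_system_crontab(text):
        if user != "root" or not os.path.isfile(path):
            continue
        st = os.stat(path)
        reasons = hijack_reasons(st.st_mode, st.st_uid, 0)
        if reasons:
            findings[path] = reasons
    return findings
```

The same `hijack_reasons` check applies to anything else root executes unattended, such as files under /etc/cron.d or scripts referenced by systemd timers.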
