Official Academy Discussion

One of the faster ones. Enjoyed it. After quite a bit of enumeration and understanding what’s involved, I quick script popped open a foothold shell. Pretty sure I was NOT supposed to see the “magical word” to get from one user to another user by looking at “what’s going on”. From that user to root was reasonably easy, I had expected much worse for a moment :wink: Thanks for the machine!

I am struggling with the foothold. I am getting redirected to http://acadmey.htb/. I have run go****er with multiple dictionaries. They are getting 302 error codes. I just want to make sure this is working correctly. Thanks

Type your comment> @reno42 said:

Must be completely blind, i don’t see where i could change something to get more rights…

Have you checked out the useful tool named after a bodily function?

Could anyone PM me some hints for lateral movement?

@mhmchung i will …

Someone give me a nudge please.
I changed a param by burp, and it took me into a special page, throught that page I saw souce code error messsages and some important information, but I don’t know what should I do next. Thx.

Thx, fun box.
I think there are more than enough hints here already, so I don’t really think it is any good giving more:)

Finally Rooted!

Feel free to PM me for nudges, as I found them especially helpful for this box.

Some hints you have probably seen before:

Foothold: If you haven’t found anything, look harder. There will be a value you can change to become privileged. (:
User1: As stated before, make sure you have the ability to recursively search through files upon files until you find what you’re looking for. Academy has all of the secrets you need.
User2: You are part of something, let it help lead you to a location that will hold everything you need. Google will be essential to find out how to use these files. You may not get it straight away.
Root: So easy, you don’t even need a hint for this one.

Try Harder!

First of all: thanks. this was one of the funniest box i’ve done in the last months…
Secondarily: this is one of those boxes that seems to have been built around the idea of making the attacker feel “uncomfortable”…
…but maybe better say “dumb”!
Take it this way: It’s definitely an easy machine, ok?!?
No major skills are needed, foothold is so ■■■■ evident that it’s impossible to say something without spoiling it.
User is right there, in plain sight.
Then you go down a clear path to root and you’ll eventually can get fooled for hours, like me, because you would never ever think that such a plain and easy path could be the right way…
If you’re dumb like me you’ll end up chaining and piping commands after commands, exploring every option of your favourite parsing/finder/regexp matcher…
Then you’ll eventually ask for help (thanks @mittermayr and @grag1337 ), but they’ll be rightly reluctant to tell you what’s obvious…
…then you’ll find out what’s obvious…and you’ll feel dumb. like me now.

That was such a nice box!
It feels great to finally have a decent easy box.
Congrats for the devs!

Type your comment> @jkana101 said:

Rooted. An OSCP-like box. Recommend for who gonna have OSCP exam

well this explains why I failed then :pensive:

jokes aside, IDK. stumped on user > 2nd user but i know what i need to look at. that part and the initial foothold exploit does seem OSCP-like but i doubt OSCP would require this much searching (or, likely, i’m doing it in an inefficient way.)

I would be really happy if someone could PM me with a little nudge. I’m going crazy here. :smiley:

I have found the magic page and used some of the info there which works, but after that I’m in trouble.

Can someone PM me im on the dev page and found the tool to use on it but not sure how to get past this point. I don’t want to spoil too much and i’m not sure what’s considered a spoiler bc foothold was straightforward.

Pheeewww, finally rooted. The 2nd user was a bit tricky…

can someone pm me a nudge after the la****l exploit i’m stuck here for 2 hours

Would someone be able to nudge me? I know where i need to change a value to escalate my privilege on the website but I have no idea how to go about finding the correct value to use, nor how to properly enumerate. I tried burp intruder but only received a bunch of errors.

I’m also curious as to whether the site should look broken? None of the links I click work correctly, not even logout. I have no idea if it’s intentional or not.

Nice box! Don’t forget to update your enum scripts.

I am having issues with http://academy.htb/ . It keeps saying server IP can not be found. Is anyone else facing this issue?

Type your comment> @zedgell said:

I am having issues with http://academy.htb/ . It keeps saying server IP can not be found. Is anyone else facing this issue?

Try putting ‘academy.htb’ and the ip in your hosts file

@panicfox said:
Would someone be able to nudge me? I know where i need to change a value to escalate my privilege on the website but I have no idea how to go about finding the correct value to use, nor how to properly enumerate. I tried burp intruder but only received a bunch of errors.

I’m also curious as to whether the site should look broken? None of the links I click work correctly, not even logout. I have no idea if it’s intentional or not.

You don’t need the links, just pay attention to the registration and auth mechanisms. Open the hood and go through the whole process, when you find it it should be obvious what number to use.