[Academy hack the box][Shells & Payloads][The Live Engagement][Lightweight facebook-styled blog 1.3]

On the foothold PC the version is old; to see the browser, open the terminal and run the command “firefox”, then you can see the browser.

1 Like

You can start firefox from the browser by typing firefox then the address like status.inlanefreight.local and your path to the file. Make sure you add & at the end so you can still use your terminal.

Hey wanted to help anyone that is struggling with this module. If you want to check out the website manually to get a feel for what you are working with or to try manual exploitation (Best of luck) then load up burpsuite. Msfconsole will work well for you in this section using the 50064 exploit module. The tricky part that most everyone is struggling with is the weird error when you don’t set the options correctly.

Here is what you should do/think about. What is a VHOST? It may not show it as required, but it definitely is, as you are working with a subdomain of the main inlanefreight.local domain. How would the exploit know where to go specifically, as someone can name their blog something quite different? SOOOO what would you need to specify for the module to travel to in order to execute the module? XXXX.inlanefreight.local

3 Likes

EDIT: nevermind, just figured out what was missing <3

Hello all,

Can you help me with the final payload for host-2?

Using Metasploit module 50064, I am entering the following options:

Module options (exploit/50064):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin123!@#      yes       Blog password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][.
                                         ..]
   RHOSTS     172.16.1.12      yes       The target host(s), range CIDR identifier, or hosts file
                                         with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the arkei gate
   USERNAME   admin            yes       Blog username
   VHOST      blog             no        HTTP server virtual host


Payload options (php/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  172.16.1.12      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   PHP payload

But I am still getting the following error:

[-] Exploit failed: NoMethodError undefined method `split' for nil:NilClass
[*] Exploit completed, but no session was created.

Looking forward to your message.
Thank you in advance,
R

You’re using the wrong IP. I was having issues and then used your payload but used the 172.XX.XX ip address instead based on other hints.

1 Like

I solved the first host, but how did you find the credentials without using the hint? I used Metasploit to try to find them and got nothing. I didn’t try using another password list, so if you all did, that would make sense.

What’s the clue here I’m missing? I’m so lost.

I used the IP that ended in .5 but still got that error message above. Is there another IP I should be using?

Could you give me a hint?

Hey @trav,

If I can recall, the tricky part with the exploit is to configure the correct VHOST.

DM me to have a look together on it, if you still have troubles getting this correct.

Regards,
Rdts

I’ve used msfconsole and I’m using the exploit (windows/smb/ms17_010_psexec), just like in the “Infiltrating Windows” module, and it keeps giving me “Exploit completed, but no session was created”. The payload is (windows/meterpreter/reverse_tcp).

Edit: for anyone who gets the same issue, use a bind shell

I used the JSP webshell provided within the foothold machine (/usr/share/webshells/jsp/jsp-reverse.jsp) and converted it into a WAR file by putting it in its own folder and doing “jar cvf demo.war *”.
When I uploaded it to Host 1 and tried navigating to \files\demo.war, there was a 404 error.

Hello,

Just out of curiosity. I managed to extract the info for HOST-01; the problem is that I read in the chat that many people are using jsp-reverse.jsp, but when I tried it, Tomcat showed the following error:

org.apache.jasper.JasperException: /jsp-reverse.jsp (line: [7], column: [1]) Unterminated [<%@ page] tag

I tried both the one already present in the Parrot box and downloading it from the internet (https://raw.githubusercontent.com/tennc/webshell/master/jsp/jsp-reverse.jsp). But same error…

In the end I had to use cmdjsp.jsp to answer the questions for that machine. Any clue about what could be happening?

Thanks for the “bind” help. Now, can anyone explain why the reverse TCP payload doesn’t work, but the bind TCP one does?

This was a very interesting module and I thoroughly enjoyed it. Crafting payloads to get a reverse shell is just bada$$.
However… for the other 2 questions on Host 2 (blog.inlanefreight.local), while I didn’t utilize the hints, I was eventually able to solve them because the second question stated the particular exploit. So I knew to go ahead and use it.
My question is: how would I have known to use that exploit?
I tried to browse to both the IP address and the FQDN, but no luck.
The IP address just said “This is the inlanefreight.local default vhost”.
Browsing to the FQDN was not possible.
The Nmap TCP scan only listed HTTP and SSH.
The UDP scan didn’t show anything.
I was able to solve it only because the question sort of gave it away. I really would love to know what to look for, in real life scenarios.

1 Like
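The “default vhost” page and the unreachable FQDN described above are what name-based virtual hosting looks like from the outside: the web server chooses the site from the HTTP Host header, so a request to the bare IP lands on the default site, and a hostname that does not resolve on your machine never produces a request at all. The following is an added Python example, not code from the lab or from HTB; the vhost table and the response strings are constructed to mirror the layout the post describes (a default site plus one named subdomain), and `select_vhost` is a hypothetical helper, not anything the lab runs.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed vhost table: one named site plus a catch-all default.
# (Assumption: mirrors the lab's layout, not its real configuration.)
VHOSTS = {
    "blog.inlanefreight.local": "blog site",
}
DEFAULT_VHOST = "This is the inlanefreight.local default vhost"


def select_vhost(host_header):
    """Pick the site that serves a request, the way name-based virtual
    hosting does: strip any :port suffix, compare case-insensitively,
    and fall back to the default site for an IP or an unknown name."""
    if not host_header:
        return DEFAULT_VHOST
    name = host_header.split(":", 1)[0].strip().lower()
    return VHOSTS.get(name, DEFAULT_VHOST)


class VhostHandler(BaseHTTPRequestHandler):
    """Minimal server that answers with whichever site the Host header selects."""

    def do_GET(self):
        body = select_vhost(self.headers.get("Host")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Start the server on a loopback port and request the same URL three
    times with different Host headers. Returns {host: body} so the effect
    of the header is visible without any DNS or /etc/hosts entry."""
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for host in (None, "blog.inlanefreight.local", "other.inlanefreight.local"):
            req = Request(f"http://127.0.0.1:{port}/")
            if host:
                req.add_header("Host", host)  # urllib fills in 127.0.0.1:port otherwise
            with urlopen(req, timeout=5) as resp:
                results[host or "(ip only)"] = resp.read().decode()
    finally:
        server.shutdown()
    return results


if __name__ == "__main__":
    for host, body in demo().items():
        print(f"{host:30} -> {body}")
```

Run it and the bare-IP request returns the default-vhost banner while only the request carrying `Host: blog.inlanefreight.local` reaches the blog; that is the same selection Metasploit's VHOST option feeds into the Host header, which is why leaving it unset (or set to just “blog”) sends the exploit to the default site instead.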

How did you fix this error??

If I can recall, the VHOST parameter was incorrect.

Hey @cybersapper,

Out of this lab, this was the one thing that drove me crazy. I ended up finding the tomcat and other credentials in a specific file on the foothold machine (/htb-student/Desktop)

Hopefully this clears that up for anyone out there. Happy Hunting!

I got everything except the path to the flag; I’ve already tried using find, but nothing shows up in the result.

I think the point for host2 was to teach you how to load an exploit manually or how to search for them outside of the msf console. But curious: so you were able to solve it without being able to browse host2? I can’t finish host2 and host3 because I’m always getting timed out or connection reset by peer.