The foothold PC is an old version; to see the browser, open the terminal and run the command “firefox”, then you can see the browser.
[Academy hack the box][Shells & Payloads][The Live Engagement][Lightweight facebook-styled blog 1.3]
You can start firefox from the browser by typing firefox then the address like status.inlanefreight.local and your path to the file. Make sure you add & at the end so you can still use your terminal.
Hey wanted to help anyone that is struggling with this module. If you want to check out the website manually to get a feel for what you are working with or to try manual exploitation (Best of luck) then load up burpsuite. Msfconsole will work well for you in this section using the 50064 exploit module. The tricky part that most everyone is struggling with is the weird error when you don’t set the options correctly.
Here is what you should do/think about. What is a VHOST? It may not show it as required, but it definitely is, as you are working with a subdomain of the main inlanefreight.local domain. How would the exploit know where to go specifically, as someone can name their blog something quite different? SOOOO what would you need to specify for the module to travel to in order to execute the module? XXXX.inlanefreight.local
EDIT: never mind, just figured out what was missing <3
Hello all,
Can you help me with the final payload for host-2?
Using Metasploit module 50064, I am entering the following options:
    Module options (exploit/50064):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       PASSWORD   admin123!@#      yes       Blog password
       Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS     172.16.1.12      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT      80               yes       The target port (TCP)
       SSL        false            no        Negotiate SSL/TLS for outgoing connections
       TARGETURI  /                yes       The URI of the arkei gate
       USERNAME   admin            yes       Blog username
       VHOST      blog             no        HTTP server virtual host

    Payload options (php/meterpreter/bind_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LPORT  4444             yes       The listen port
       RHOST  172.16.1.12      no        The target address

    Exploit target:

       Id  Name
       --  ----
       0   PHP payload
but still getting the following error:
[-] Exploit failed: NoMethodError undefined method `split' for nil:NilClass
[*] Exploit completed, but no session was created.
looking forward to your message
Thank you in advance,
R
You’re using the wrong IP. I was having issues and then used your payload but used the 172.XX.XX ip address instead based on other hints.
I solved the first host, but how did you find the credentials without using the hint? I used Metasploit to try to find them and got nothing. I didn’t try using another password list, so if you all did, that would make sense.
What’s the clue here I’m missing? I’m so lost.
I used the IP that ended in .5 but still got that error message above. Is there another IP I should be using?
Could you give me a hint?
Hey @trav,
If I can recall, the tricky part with the exploit is to configure the correct VHOST.
DM me to have a look together on it, if you still have troubles getting this correct.
Regards,
Rdts
I’ve used msfconsole and I’m using the exploit(windows/smb/ms17_010_psexec) just like in the “Infiltrating windows” module and it keeps giving me “Exploit completed, but no session was created”. The payload is (windows/meterpreter/reverse_tcp)
Edit: for anyone who gets the same issue, use a bind shell
I used the jsp webshell provided within the foothold machine (/usr/share/webshells/jsp/jsp-reverse.jsp)
converted it into a war file by putting it in its own folder and doing “jar cvf demo.war *”.
when I uploaded it to Host 1 and tried navigating to \files\demo.war there was a 404 error
Hello,
Just out of curiosity. I managed to extract the info for HOST-01; the problem is that I read in the chat about many people using the jsp-reverse.jsp, but when I tried it, Tomcat showed the following error:
org.apache.jasper.JasperException: /jsp-reverse.jsp (line: [7], column: [1]) Unterminated [<%@ page] tag
I tried both the one already present in the parrot box and one downloaded from the internet (https://raw.githubusercontent.com/tennc/webshell/master/jsp/jsp-reverse.jsp). But same error…
In the end I had to use the cmdjsp.jsp to answer the questions for that machine. Any clue about what could be happening?
Thanks for the “bind” help. Now, can anyone explain why payload reverse tcp doesn’t work, but the bind tcp does?
This was a very interesting module and I thoroughly enjoyed it. Crafting payloads to get a reverse shell is just bada$$.
However…For the other 2 questions on Host 2 (blog.inlanefreight.local), while I didn’t utilize the hints, I was eventually able to solve them because the second question stated the particular exploit. So I knew to go ahead and use it.
My question is how would I have known to use that exploit?
I tried to browse to both the IP address and the FQDN but no luck.
The IP address just said “This is the inlanefreight.local default vhost”.
Browsing to the FQDN was not possible.
Nmap TCP scan only listed HTTP and SSH
UDP scan didn’t show anything.
I was able to solve it only because the question sort of gave it away. I really would love to know what to look for, in real life scenarios.
How did you fix this error??
If I can recall, the VHOST parameter was incorrect.
Hey @cybersapper,
Out of this lab, this was the one thing that drove me crazy. I ended up finding the tomcat and other credentials in a specific file on the foothold machine (/htb-student/Desktop)
Hopefully this clears that up for anyone out there. Happy Hunting!
I got everything except the path of the flag. I have already tried using find, but nothing comes up in the results.
I think the point for host2 was to teach you how to load an exploit manually or how to search for them outside of the msf console. But curious, so you were able to solve it without being able to browse host2? I can’t finish host2 and host3 because I’m always getting timed out or connection reset by peer.