I’m not really sure how to trigger the payload. Navigating directly to shell-files only downloads them from the https site. I believe I should be using ["shell"."win-based-web-extension"] but i’m not 100% sure, or maybe I should try using something like *WhiteWolf
If there’s an “access-uploads” directory on one of the landing pages then I haven’t found it. Any suggestions?
Shells aren’t under ‘‘root’’ of the http page, either and dir-forcing I haven’t found anything. I can see that ftp uploads are connected by the page but that’s it. I don’t think they’re connected to XAMPP
Can anybody help me here? I found user and password and the CVE, but how do I upload my webshell to the server in order to access it? I’m confused by the syntax of the exploit.
Read the documentation which you can access in dashboard, there is valuable info where you can possibly upload/writte something what need’s to be windows oriented and maybe revisit the sql section in the course.
You need to think about the concept where for example dashboard and other web sites are located on the C:\ drive, the info where are located is in in the documentation which you can access from the dashboard on the web. There you should find the location where to upload the shell.
Maybe it is the page where you landing the most and you just need to find where is it stored in WIndows and that will be your location for uploading the shell, and then call it from the web.
I`ve been trying to look for that info… in the sql databases, the page source… I can’t access the ftp server… I’ve been searching on google where is that page supposed to be stored but I can’t find anything…
There are at least two ways how to obtain the flag, i did it with web shell not a reverse shell. But in general.
Find the user and user’s password, smtp_enum and hydra are your friends.
Login with that user to DB.
In the module there is a section about writing rights in DB.
Find the location where to upload your shell, because we all know we are talking about app called. xampp it will be something like C:\xampp*****\yourshell.php.
Craft the shell with the need for the operating system you are facing.
Upload the shell, call it from web and use commands to obtain the flag.
Sorry man but… how do I “find the location where to upload my shell” I`m looking into the module section and they give you a command that I run but obviously gives me an error… I read the link of the “MariaDB Select into file” but I don’t understand how to use it… I tried some of the commands in the link but no luck… I also try to log in through FTP but it always asks me for root’s password…
Regarding the writing, google select outfile webshell and you need it for windows, in the module you got example for linux. Regarding the location, check the phpinfo on the dashboard site.
I got to the point where I was able to get the brute force and get the user, the password, get into FTP, figure out where to upload, do the select into outfile method for windows, but couldn’t figure it out from there. For anyone who was lost and needs to upgrade to a meterpreter session to make their life easy this was really helpful: Web Shell – OutRunSec
