Attacking Common Services - Easy

I’m not really sure how to trigger the payload. Navigating directly to shell-files only downloads them from the https site. I believe I should be using ["shell"."win-based-web-extension"] but i’m not 100% sure, or maybe I should try using something like *WhiteWolf

If there’s an “access-uploads” directory on one of the landing pages then I haven’t found it. Any suggestions?

Shells aren’t under ‘‘root’’ of the http page, either and dir-forcing I haven’t found anything. I can see that ftp uploads are connected by the page but that’s it. I don’t think they’re connected to XAMPP

I have not found anything, have you figured this out?

The user and passwd was easy just this executing the payload yikes.

Can anybody help me here? I found user and password and the CVE, but how do I upload my webshell to the server in order to access it? I’m confused by the syntax of the exploit.

Read the documentation which you can access in dashboard, there is valuable info where you can possibly upload/writte something what need’s to be windows oriented and maybe revisit the sql section in the course.

How are you supposed to know for the S*** enum that the domain is i***********t.htb other than from previous modules? Is the domain disclosed somehow?

It was in the question </3 nvm

I have tried several things but can`t find anywhere to upload a working shell… any hints!!!

You need to think about the concept where for example dashboard and other web sites are located on the C:\ drive, the info where are located is in in the documentation which you can access from the dashboard on the web. There you should find the location where to upload the shell.

I will try to work it out! But I have tried many urls and I only have access to the same page… maybe I`m misstyping something…

Maybe it is the page where you landing the most and you just need to find where is it stored in WIndows and that will be your location for uploading the shell, and then call it from the web.

I`ve been trying to look for that info… in the sql databases, the page source… I can’t access the ftp server… I’ve been searching on google where is that page supposed to be stored but I can’t find anything…

How do you write something in the root document? How do you find it in the mysql?!

How do I access ftp server? It only allows to try root’s password…

There are at least two ways how to obtain the flag, i did it with web shell not a reverse shell. But in general.

  1. Find the user and user’s password, smtp_enum and hydra are your friends.
  2. Login with that user to DB.
  3. In the module there is a section about writing rights in DB.
  4. Find the location where to upload your shell, because we all know we are talking about app called. xampp it will be something like C:\xampp*****\yourshell.php.
  5. Craft the shell with the need for the operating system you are facing.
  6. Upload the shell, call it from web and use commands to obtain the flag.

In case you want hear more send me pm.


I`m on my way!! Thanks!!!

Sorry man but… how do I “find the location where to upload my shell” I`m looking into the module section and they give you a command that I run but obviously gives me an error… I read the link of the “MariaDB Select into file” but I don’t understand how to use it… I tried some of the commands in the link but no luck… I also try to log in through FTP but it always asks me for root’s password…

I checked and the secure_file_priv and I can write but I don`t know how…

1 Like

Regarding the writing, google select outfile webshell and you need it for windows, in the module you got example for linux. Regarding the location, check the phpinfo on the dashboard site.

1 Like

Finally :slight_smile:

  1. first we need a user . both web ports are open enumerate for user ( keep an eye on ssl cert )
  2. now we need to brute user pass . we already know smtp brute with hydra .
  3. why mysql port is open . go and get reason .
  4. use for powershell #3 base64

if your doubts got clear all the best for your next challanges if not then study carefully every module. htb is case sensitiive .

–>don’t forget to download htb resources && cheatsheet its very imp

I got to the point where I was able to get the brute force and get the user, the password, get into FTP, figure out where to upload, do the select into outfile method for windows, but couldn’t figure it out from there. For anyone who was lost and needs to upgrade to a meterpreter session to make their life easy this was really helpful: Web Shell – OutRunSec