Attacking Common Services - Easy

Hello guys, I found the user f**** but I can’t manage to find its password… I tried the rockyou wordlist and the resources pw list (mutated and non-mutated); it doesn’t find the SMTP or FTP password. Please help

1 Like

Hi!
I’m stuck on how to obtain the first credentials.
I have done the following:

  1. Enumerate FTP with anonymous, doesn’t accept.
  2. Enumerate SMTP users with mode RCPT, and find one f****.
  3. Tried to brute force this user on SMTP and FTP using hydra and a bunch of different password lists, including the pws.list from the module resources and rockyou.txt, for the whole time the target server was alive.
  4. MySQL also doesn’t accept an undefined user or the anonymous concept for login.
  5. I’ve not explored port 80 for the HTML content, because it is out of the scope of this module, even more so for an easy lab.

I’ve been days on this, can someone help me? Thank you.

2 Likes

DM me personally

Who has done it with a revshell? Can you give some hints? I have done it with a webshell

Assuming you wrote a webshell on target the same way I did… mysql You could also just read the flag file directly (as the path is super guessable) instead of writing a webshell.

1 Like

I used my webshell to launch a revshell. Used the same revshell website/method that HTB Academy has demo’d at least twice if you’ve done the right modules

This is a great article! Thanks for posting it!

I have a web shell and the flag… and am trying to get his method for a meterpreter session to work. I am using an .exe msfvenom payload and x64 arch. I think that is right. Everything seems to be working okay. But I am not triggering the meterpreter session. Not sure what is wrong! Cool technique, at least on paper so far

or read it over mysql using LOAD_FILE

Can someone give me some advice? I have entered mysql with the credentials f*** and the pass 9***, but within it I understand that I must upload a file, or how can I do it? I need some advice, I am stuck, I don’t know

Check if the user has the ability to upload files within mysql… check with the command: show variables like "secure_file_priv";

It should be blank.

Now that we know this, think: let’s upload a rev shell, because we know the web app is running PHP. Look back in the MySQL module; it will show you how to upload a file. The only thing you need to find out is where to upload this file.
Hint: check the phpinfo page, as it will show you the path: (/xampp/…?

Once you establish this basic shell, think: how do I make this shell better/upgrade it?

PM if you still need help.
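From the defender's side, the setting checked in the post above is the one to audit. The following is an added example (not part of the thread or the lab) that parses a MySQL option file and classifies secure_file_priv, following the MySQL documentation's meaning for empty, NULL and directory values. The sample file contents and the C:/srv/www web root are constructed placeholders.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample option file (not taken from the lab or the thread).
SAMPLE_MY_INI = """
[client]
port=3306

[mysqld]
port=3306
skip-name-resolve
secure_file_priv=""
"""

def read_secure_file_priv(ini_text):
    """Return the [mysqld] secure_file_priv value, or None when the file does not set it."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   strict=False, delimiters=("=",))
    cp.read_string(ini_text)
    if not cp.has_section("mysqld"):
        return None
    for key, value in cp.items("mysqld"):
        # Option files accept secure-file-priv and secure_file_priv alike.
        if key.replace("-", "_") == "secure_file_priv":
            return (value or "").strip().strip("\"'")
    return None

def inside(child, parent):
    """True when child is parent or lies below it (Windows path rules, case-insensitive)."""
    c = PureWindowsPath(child.lower())
    p = PureWindowsPath(parent.lower())
    return c == p or p in c.parents

def audit(ini_text, web_root):
    """Classify the file import/export restriction relative to the web document root."""
    value = read_secure_file_priv(ini_text)
    if value is None:
        return "unset: build default applies, confirm with SHOW VARIABLES"
    if value == "":
        return "unrestricted: FILE-privileged accounts can read and write any path the server can"
    if value.upper() == "NULL":
        return "disabled: import and export are off"
    if inside(value, web_root):
        return "restricted, but the export directory is inside the web root"
    return "restricted: export directory is outside the web root"

if __name__ == "__main__":
    # C:/srv/www is a placeholder document root for the example.
    print(audit(SAMPLE_MY_INI, "C:/srv/www"))
```

A blank value combined with an account holding the FILE privilege and a web root writable by the database service account is the condition to flag; setting a dedicated directory outside the web root, or NULL, removes it.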

How is it possible to read other directories with

curl http://10.129.203.7/shell.php?cmd=dir c:\

doesn’t work.

curl http://10.129.203.7/shell.php?cmd=dir

does

It has been ages since I finished this one.
Try to gain a reverse shell after you get this basic shell.