Attacking Common Services - Easy

yonde · February 12, 2023, 1:07pm

Hello guys i found the user f**** but i don’t manage to find its password… I tried rockyou wordlist, the resources pw list (mutated an non-mutated) it doesn’t find smtp nor ftp password please help

t4rd · February 20, 2023, 8:04am

Hi!
I’m stuck on how to obtain the first credentials.
I have done the following:

Enumerate FTP with anonymous, doesn’t accept.
Enumerate SMTP users with mode RCPT, and find one f****.
Tried to brute force this user on SMTP and FTP using hydra and a bunch of different password lists, including the pws.list from module resources, including rockyou.txt over all time of target server is alive.
The MySQL doesn’t also accept undefined user or anonymous concept for login.
I’ve not explore the port 80 for the HTML content, because it gets out of the scope of this module, even more for an easy lab.

I’ve been days on this, can someone help me? Thank you.

Neverakswhy · February 20, 2023, 4:58pm

Dm Me personally

ssh25621 · February 21, 2023, 2:31pm

who has done it with revshell? can you give some hints? I have done it with webshell

soop · February 23, 2023, 1:03am

Assuming you wrote a webshell on target the same way I did… mysql You could also just read the flag file directly (as the path is super guessable) instead of writing a webshell.

soop · February 23, 2023, 1:05am

I used my webshell to launch a revshell. Used the same revshell website/method that htb academy has demo’d at least twice if you’ve done the right modules

splinter · March 13, 2023, 11:57pm

This is a great article! thanks for posting t!

I have a web shell and the flag…and am trying to get his method for a meterpreter session to work. I am using an .exe msfvenom payload and x64 arch. I think that is right. Everything seems to be working okay. But I am not triggering the meterpreter session. Not sure what is wrong ! Cool technique at least on paper so far

emdeh · March 17, 2023, 9:28am

or read it over mysql using LOAD_FILE

cryproot · March 18, 2023, 4:27am

Can someone give me some advice, I have entered mysql with the credentials f*** and the pass 9***, but within it I understand that I must upload a file, or how can I do it, I need some advice I am stuck, i dont know

frogman267 · March 18, 2023, 10:02pm

Check if user has the ability to upload files within mysql…check with command: show variables like “secure_file_priv”;

it should be blank.

now that we know this, think let upload a rev shell, because we know the we app is running PHP. Look back in the mysql module it will show you how to upload a file. Only thing you need to find out is where to upload this file.
Hint: check the phpinfo page, as it will show you the path: (/xampp/…?

Once you establish this basic shell, think how do I make this shell better/upgrade it

PM if you still need help.

jar3d · March 19, 2023, 6:09pm

how is it possible to read other directory’s with

curl http://10.129.203.7/shell.php?cmd=dir c:\

doesnt work.

curl http://10.129.203.7/shell.php?cmd=dir

does

mohadib · March 24, 2023, 6:31pm

It has been ages since i finished this one.
Try to gain areverse shell after you got this basic shell.