Attacking Common Services - Easy

( You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer. )

ANYONE KNOW ABOUT THAT TOPIC? I uploaded webshell on site but only working two commands dir and whoami . Have anyone any references ?

1 Like

have you tried the command more?

thanks for response . I have already find answer :slight_smile:

I managed to get the flag with a webshell that I uploaded via sql… It was limited and messy but it did the job.

1 Like

I figured MySQL was the other path.

Sent you a PM… I can most likely do the webshell, but looking for another method that is more in line with the modules in this course… a service. Thanks for any help. Stuck on this one.

1 Like

Got it, thanks @19delta4u !

1 Like

Hello! I`m stuck trying to find the password… I bruteforce but no luck… rockyou list will never complete in the time I have the pawnbox…

Can someone give me some advice, I have entered mysql with the credentials f*** and the pass 9***, but within it I understand that I must upload a file, or how can I do it, I need some advice I am stuck.

I’ve seen some people talking about methods out of scope for this module, I would suggest having a look around this module.

Try not to move to SQL injection (from the web), enumerate the system, look at what you can get to within the scope of this lab

There are also some useful links;

https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/

1 Like

Any suggestions or hint without the sql injection method? I’m in mysql server with the creds I found and digging around the databases. thanks

edit: I’m trying now to work with command injection from browser but somehow I don’t know how further can I process

Stuck on the cmd=____
Except for dir and whoami nothing means nothing is working ?

Any help regarding this?

Everything could be done easier. Using only tools from the learning path without shell uploads.

  1. Enumerate user
  2. Crack the password with well known dictionary
  3. Connect to DB
    4.Use command “select LOAD_FILE(‘pathtofile’)”
1 Like

I have access to the db and am executing a search for a file containing the term flag via my reverse shell like this

The command shows me an empty page when calling it via browser. When running the simple dir command within the directoy I see some folders but nothing cotaining the flag.txt.

Please help me. What am I missing?

I used to solve it by uploading a shell like demonstrated in Attacking SQL Databases and executing my shell commands via curl by just passing the parameters like this:

1 Like

Hello SjPn,

May I know what service you did brute-force to, please?
Regards,

I do not know the path to the file any hint?

i ran “where /r c: flag.txt” through php I uploaded.

2 Likes

Hello SjPn,

Thank you very much for the help.

Remember that it is not necessary to load a webshell, as it is very complicated by certain restrictions. I recommend using the MySQL query —> select LOAD_FILE(“PATH”);
You can guess the route, I hope it helps you.
PATH= admin desktop