Attacking Common Services - Easy

ttornike1991 · June 22, 2022, 7:53am

( You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer. )

ANYONE KNOW ABOUT THAT TOPIC? I uploaded webshell on site but only working two commands dir and whoami . Have anyone any references ?

PayloadBunny · June 22, 2022, 3:30pm

have you tried the command more?

ttornike1991 · June 22, 2022, 7:05pm

thanks for response . I have already find answer

subrealz · November 1, 2022, 1:56pm

This one was quite a mess. You see so many opportunities that your head spinning in every directions. After some time, i decided for myself to use the CoreFTP HTTP server directory traversal vulnerability. Then I started trying to upload wwwolf-php-webshell with curl (overkill):

curl -k -X PUT -H "Host: <IP>" --basic -u <user>:<password> -F 'fileX=@/path/to/wwwolf-php-webshell/webshell.php' 'https://IP/../../../../../..\xampp\htdocs\myshell.php'

After that its a breeze. just dir "\flag.txt" on drive root with webshell UI

enjoy

truthreaper · November 25, 2022, 3:04am

Would you be able to message me with more details of how you did this? how did you get a webshell to the \xampp\htdocs?

19delta4u · November 26, 2022, 1:33am

I got the flag with some help from a friend. There are at least two ways to get the flag. One way, the way that I had help with from a friend, does not require a webshell or a php-reverse-shell.

Message me if you need help.

The post that @subrealz made is pretty much on the right track, but I could not figure it out from that post. Honestly, I probably would have never figured out the solution without some help.

John

truthreaper · November 26, 2022, 1:53am

I managed to get the flag with a webshell that I uploaded via sql… It was limited and messy but it did the job.

19delta4u · November 26, 2022, 2:07am

I figured MySQL was the other path.

flawd · January 12, 2023, 12:07am

Sent you a PM… I can most likely do the webshell, but looking for another method that is more in line with the modules in this course… a service. Thanks for any help. Stuck on this one.

flawd · January 12, 2023, 3:34am

Got it, thanks @19delta4u !

cmarrod · January 25, 2023, 10:49am

Hello! I`m stuck trying to find the password… I bruteforce but no luck… rockyou list will never complete in the time I have the pawnbox…

cmarrod · January 25, 2023, 5:53pm

I`m going through this manual but I can’t get it working… I must be typing something wrong…

t4rd · February 20, 2023, 8:10am

Hi!
I’m stuck on how to obtain the first credentials.
I have done the following:

Enumerate FTP with anonymous, doesn’t accept.
Enumerate SMTP users with mode RCPT, and find one f****.
Tried to brute force this user on SMTP and FTP using hydra and a bunch of different password lists, including the pws.list from module resources, including rockyou.txt over all time of target server is alive.
The MySQL doesn’t also accept undefined user or anonymous concept for login.
I’ve not explore the port 80 for the HTML content, because it gets out of the scope of this module, even more for an easy lab.

I’ve been days on this, can someone help me? Thank you.

PayloadBunny · February 20, 2023, 9:30am

Try FTP. Brutforce the found user with rockyou. This should be very fast.

cryproot · March 18, 2023, 4:27am

Can someone give me some advice, I have entered mysql with the credentials f*** and the pass 9***, but within it I understand that I must upload a file, or how can I do it, I need some advice I am stuck.

cyb3rj3d1 · March 25, 2023, 9:32am

Hi. I am found the credentials and was able to insert a PHP shell using MySQL: SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:\xampp\htdocs\webshell.php';
I am trying to access the file in the browser using the parameter https://10.129.196.82/webshell.php?c=dir, but nothing happens. Could someone help me?

cyb3rj3d1 · March 27, 2023, 4:39pm

Never mind, I figured it out.