Attacking common services - easy

I’m really stuck on this exercise, I got the username “fiona” but the password list provided in resources doesn’t work. I have tried to encode it in base64, since when I do auth login to the smtp service it returns the encoded response. I have also encoded the username fiona, and finally I have also tried the list of passwords in base64 without the ==, but it does not work.

I have tried the list of passwords in plain text with the username fiona for all the services and none of them work, can someone help me ? Thank you.

I’ve discovered in several modules the provided password list doesn’t have the answer (neither does mutation). I recommend trying other password lists commonly talked about and used. Also located on the pwnbox. If you need further hints feel free to DM me

Use the eternal wordlist : rockyou.txt

Box times out before hydra can get through rockyou! I feel like I am missing something with this. I have tried all kinds of lists …rockyou would be the logical choice but takes too long…

While bruteforcing, give the username as: fiona@inlanefreight.htb

1 Like

thank you!

After a week off, I’m stuck in the easy lab on attacking common services. I have fiona’s username and password, I have discovered a vulnerability that allows uploading files, but I can’t find a way to exploit it. I am able to upload a file with the command
"curl -k -X POST -H “Host: inlanefreight.htb” --basic -u fiona:987654321 --data-binary ‘/home/htb-ac578854/shell(2) .php’ --path-as-is https://inlanefreight.htb/../xampp/htdocs/sh3ll.php

but after using the command “curl -k https://inlanefreight.htb/xampp/htdocs/sh3ll.php to try to execute the shell on the server and receive it in the metasploit handler, it returns a 401 access error not authorized. Can you give me any suggestion? Thank you.

This might help:

curl -k -X PUT -H “Host:” --basic -u fiona:987654321 -F ‘fileX=@/home/htb-ac643515/shell.php’ ‘…/…/…/…/…/…\xampp\htdocs\myshell.php’

web shell:

Happy Hacking

the uploading command returns this error:

curl: (26) Failed to open/read local data from file/application

Any help?

Can someone give me some advice, I have entered mysql with the credentials f*** and the pass 9***, but within it I understand that I must upload a file, or how can I do it, I need some advice I am stuck

im stuck on trying to upgrade my shell. ive uploaded it via the ftp server but can get it to execute. what am i missing?