Getting Started | Public Exploits | Try to identify the services running on the server above

@Kratosak said:

Well, I tried many exploits but only one seems to be working, and it needs the exact location of the file, which is unknown to me. Is there a way to scan the target for a specific folder?

Have you scrolled up a couple of posts?

Doesn't it say in the question?


@TazWake said:

@Kratosak said:

Well, I tried many exploits but only one seems to be working, and it needs the exact location of the file, which is unknown to me. Is there a way to scan the target for a specific folder?

Have you scrolled up a couple of posts?

Doesn't it say in the question?

I know that I am looking for /flag.txt but I do not know exactly where it is located. I am just a beginner, so maybe I am doing something wrong, but after two days it does not seem to be such an easy task.

I think I am missing something but I'm not sure what exactly.

@Kratosak said:

@TazWake said:

@Kratosak said:

Well, I tried many exploits but only one seems to be working, and it needs the exact location of the file, which is unknown to me. Is there a way to scan the target for a specific folder?

Have you scrolled up a couple of posts?

Doesn't it say in the question?

I know that I am looking for /flag.txt but I do not know exactly where it is located. I am just a beginner, so maybe I am doing something wrong, but after two days it does not seem to be such an easy task.

I think I am missing something but I'm not sure what exactly.

Have you looked for it at /flag.txt?

What locations have you checked?

Just to be clear, I am not trying to be an a$$hole here, but /flag.txt is a location. If it isn't there, then the question is misleading, and it would annoy me because it's teaching people bad things about Linux.

I can't see how else to describe a location other than path and filename.

If the question was "look in /home/user/flag.txt" then I'd look in /home/user/flag.txt; if the question says "/flag.txt" then I'd look in /flag.txt.

If you can't enumerate the file system through the exploit, then it seems unfair to make you find a random path.

@TazWake said:

Just to be clear, I am not trying to be an a$$hole here, but /flag.txt is a location. If it isn't there, then the question is misleading, and it would annoy me because it's teaching people bad things about Linux.

I can't see how else to describe a location other than path and filename.

If the question was "look in /home/user/flag.txt" then I'd look in /home/user/flag.txt; if the question says "/flag.txt" then I'd look in /flag.txt.

If you can't enumerate the file system through the exploit, then it seems unfair to make you find a random path.

I completely understand your attitude, no worry :). I was thinking, maybe the reason why I cannot solve this is that I use the wrong exploit. From my point of view there should be a way to find out which exploit is suitable for this hack. Trying random exploits from Metasploit or a public DB is not a very effective way, from my point of view. I need to master the technique of choosing the right exploit to run, but as a beginner, and from the current academy module, I cannot do it right now.

Have done the 2 ways you can get the flag in this module. It seems that it wants you to look for an exploit in the plugins, in which case searchsploit and Metasploit; I find it easier to do it on Metasploit. Even though I knew how to get the flag.txt in searchsploit, I'm having a hard time understanding it. The location of the flag is in root.

@NewHax said:

Finally figured this one out. If anyone needs help you can message me and I'll try and assist. The gist is: run the exploit with the correct settings and Metasploit will spit out a file you can cat to view.

Can you give your Discord username and tag?

Hi all. I have gotten quite a few messages about this, so I will try and leave some hints here to save my poor little inbox, lol.

  1. Find the port that the service is running on.
  2. Use Metasploit to figure out what exploit to run (there is an obvious one for WordPress Simple Backup).
  3. Read through that exploit.
  4. Run the 'help' command for that exploit (Metasploit shows how).
  5. Configure the correct settings before actually running (RHOSTS, PORT, filepath).
  6. Run that exploit, dawg.
  7. Metasploit will download a file; you can use the cat command to view the contents of that file.

Good luck!


Finally I did it the Metasploit way.

Hey everyone,
Bit confused on how to find the specific directory that the flag.txt file is in, in order to use the exploit. Either that, or I'm not fully understanding how the exploit works. Let's assume the first one for now :slight_smile:

To give a bit of a clue on where I am, I'm able to crawl directories using gobuster, but have been unsuccessful in finding any clues to where the flag is. I've also looked at the source code of the pages that I can find using gobuster, but have been unable to find clues there either.

Assuming the flag is in the root directory of the webserver, would that not just look like http://ip:port/exploit?

Sorry for the verboseness; I want to get to the bottom of this asap, have been stuck for a day or so now.

@capriciousewok said:

Hey everyone,
Bit confused on how to find the specific directory that the flag.txt file is in, in order to use the exploit. Either that, or I'm not fully understanding how the exploit works. Let's assume the first one for now :slight_smile:

To give a bit of a clue on where I am, I'm able to crawl directories using gobuster, but have been unsuccessful in finding any clues to where the flag is. I've also looked at the source code of the pages that I can find using gobuster, but have been unable to find clues there either.

Assuming the flag is in the root directory of the webserver, would that not just look like http://ip:port/exploit?

Sorry for the verboseness; I want to get to the bottom of this asap, have been stuck for a day or so now.

Verbose questions are always the best - they help people answer.

So - with the caveat that I haven't done this lab - I think you need to go back and check the question again:
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file.

First you need to enumerate the server and identify services. Gobuster falls into this category, but I'd suspect it needs more.

Once you understand the services running you can look for exploits, then exploit the service.

Once you've exploited the service you will probably have a shell on the machine - or the ability to read files.

Then you can look for the flag /flag.txt, which probably sits in the root of the server, not the webserver.

Thanks for the response Taz. I’ve taken your suggestion and attempted to find alternate exploits that would grant access to the server, and not the webserver, which was a distinction I didn’t know existed. I haven’t had any success with that route yet, but I’ll keep trying.

Before I go back to that route, let me explain my reasoning a bit. I am biased toward thinking that the flag is actually on the webserver, because the hint provided for this lab specifically says to look for “plugin exploits”.

~Small spoilers ahead~

The plugin that the web server hosts is a WordPress plugin, and is the only plugin that I've been able to find using the methods introduced in this lesson, or otherwise. Operating on the assumption that this is the plugin we're looking to exploit (which, using searchsploit and exploit-db, leads me to believe it is), we can see that the exploit itself is to download any hosted file from the webserver. To prevent spoiling too much, I'll DM you to see if you can help explain exactly how to operate this exploit.
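The defender's takeaway from this thread: the plugin weakness under discussion serves files by a caller-supplied path, so the thing to alert on in access logs is a plugin endpoint being asked for a path with traversal sequences or an absolute filesystem path such as /flag.txt. Below is an added example, not code from the thread, HTB or Metasploit, that scans constructed log lines for that pattern; the plugin slug 'example-backup', the 'file' parameter and the log lines are all placeholders I made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" format: client IP, then the request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)
# Traversal sequences (plain or percent-encoded) and absolute paths into the
# filesystem root: neither belongs in a "which backup do you want" parameter.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.IGNORECASE)
ABS_PATH = re.compile(r'^/(etc|flag|root|home|var|proc)', re.IGNORECASE)


def suspicious_file_params(uri: str) -> list[str]:
    """Return query values that look like filesystem paths in a request
    to a WordPress plugin endpoint; [] for anything else."""
    parts = urlsplit(uri)
    if "/wp-content/plugins/" not in parts.path:
        return []
    hits = []
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote(unquote(value))  # also catch double-encoding
            if TRAVERSAL.search(decoded) or ABS_PATH.match(decoded):
                hits.append(decoded)
    return hits


def scan_log(lines):
    """Return a list of (client_ip, status, [suspicious values]) per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_file_params(m["uri"])):
            findings.append((m["ip"], m["status"], hits))
    return findings


# Constructed sample log; 'example-backup' and 'file' are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /wp-content/plugins/example-backup/download.php?file=backup-2024.zip HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /wp-content/plugins/example-backup/download.php?file=../../../../flag.txt HTTP/1.1" 200 37',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /wp-content/plugins/example-backup/download.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1204',
    '10.0.0.7 - - [01/Jan/2024:12:00:04 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} suspicious={hits}")
```

A 200 status on a flagged request is the interesting case: the server actually handed the file out, so the alert should carry the decoded path for the responder.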

@capriciousewok said:

Thanks for the response Taz. I’ve taken your suggestion and attempted to find alternate
Before I go back to that route, let me explain my reasoning a bit. I am biased toward thinking that the flag is actually on the webserver, because the hint provided for this lab specifically says to look for “plugin exploits”.

That is perfectly valid reasoning. Like I said, I haven’t looked at this lab at all so can only really go on the general knowledge and phrases people have posted here.

If the flag is at http://example.htb/flag.txt, however, then you could find it without exploiting the box. I'd strongly suspect the exploitation needs to either result in a shell or arbitrary file read.

It took me a while to get into the right mindset for this, but all you need to do is follow through the steps in the module methodically and see which work, so things like directory enumeration, service scans using nmap, looking online for the services that may be exploitable, and then seeing if there are any baked in scripts on metasploit for the things you find. It took me 6 hrs to get to the bottom of this after many many dead ends. Keep going :slight_smile:

@h3rcroot said:

Have done the 2 ways you can get the flag in this module. It seems that it wants you to look for an exploit in the plugins, in which case searchsploit and Metasploit; I find it easier to do it on Metasploit. Even though I knew how to get the flag.txt in searchsploit, I'm having a hard time understanding it. The location of the flag is in root.

Thanks for this comment, it helped me to resolve the flag.

Tons of good questions on this one. It's all trial and error.

Steps to solve:

  1. Find the name of the service you are looking for and pump that data into searchsploit. You could do something like: searchsploit wordpress simple, or use msfconsole and search wordpress simple.
  2. Once you find the specific service you are looking for, you could run something like: searchsploit -x php/webapps/37113.txt, or if you go the Metasploit route, you could simply run use 1 (or whatever ID your specific exploit is) to start reading through the exploit.
  3. THIS IS WHERE MOST PEOPLE STRUGGLE. This is what consumes time, so be ready to spend time reading, trying multiple different things, and failing. If you are new I would suggest using msfconsole, as it is much more point and shoot until you get it. Try simple; if it doesn't work, go more simple.
  4. Get flag :smile:

Please feel free to message; I will only reply if you include all steps you have taken.
gl, find me in HTB Discord or KryptSec Discord


Hey guys, newbie question. I have been trying to solve this puzzle for 2 days now. I have an issue with the Pwnbox. Every time it counts out, I can't use it for 24 hours. I figured maybe use a Kali VM for solving the questions in the academy.

Now I am in my Kali machine, running Metasploit (after I found the exploit). I set up my target RHOSTS with the one mentioned in the module, but after I hit exploit, it seems that I am connected to my machine instead of the target machine (that was not an issue when I did it from the Pwnbox provided by HTB Academy).
So my issue is how to connect the academy targets with my Kali machine? May sound dumb, but I am a bit confused.
Thanks

@tyrrant287 said:

Hey guys, newbie question. I have been trying to solve this puzzle for 2 days now. I have an issue with the Pwnbox. Every time it counts out, I can't use it for 24 hours. I figured maybe use a Kali VM for solving the questions in the academy.

Now I am in my Kali machine, running Metasploit (after I found the exploit). I set up my target RHOSTS with the one mentioned in the module, but after I hit exploit, it seems that I am connected to my machine instead of the target machine (that was not an issue when I did it from the Pwnbox provided by HTB Academy).
So my issue is how to connect the academy targets with my Kali machine? May sound dumb, but I am a bit confused.
Thanks

That was sometimes the case with me, but you need to set RHOSTS as the IP address given in the module without the port number [after : ], and later set RPORT to the given port number [after : ], and don't set or use the IP in Metasploit. It worked for me; I am also using Kali in VBox.

@SPARTANone17 said:

@tyrrant287 said:

Hey guys, newbie question. I have been trying to solve this puzzle for 2 days now. I have an issue with the Pwnbox. Every time it counts out, I can't use it for 24 hours. I figured maybe use a Kali VM for solving the questions in the academy.

Now I am in my Kali machine, running Metasploit (after I found the exploit). I set up my target RHOSTS with the one mentioned in the module, but after I hit exploit, it seems that I am connected to my machine instead of the target machine (that was not an issue when I did it from the Pwnbox provided by HTB Academy).
So my issue is how to connect the academy targets with my Kali machine? May sound dumb, but I am a bit confused.
Thanks

That was sometimes the case with me, but you need to set RHOSTS as the IP address given in the module without the port number [after : ], and later set RPORT to the given port number [after : ], and don't set or use the IP in Metasploit. It worked for me; I am also using Kali in VBox.

I managed to figure it out with the correct settings. Now moving on to the next section (privilege escalation), I tried to SSH to the target server (again using the Kali VM) but there was no connection. At first I tried to do it without using HTB OpenVPN, and then after I connected to the VPN, again no answer from the server.

I didn't try to connect via the Pwnbox (free users only have 1 per 24 hours), because I wanted to check the Kali VM first.

Any thoughts on this? Thanks

@tyrrant287 said:

@SPARTANone17 said:

@tyrrant287 said:

Hey guys, newbie question. I have been trying to solve this puzzle for 2 days now. I have an issue with the Pwnbox. Every time it counts out, I can't use it for 24 hours. I figured maybe use a Kali VM for solving the questions in the academy.

Now I am in my Kali machine, running Metasploit (after I found the exploit). I set up my target RHOSTS with the one mentioned in the module, but after I hit exploit, it seems that I am connected to my machine instead of the target machine (that was not an issue when I did it from the Pwnbox provided by HTB Academy).
So my issue is how to connect the academy targets with my Kali machine? May sound dumb, but I am a bit confused.
Thanks

That was sometimes the case with me, but you need to set RHOSTS as the IP address given in the module without the port number [after : ], and later set RPORT to the given port number [after : ], and don't set or use the IP in Metasploit. It worked for me; I am also using Kali in VBox.

I managed to figure it out with the correct settings. Now moving on to the next section (privilege escalation), I tried to SSH to the target server (again using the Kali VM) but there was no connection. At first I tried to do it without using HTB OpenVPN, and then after I connected to the VPN, again no answer from the server.

I didn't try to connect via the Pwnbox (free users only have 1 per 24 hours), because I wanted to check the Kali VM first.

Any thoughts on this? Thanks
