The Live Engagement

Greetings all! Today, we'll tackle the "Shells & Payloads" module challenge. We'll be targeting three hosts in this challenge. Let's begin our exploration.

Now Let’s Begin 🚀

Scenario:

CAT5's team has secured a foothold into Inlanefreight's network for us. Our responsibility is to examine the results of the recon that was run, validate any information we deem necessary, research what can be seen, and choose which exploits, payloads, and shells will be used to control the targets.

Objectives:

  • Demonstrate your knowledge of exploiting and receiving an interactive shell from a Windows host or server.

  • Demonstrate your knowledge of exploiting and receiving an interactive shell from a Linux host or server.

  • Demonstrate your knowledge of exploiting and receiving an interactive shell from a Web application.

  • Demonstrate your ability to identify the shell environment you have access to as a user on the victim host.

Credentials

The credentials we need for a foothold: htb-student / HTB_@cademy_stdnt!

Targets

Host-01: 172.16.1.11

Host-02: blog.inlanefreight.local

Host-03: 172.16.1.13

Initially, I established a connection utilizing xfreerdp with the provided credentials.

After establishing initial access with xfreerdp, I employed nmap to conduct a port scan on Host-01, revealing several open ports.

1) What is the hostname of Host-1? shells-winsvr

I visited http://172.16.1.11/ but found no useful information, so I took a look at /etc/hosts and found status.inlanefreight.local.

Based on the nmap results, we identified the system as a Windows Server 2019. Subsequently, I utilized whatweb to determine the specific server software in order to generate a payload using msfvenom.

Based on the findings, the server currently in operation utilizes ASP.NET. Consequently, we shall proceed to generate our payload.

Let's aim to establish a shell. I utilized the Laudanum webshell available at the following link.

I included my IP address in the list of allowed IPs within the webshell file. Let's proceed with uploading the file to establish shell access.

We have successfully obtained a shell and can now access the folder located at C:\Shares.

Next up is the second host: blog.inlanefreight.local.

Two ports, 22 and 80, are open. Upon accessing port 80, I found a post pointing to an exploit named 50064. However, since this attack requires authentication, I conducted directory enumeration to gather additional information.

After conducting directory enumeration, I discovered a directory labeled 'data'. Upon accessing it, I encountered a file named 'config.ini' which contains the username and password necessary for executing this attack.

I initially transferred the exploit to /usr/share/metasploit-framework/modules/exploits/ and subsequently successfully exploited the second target. You'll discover the flag located in the customscripts folder.

What language is the shell written in that gets uploaded when using the 50064.rb exploit? php
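The second host fell because a credential file sat under a web-accessible directory that simple enumeration turned up. From the defender's side, that pattern is visible in the access log: a burst of 404s from one client followed by a 200 on a sensitive path. The detector below is an added example written for this writeup, not part of the original post or any vendor tool; the log lines, the 10.10.14.x client addresses, the SENSITIVE_PATHS list and the 404 threshold are all constructed assumptions.

```python
"""Flag clients that enumerate directories and then fetch a sensitive file.

Added example for this writeup (not the author's code). Log lines below are
constructed in combined-log style; paths and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log: one client brute-forces paths, then reads config.ini.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153
10.10.14.5 - - [12/Mar/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153
10.10.14.5 - - [12/Mar/2024:10:00:02 +0000] "GET /uploads HTTP/1.1" 404 153
10.10.14.5 - - [12/Mar/2024:10:00:02 +0000] "GET /old HTTP/1.1" 404 153
10.10.14.5 - - [12/Mar/2024:10:00:03 +0000] "GET /data HTTP/1.1" 200 512
10.10.14.5 - - [12/Mar/2024:10:00:04 +0000] "GET /data/config.ini HTTP/1.1" 200 231
10.10.14.9 - - [12/Mar/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)

# Files that should never be served to anonymous clients (assumed list).
SENSITIVE_PATHS = ("config.ini", ".env", "wp-config.php", ".git/config")


def parse_line(line):
    """Return (ip, path, status) for a combined-log line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_enumeration_then_disclosure(log_text, min_404s=3):
    """Map client IP -> sensitive paths served with 200 after >= min_404s 404s."""
    not_found = defaultdict(int)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not parse rather than crash
        ip, path, status = parsed
        if status == 404:
            not_found[ip] += 1
        elif status == 200 and path.endswith(SENSITIVE_PATHS) and not_found[ip] >= min_404s:
            hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_enumeration_then_disclosure(SAMPLE_LOG).items():
        print(f"ALERT {ip}: enumeration followed by disclosure of {paths}")
```

The same check is a quick way to audit your own web root: anything matching SENSITIVE_PATHS that returns 200 should be moved outside the document root or blocked in the server config.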

Let's now investigate the third target: 172.16.1.13

After conducting reconnaissance, I discovered that the server runs Windows Server 2016 with SMB exposed, which suggests it may be vulnerable to EternalBlue (MS17-010). Let's proceed with exploiting it.

You now have access to the flag. Thank you for taking the time to read this writeup. Wishing you a wonderful day ahead.