SELLING Synacktiv Fortress - Script to gain initial foothold (Rev Shell)
by slrrrR - September 22, 2021 at 03:45 AM
#1
If you're stuck getting an initial foothold, this script skips a number of the discovery and attack steps and allows for initial foothold.

Coded to work via BurpSuite / Proxy, so edit this if it's not wanted.

1. Set up Listener (rev shell uses netcat)
2. Start Burp, set Intercept Off
3. Run ./script.sh <your tun0 IP> <your listener port>, e.g. ./script.sh 10.14.13.1 5555

Note: Bash script but does use Python for parts

Bash Script to Foothold: [hidden content]
#2
Cleaned the script and made all repeated steps automatic
#3
Question:
## Register as Elon Musk with a space in the username (SQL truncation)
-d "username=elonmusk+&password=a"
## Login with overwritten creds
-d "username=elonmusk+&password=a"
identical creds for register and login?
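The script comment quoted above names the flaw it relies on, "SQL truncation": a registration handler checks for an existing user with the raw input, then the database silently shortens an over-long or space-padded value on INSERT so it lands on an existing row. The following is an added example, not the thread's script and not the target application's code, that models that failure mode in a toy in-memory "table" and places a hardened registration handler beside it; the 8-character column width and the user names are constructed values for the demo.

```python
"""Model of the "SQL truncation" registration flaw and a hardened handler.

Added example: the in-memory tables below stand in for a real database
column (constructed, not real code from any project).  The column width of
8 is an assumption chosen for the demo.
"""

USERNAME_WIDTH = 8  # assumed VARCHAR(8)-style column width (constructed)


class TruncatingUserTable:
    """Models a column that silently truncates over-long values on INSERT,
    the behaviour of a non-strict SQL mode, keyed on the stored value."""

    def __init__(self, width=USERNAME_WIDTH):
        self.width = width
        self.rows = {}  # stored username -> password

    def lookup(self, username):
        # Exact-match lookup on whatever the caller passes in.
        return self.rows.get(username)

    def insert(self, username, password):
        stored = username[: self.width]  # silent truncation: the flaw
        self.rows[stored] = password     # overwrites any row with that key
        return stored


class StrictUserTable(TruncatingUserTable):
    """Models strict mode plus a UNIQUE constraint: an over-long or
    duplicate value is an error, never a truncation or an overwrite."""

    def insert(self, username, password):
        if len(username) > self.width:
            raise ValueError("username exceeds column width")
        if username in self.rows:
            raise ValueError("duplicate username")
        self.rows[username] = password
        return username


def register_vulnerable(table, username, password):
    """Existence check on the raw input, then a truncating insert."""
    if table.lookup(username) is not None:
        return False
    table.insert(username, password)
    return True


def normalize_username(username):
    """Canonical form used for both the uniqueness check and the stored value.
    Rejects surrounding or embedded whitespace and over-long names outright."""
    cleaned = username.strip()
    if cleaned != username or any(ch.isspace() for ch in cleaned):
        raise ValueError("whitespace in username")
    if not cleaned or len(cleaned) > USERNAME_WIDTH:
        raise ValueError("username length out of range")
    return cleaned.lower()


def register_hardened(table, username, password):
    """Validate and canonicalise before touching the database; the table
    itself is strict, so nothing can be silently shortened or replaced."""
    try:
        canonical = normalize_username(username)
    except ValueError:
        return False
    if table.lookup(canonical) is not None:
        return False
    try:
        table.insert(canonical, password)
    except ValueError:
        return False
    return True


def login(table, username, password):
    return table.lookup(username) == password


def demo_vulnerable():
    """True if a second registration overwrote the first user's password."""
    t = TruncatingUserTable()
    register_vulnerable(t, "elonmusk", "real-secret")
    # 9-char name: the exact lookup misses, the insert truncates to the 8-char key
    register_vulnerable(t, "elonmusk ", "other")
    return login(t, "elonmusk", "other")


def demo_hardened():
    """True if the original password survived the same request sequence."""
    t = StrictUserTable()
    register_hardened(t, "elonmusk", "real-secret")
    second = register_hardened(t, "elonmusk ", "other")
    return (not second) and login(t, "elonmusk", "real-secret")


if __name__ == "__main__":
    print("vulnerable model overwritten:", demo_vulnerable())  # True
    print("hardened model intact:", demo_hardened())           # True
```

The two fixes are independent and both matter: the application-side normalisation makes the existence check and the stored value agree, and the strict table turns a would-be truncation or duplicate into an error the handler can refuse. Either one alone closes the overwrite in this model, but a database in strict mode is the one that also protects every other code path that writes the column.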
#4
(September 24, 2021 at 01:48 PM)orangutang Wrote: Question:
identical creds for register and login?

Fixed. Copy & paste fail, thanks for the post.
#5
Hi again, I get this response (stripped of tags):
Error Invalid client request received The request does not contain a valid URL
What may the problem be? Does the victim need rebooting? Thanks in advance.
#6
(September 26, 2021 at 07:53 AM)orangutang Wrote: Hi again, I get this response (stripped of tags):
Error Invalid client request received The request does not contain a valid URL
What may the problem be? Does the victim need rebooting? Thanks in advance.

script still works for me, you get this sorted?
#7
Yes, I tried many times - same result.
#8
(September 27, 2021 at 10:34 AM)orangutang Wrote: Yes, I tried many times - same result.

Need more info to see what you're doing.

Only requirements to run the script:

1. Burpsuite Running on 127.0.0.1:8080 (or remove the proxy entries from each CURL section of the script)
2. hackfail.htb correctly set in your /etc/hosts (10.13.37.13 synacktiv.htb hackfail.htb dev.hackfail.htb)
3. Set up Listener to catch the reverse shell
4. Run the script with your tun0 IP and select listener port (e.g. ./getshell.sh 10.x.x.x 9001)
#9
This is exactly what I do. Result (listener opened with nc -nlvp 7777):
[+] Visting http://hackfail.htb to get initial Cookie
[+] Registering fake Elon Musk
[+] Logging in as Real Elon Musk
[!] Popping shell back to 10.13.14.87 7777
[-] You can hit Ctrl +C to kill this without losing session
<html code>
Error Invalid client request received The request does not contain a valid URL

I do not understand what the problem is...
#10
(September 28, 2021 at 09:12 AM)orangutang Wrote: I do not understand what the problem is...

You're running it through BurpSuite, right? Burp running as default and listening on 127.0.0.1 port 8080?

Try running each curl command inside the script manually and see where it fails. All the pieces are there to get a rev shell.
#11
Burpsuite on 127.0.0.1 port 8080, etc., etc. Thanks, I'll try.
#12
(September 29, 2021 at 01:51 AM)orangutang Wrote: Burpsuite on 127.0.0.1 port 8080, etc., etc. Thanks, I'll try.

Still working every time for me, can't recreate the fault you are seeing, sorry.

The script has been adjusted a few times to make it easier to use, but it still requires the proxy - it's handy to troubleshoot through, that is why.

It can always be edited out of the script if you no longer need it.

If you're flying through SynAckTiv, hit up the discussion as it's pretty dead and I know I'm stuck in places too.
