# ToolsRus

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTUdmoTzW7fqHHOKBI%2F-MbTUjGB1PqnpNCagr7f%2Fimage.png?alt=media\&token=efbc20b9-b921-43a9-8ced-682008f88ac2)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**), which skips host discovery and scans the target even if it does not answer pings.

```
nmap -Pn 10.10.217.167
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTV3ZUTRvDF6rtYlHP%2F-MbTVlFCFXKgVfqXDFGZ%2Fimage.png?alt=media\&token=52b68a45-3fb2-4584-a382-44a805b9838c)

Detailed Nmap scan:

Command breakdown:

* **-sV**: Service version detection
* **-sC**: Run the default nmap scripts
* **-p**: Scan only ports 22, 80, 1234 and 8009
* **-oN nmap**: Save the output to a file called `nmap`

```
nmap -sV -sC -p 22,80,1234,8009 -oN nmap 10.10.217.167
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTV3ZUTRvDF6rtYlHP%2F-MbTVou75ZEN206wDFqJ%2Fimage.png?alt=media\&token=b4c4aaf5-3f8b-41c8-a4ec-5f764524aee4)

## Enumeration

### Port 80

Let's visit the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTVrfaoN40252ZgXhv%2F-MbTW5SkXIHQ-pYOvfff%2Fimage.png?alt=media\&token=f43263a3-1454-48c4-bdfd-2f8a9dfe2941)

It says that other parts of the website are still functional, so let's run gobuster to find hidden directories.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.217.167
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTVrfaoN40252ZgXhv%2F-MbTWmligTEMv0G-PMah%2Fimage.png?alt=media\&token=3d6ae060-8589-4285-8e3a-509e3973091b)

We found two directories. Let's first visit `/guidelines`, which also happens to be the answer to the first question of this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTVrfaoN40252ZgXhv%2F-MbTWvK522O26WeM622k%2Fimage.png?alt=media\&token=ddbc4057-72c9-4859-a42a-1445a69a5efc)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTVrfaoN40252ZgXhv%2F-MbTWzaJnLXEUwmzm3tH%2Fimage.png?alt=media\&token=a0570070-a95d-49dc-9124-d1ec14792dcc)

Looks like we have a possible username, `bob`. This is the answer to the second question in this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTVrfaoN40252ZgXhv%2F-MbTXXoSfPdaNnXVP7_A%2Fimage.png?alt=media\&token=2886c398-b2cf-4eec-a3cd-0bc3fb814366)

Now let's look at the other directory, `/protected`. This is the answer to question 3 in this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTYqGN21ODRG-efeYY%2F-MbTZTWWR_IeofyGLgf0%2Fimage.png?alt=media\&token=957777c1-d109-40d1-a180-3b803691dfa7)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTVrfaoN40252ZgXhv%2F-MbTYTkglVcYia2eRUwc%2Fimage.png?alt=media\&token=ee9229b6-2e63-466f-8486-bf3f79ccb0ab)

It's asking us for a password. We have `bob` as a username, so let's use `hydra` to brute-force the password.

```
hydra -l bob -P /usr/share/wordlists/rockyou.txt 10.10.217.167 http-get /protected/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTYqGN21ODRG-efeYY%2F-MbTZuCcK1n6sGZKc1pF%2Fimage.png?alt=media\&token=b0c11e55-1edc-4f0e-858f-eed27d2a1406)

We found the password `bubbles`, which is also the answer to the 4th question in this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTYqGN21ODRG-efeYY%2F-MbT_3YnHRwKzsdf78vV%2Fimage.png?alt=media\&token=12baf215-1b53-4805-9631-6f87af3d72bc)

Now we can log in.
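As an added example that is not part of this writeup: the hydra run above leaves an obvious trail in the web server's access log, a burst of HTTP 401 responses from one source against `/protected/`. This Python detector applies that logic to constructed Apache combined-format log lines; the threshold, the window and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line (the constructed sample below uses this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

def detect_basic_auth_bruteforce(lines, threshold=20, window_s=60):
    """Map (source ip, path) -> time of first alert, for sources that drew
    `threshold` or more HTTP 401 responses on one path within `window_s` seconds.
    Both limits are assumptions; tune them to the site's normal traffic."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps of recent 401s
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        key = (m.group("ip"), m.group("path"))
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:   # drop entries outside the window
            window.popleft()
        if len(window) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts

def make_sample_log():
    """Constructed log: 25 failed Basic-auth attempts on /protected/ in 25 s,
    the final successful login, and ordinary browsing from another client."""
    start = datetime(2021, 6, 10, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset, path, status):
        ts = (start + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 381 "-" "Mozilla/5.0"'
    lines = [line("10.0.0.5", i, "/protected/", 401) for i in range(25)]
    lines.append(line("10.0.0.5", 25, "/protected/", 200))
    lines += [line("10.0.0.9", i * 7, "/guidelines", 200) for i in range(4)]
    return lines

if __name__ == "__main__":
    for (ip, path), when in detect_basic_auth_bruteforce(make_sample_log()).items():
        print(f"ALERT {ip} brute-forcing {path}, threshold crossed at {when.isoformat()}")
```

The successful 200 after the burst is the other thing worth alerting on: a 401 storm followed by a 200 from the same source means the guess worked.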

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTYqGN21ODRG-efeYY%2F-MbT_OEbaOrTckqzaO3p%2Fimage.png?alt=media\&token=c251fad7-6adb-4d3b-bdb2-5c17825b1a7f)

So now we have to go to the other HTTP port, 1234, which we saw in the nmap scan and which is also the answer to the 5th question in this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTYqGN21ODRG-efeYY%2F-MbT_gJ1UjMHb3hKrwaZ%2Fimage.png?alt=media\&token=d9e1972c-45ee-473d-8831-5858226c7702)

Let's visit the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTYqGN21ODRG-efeYY%2F-MbT_nKiExqHU3GUCxPS%2Fimage.png?alt=media\&token=f110283f-bfbc-4e31-8f2f-707b000c8d4d)

It's running `Apache Tomcat/7.0.88`, which is the answer to question 6.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTYqGN21ODRG-efeYY%2F-MbT_ysA3ZgOfKRnZCig%2Fimage.png?alt=media\&token=cee21bc7-d3e8-4b3a-a144-9e7b734d09b5)

The next question asks us to use `nikto` to scan the `/manager/html` directory on this port.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTa-Ms2CZKW8HRcM5T%2F-MbTaQBCbgbEFT7xnGvo%2Fimage.png?alt=media\&token=54969b16-f264-4b43-afa7-5d8612c26d36)

Let's do that.

```
nikto -h 10.10.217.167:1234/manager/html -id bob:bubbles
```

Let's also visit the web application on this port and directory. We have to log in using the same credentials; this is what it looks like after logging in.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTa-Ms2CZKW8HRcM5T%2F-MbTb-ZMj49zbhHG7kld%2Fimage.png?alt=media\&token=80082173-2cf6-410b-b55f-a09dfb4b1c5a)

The Nikto scan did not give me anything important as far as I can tell; the answer to question 7 is "5".

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTbBn5ayhLtfLchkKQ%2F-MbTifh2I7kUaIHC_oXS%2Fimage.png?alt=media\&token=e2429ec2-6f79-4cb0-9b7f-2e396539d0df)

The answers to the next two questions can be found in the nmap scan.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTbBn5ayhLtfLchkKQ%2F-MbTjN64RwW5Yxb3_xU7%2Fimage.png?alt=media\&token=f6cf3ae0-6a59-427b-ac00-f9817c695f29)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTbBn5ayhLtfLchkKQ%2F-MbTjTZutcRgCsdNmria%2Fimage.png?alt=media\&token=e4eeb6b9-68d7-46f1-bd87-f9d43a946d41)

## Exploitation

Let's fire up Metasploit.

```
msfconsole
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTjWY0KkDJ_rIpWXvc%2F-MbUCBdziAqLImEkHtQP%2Fimage.png?alt=media\&token=377c0b2d-843d-495b-aa90-614823138598)

Now let's search for tomcat.

```
search tomcat
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTjWY0KkDJ_rIpWXvc%2F-MbUCPboM5-2nJecLmVk%2Fimage.png?alt=media\&token=916dee16-c3b3-47c3-bf54-2dd77febc667)

Looking through all the results, numbers 5 and 6 were the only interesting ones that were actual exploit modules, so I tried number 6.

```
use exploit/multi/http/tomcat_mgr_upload
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTjWY0KkDJ_rIpWXvc%2F-MbUClzmo0JzXVQsN4V-%2Fimage.png?alt=media\&token=f411b0c3-6fe8-40d1-b503-dae0f7a40bd9)

Lets look at the options and check what we have to provide to Metasploit to exploit the system.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTjWY0KkDJ_rIpWXvc%2F-MbUCx2bWptQ30UkCwL1%2Fimage.png?alt=media\&token=3e9e7e1f-99c9-4777-830a-6fb83333124f)

We need to change the following options:

* `HttpUsername`
* `HttpPassword`
* `RHOSTS`
* `RPORT`
* `LHOST`

The command to set a parameter's value:

```
set <Parameter> <Value>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTjWY0KkDJ_rIpWXvc%2F-MbUDuMDe0eKZ2YTqDze%2Fimage.png?alt=media\&token=bc029326-be80-4cf2-932e-3d1cdc752c11)

After setting everything up, let's run the exploit.

```
run
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTjWY0KkDJ_rIpWXvc%2F-MbUE4gGj_EJvJmp9yG6%2Fimage.png?alt=media\&token=92c590ee-841a-4e17-8385-d162dd3c8ef5)

Now let's check who we are on the system.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTjWY0KkDJ_rIpWXvc%2F-MbUEFB4aSYBnWaNPy1u%2Fimage.png?alt=media\&token=7605ef93-4753-419a-888b-3b7530679e6b)

And we are root, which is the answer to question 10 in this room. You can also find the last answer in `/root/flag.txt`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbTjWY0KkDJ_rIpWXvc%2F-MbUEQ_KU2DC22rpAz7a%2Fimage.png?alt=media\&token=78a55cdb-49a6-4c78-a5e1-341918bd6065)
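As an added example that is not part of this writeup, here is the audit a defender would run on the Tomcat side of this chain: `tomcat_mgr_upload` only works because an account in `tomcat-users.xml` holds `manager-gui`/`manager-script` with a password that is in a wordlist and is reused from the `/protected` login. The XML, the weak-password list and the clear-text password storage (the tomcat-users.xml default) are assumptions.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying a WAR through the Manager app (HTML UI and text
# interface respectively); these are what exploit/multi/http/tomcat_mgr_upload needs.
DEPLOY_ROLES = {"manager-gui", "manager-script"}

# Constructed tomcat-users.xml; newer Tomcat releases add the xmlns shown here,
# older ones omit it, so the tag check below strips any namespace.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="probe"/>
  <user username="bob" password="bubbles" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Kq7#vP2mLx9!zR4t" roles="manager-script"/>
  <user username="viewer" password="bubbles" roles="probe"/>
</tomcat-users>
"""

# Constructed stand-in for a breached-password list such as rockyou.txt.
WEAK_PASSWORDS = {"bubbles", "password", "tomcat", "admin", "s3cret"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # "{ns}user" -> "user"

def audit_tomcat_users(xml_text, weak_passwords=WEAK_PASSWORDS):
    """Return (username, issue, deploy_roles) for every account that can deploy
    code through the Manager app and has a wordlist password or shares its
    password with another account."""
    users = [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "user"]
    owners = {}                              # password -> usernames using it
    for u in users:
        owners.setdefault(u.get("password", ""), []).append(u.get("username"))
    findings = []
    for u in users:
        name, pw = u.get("username"), u.get("password", "")
        roles = {r.strip() for r in u.get("roles", "").split(",")}
        deploy = sorted(roles & DEPLOY_ROLES)
        if not deploy:
            continue                         # cannot deploy code, out of scope here
        if pw in weak_passwords:
            findings.append((name, "password appears in wordlist", deploy))
        shared = [o for o in owners[pw] if o != name]
        if shared:
            findings.append((name, "password shared with " + ", ".join(shared), deploy))
    return findings

if __name__ == "__main__":
    for name, issue, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{name}: {issue} (roles {', '.join(roles)})")
```

The second half of the fix is outside this file: the shell landed as root because Tomcat itself was running as root, so the service account matters as much as the manager credentials.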
