ToolsRus
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Scan only ports 22, 80, 1234 and 8009
(-oN nmap): Save the output in normal format to a file called nmap
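The -oN output is plain text, and later questions in the room are answered straight from it, so it helps to have a small parser that pulls the open ports, service names and version strings out of a saved scan instead of reading it by eye. This is an added example written for this page, not a tool from the writeup; the scan text inside it is constructed sample output (the version strings are made up) and is not the room's real scan.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of nmap normal (-oN) output, written for this example.
# It is not the scan from the writeup and the version strings are made up.
SAMPLE_NMAP = """\
# Nmap 7.80 scan initiated Sun Mar 14 10:00:00 2021 as: nmap -sV -sC -Pn -p 22,80,1234,8009 -oN nmap 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).

PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
1234/tcp open   http    Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
8009/tcp open   ajp13   Apache Jserv (Protocol v1.3)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Sun Mar 14 10:00:13 2021 -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# A port line looks like "1234/tcp open   http    Apache Tomcat/Coyote JSP engine 1.1".
# NSE script output lines start with "|" and never match this pattern.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_normal(text: str) -> List[Dict[str, object]]:
    """Return one record per port line of an -oN file: port, proto, state, service, version."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue  # header, host lines, script output and comments are skipped
        rec: Dict[str, object] = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = str(rec["version"]).strip()
        records.append(rec)
    return records


def open_ports(records: List[Dict[str, object]], service: Optional[str] = None) -> List[int]:
    """Open ports, optionally only those nmap labelled with the given service name (e.g. 'http')."""
    return [
        int(r["port"])
        for r in records
        if r["state"] == "open" and (service is None or r["service"] == service)
    ]


def service_on(records: List[Dict[str, object]], port: int) -> Optional[Tuple[str, str]]:
    """(service, version) for a port, or None if the scan has no line for it."""
    for r in records:
        if r["port"] == port:
            return str(r["service"]), str(r["version"])
    return None


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_NMAP)
    for r in recs:
        print(f'{r["port"]}/{r["proto"]} {r["state"]} {r["service"]} {r["version"]}')
    print("http ports:", open_ports(recs, "http"))
```

Feeding it a real -oN file is just `parse_nmap_normal(open("nmap").read())`; the `open_ports(recs, "http")` call is what tells you there is a second web server to look at, which is the point the writeup reaches by hand a few steps later.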
Enumeration
Port 80
Let's visit the site.
It says that the other parts of the website are still functional, so let's run gobuster to find hidden directories.
We found two directories. Let's first visit /guidelines, which also happens to be the answer to the first question of this room.
Looks like we have a possible username, bob. This is the answer to the second question in this room.
Now let's look at the other directory, /protected. This is the answer to question 3 in this room.
It's asking us for a password. We have bob as a username, so let's use hydra to brute-force the password.
We found the password bubbles, which is also the answer to the 4th question in this room.
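From the other side of the wire, a hydra run against a basic-auth directory like /protected is very loud: one client sends a burst of requests that all come back 401, and if the guess succeeds the burst ends with a 200. The script below is an added example of how a defender would pick that pattern out of an Apache/nginx combined-format access log; it is not part of the writeup, and the log lines in it are constructed for the example (the addresses, times and paths are invented). The thresholds are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log, written for this example (not logs from the room).
# 203.0.113.5 fails six times in six seconds and then gets in; 198.51.100.7 is a
# normal user who mistypes once.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2021:09:59:30 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2021:10:00:01 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2021:10:00:02 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2021:10:00:03 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2021:10:00:04 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2021:10:00:05 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2021:10:00:06 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
203.0.113.5 - bob [14/Mar/2021:10:00:07 +0000] "GET /protected/ HTTP/1.1" 200 789 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2021:10:05:00 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
198.51.100.7 - bob [14/Mar/2021:10:05:03 +0000] "GET /protected/ HTTP/1.1" 200 789 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(str(rec["status"]))
    return rec


def detect_bruteforce(
    lines: List[str],
    path_prefix: str = "/protected",
    threshold: int = 5,                 # assumed: failures inside one window that trigger an alert
    window: timedelta = timedelta(seconds=60),
) -> Dict[str, Dict[str, object]]:
    """Flag client IPs with >= threshold 401s on path_prefix inside any window.

    success_after records whether that IP later got a 200 on the same path, i.e.
    whether the guessing most likely worked and the credential is now burned.
    """
    events = [e for e in map(parse_line, lines) if e and str(e["path"]).startswith(path_prefix)]
    events.sort(key=lambda e: e["ts"])
    by_ip: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for e in events:
        by_ip[str(e["ip"])].append(e)

    alerts: Dict[str, Dict[str, object]] = {}
    for ip, evs in by_ip.items():
        fails = [e["ts"] for e in evs if e["status"] == 401]
        # sliding window over the sorted failure timestamps
        hit, start = False, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = True
                break
        if not hit:
            continue
        last_fail = fails[-1]
        success_after = any(e["status"] == 200 and e["ts"] >= last_fail for e in evs)
        alerts[ip] = {"failures": len(fails), "success_after": success_after}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The same loop works on a live log tail. The `success_after` flag is the one worth paging on: a burst of 401s is an attempt, a burst followed by a 200 from the same address is a credential you should rotate. The structural fix is, of course, not to protect an admin area with a single dictionary-word basic-auth password in the first place, and to rate-limit or lock out repeated failures so the burst never reaches the threshold.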
Now we can log in.
Oh, so now we have to go to the other HTTP port that we saw in the nmap scan, 1234, which is also the answer to the 5th question in this room.
Let's visit the site.
It's running Apache Tomcat/7.0.88, which is the answer to question 6.
The next question is asking us to use nikto to scan the /manager/html directory on this port. Let's do that.
Let's also visit the web application on this port and directory. We have to log in using the same credentials; this is what it looks like after logging in.
The Nikto scan did not give me anything important as far as I know; the answer to question 7 is "5".
The answers to the next two questions can be found in the nmap scan.
Exploitation
Let's fire up Metasploit.
Now let's search for tomcat.
Looking through the results, numbers 5 and 6 were the only entries that were actual exploits and looked relevant, so I tried number 6.
Let's look at the options and check what we have to provide to Metasploit to exploit the system.
We need to change the following options:
Http Username
Http Password
RHOSTS
RPORT
LHOST
The command to set a value for a parameter:
After setting everything up, let's run the exploit.
Now let's check who we are on the system.
And we are root, which is the answer to question 10 in this room. You can also find the last answer in /root/flag.txt.