Source: Created by tryhackme (ben) on TryHackMe
Description:
Practice using tools such as dirbuster, hydra, nmap, nikto and metasploit
Related Hosting Links
- TryHackMe
- Hosted as a subscriber only room at the time of writing.
- Link: https://tryhackme.com/room/toolsrus
Instructions:
- As we start most boxes, let's begin with some scanning! For this, let's use nmap.
- Looks like we have a few normal services open including SSH and HTTP on their normal ports (22 and 80 respectively) but there's also something weird running on port 1234. Let's go ahead and investigate the http website using firefox.
- Well that's no good! At least some of the other parts are still functional, let's go ahead and find those using dirb!
- Let's go ahead and check out both of those pages
- And /protected/?
- Well, that's definitely protected, just not very well! Let's try using hydra to brute force that password. I'll attempt this using the user that was mentioned on the guidelines page, bob.
- There's our password! Let's log in and see what we're working with
- Well, this is probably what's running on port 1234. Let's go ahead and run nikto against this port so we can find our new login page.
- There's a manager page, let's try logging into that
- Here's those files found by nikto as well!
- Let's go ahead and run an additional credentialed scan on this system to see if we can locate any additional components running on this system
- It's worth nothing this scan can take a while to run, take stock of my total scan time on my results
- After looking around in this application, reviewing our service versions from our nmap scan, and doing a little research online we can find that this version of Apache Tomcat is pretty oudated and has a lovely vulnerability we can exploit to get a shell
- Link to exploit notes: https://charlesreid1.com/wiki/Metasploitable/Apache/Tomcat_and_Coyote
- We'll go ahead and start up metasploit and use the following exploit package. For a few more details on this exploit, check out the aforementioned link above.
- Set the options for this exploit as follows, make sure to fill in the password we found earlier for bob:
- And run!
- There's our flag! Don't run outdated servers as root!
Flags:
- Root directory on the toolsrus server.