Practise using tools such as dirbuster, hydra, nmap, nikto and metasploit
Your challenge is to use the tools listed below to enumerate a server, gathering information along the way that will eventually lead to you taking over the machine.
This task requires you to use the following tools:
Dirbuster
Hydra
Nmap
Nikto
Metasploit
K, so let's just start with an nmap 'cause it's good practice. Looks like we have an SSH port, two http ports and a jserv port.
Let's open that website and see what we have.
Interesting... okay, well, there's nothing in the source code here, so let's pop open gobuster.
K, looks like we have a few folders. Let's continue to enumerate those with gobuster by adding them to the URL portion of the gobuster command:
gobuster dir -u http://10.10.231.99/guidelines -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
What directory can you find, that begins with a "g"? guidelines
From there, that looks like it - protected won't scan for us. Let's visit guidelines. It's a static page with this written on it. There's nothing in the source code for this page.
Hey bob, did you update that TomCat server?
Whose name can you find from this directory? bob
If we visit the protected page, we get a dialog box to enter credentials
We can assume bob is a good username to use but we don't know the password.
What directory has basic authentication? protected
If you just type hydra in the command window, you'll see all the options we have; there's a TON of stuff you can crack with this app. The command we're going to use here is:
hydra -l bob -P /usr/share/wordlists/rockyou.txt 10.10.231.99 http-head /protected
Looks like we have a solid password crack.
What is bob's password to the protected part of the website? bubbles
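On the defensive side, that hydra run leaves an obvious trace in the web server's access log: a burst of 401s for /protected from one client, then a 200 once the password lands. The following Python is an added example, not part of the original writeup; it runs that check over a constructed Apache combined-format log (the client IPs and timestamps in it are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed Apache combined-format access log (not from the original writeup): a burst of
# 401s for /protected from one client, then a 200, plus one benign request from elsewhere.
SAMPLE_LOG = """\
10.10.14.5 - bob [12/May/2020:10:00:01 +0000] "HEAD /protected/ HTTP/1.0" 401 0 "-" "Mozilla/5.0"
10.10.14.5 - bob [12/May/2020:10:00:01 +0000] "HEAD /protected/ HTTP/1.0" 401 0 "-" "Mozilla/5.0"
10.10.14.5 - bob [12/May/2020:10:00:02 +0000] "HEAD /protected/ HTTP/1.0" 401 0 "-" "Mozilla/5.0"
10.10.14.5 - bob [12/May/2020:10:00:02 +0000] "HEAD /protected/ HTTP/1.0" 401 0 "-" "Mozilla/5.0"
10.10.14.5 - bob [12/May/2020:10:00:03 +0000] "HEAD /protected/ HTTP/1.0" 401 0 "-" "Mozilla/5.0"
10.10.14.5 - bob [12/May/2020:10:00:03 +0000] "HEAD /protected/ HTTP/1.0" 200 0 "-" "Mozilla/5.0"
10.10.14.9 - - [12/May/2020:10:00:05 +0000] "GET /guidelines/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
# Combined format: client ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].rstrip("/") or "/"  # /protected and /protected/ are the same realm
    return rec

def detect_basic_auth_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    # Alert on (client, path) pairs with >= threshold 401s inside `window`, and record
    # whether a 2xx from the same pair followed the burst (i.e. a password was guessed).
    recent, failures, alerts = defaultdict(deque), defaultdict(int), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            failures[key] += 1
            q = recent[key]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:  # drop 401s that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(key, {"ip": rec["ip"], "path": rec["path"], "succeeded_as": None})
        elif 200 <= rec["status"] < 300 and key in alerts and alerts[key]["succeeded_as"] is None:
            alerts[key]["succeeded_as"] = rec["user"]  # first success after the burst
    for key, alert in alerts.items():
        alert["failures"] = failures[key]
    return list(alerts.values())
```

An alert whose succeeded_as is set is the one to act on first: the account's password should be reset and the client blocked, not just rate-limited.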
Let's login! Looks like it takes us here:
Although there's nothing there, it's always a good idea to check the source code too.
What other port that serves a web service is open on the machine? 1234 (we know this from the nmap scan we did earlier)
Visiting the other http port we found in the nmap scan (1234) gives us the next question.
Going to the service running on that port, what is the name and version of the software? Apache Tomcat/7.0.88
While we're here, let's do some gobuster research on this new area. Looks like we have a few folders.
K, so now that we know some folders, let's pop open nikto and see if we can figure out how to answer that question (note the IP changed here 'cause I got interrupted).
nikto -id bob:bubbles -h http://10.10.90.206:1234/manager/html
This scan took a LONG time to complete, but it did find 5 files.
How many documentation files did Nikto identify? 5
Running Nikto on port 80 gives us the next question
What is the server version (run the scan against port 80)? Apache/2.4.18
What version of Apache-Coyote is this service using? 1.1 (from our first scan on port 1234)
Ok, for the next question we had to use meterpreter, which I'm not strong with. We did a search for all Tomcat vulns by simply typing search tomcat.
The one I used was actually number 17 (I had to try a few to find one that worked). I set the values from all the information we found.
Ran the command 'exploit' to kick it off.
Now, I thought this was a shell; it's not. You have to actually type the word 'shell' to get a shell, but then you get a shell and can type 'whoami'.
What user did you get a shell as? root
From there we move into the root folder and capture the flag.
What text is in the file /root/flag.txt? ff1fc4a81affcc7688cf89ae7dc6e0e1