
Hello Guys!
In this Post I am going to share my ToolsRus CTF experience with you.
Your challenge is to use the tools listed below to enumerate a server, gathering information along
the way that will eventually lead to you taking over the machine.
This CTF Requires the following Tools:
- Dirbuster
- Hydra
- Nmap
- Nikto
- Metasploit
URL: ToolsRus CTF
Difficulty: Easy
Author: TryHackMe
First of all we will Enumerate the Machine.
I started with an Nmap Scan followed by a Gobuster Scan on Port 80 with the famous common.txt Wordlist.


Once I navigated into the /guidelines Directory, I found a potential Username Bob.

The Port 1234 is open. It is running Apache Tomcat/7.0.88.

Here are the Results of Gobuster on Port 1234:

Next thing I did was a Bruteforce attack with rockyou on the /protected Directory, since it requires a Password.

In order to crack the Password I used Hydra with the following Command:
$ hydra -l bob -P {YOUR WORDLIST} -f {MACHINE_IP} http-get /protected/

As we got into the Site, we got a Picture saying “This Protected Page has now moved to a different Port”.

I ran Nikto against Port 1234 afterwards to find our new login page.

I tried to login to the Tomcat Manager on Port 1234 with the same Credentials. It worked.

As a Manager we have the ability to Upload a WAR File. You could create a WAR File with a Linux Payload and upload it.

As it turns out, this Tomcat Server is very outdated and vulnerable. I found a Metasploit Module to exploit the Manager on Port 1234.
The Module is called exploit/multi/http/tomcat_mgr_upload. It spawns a Meterpreter Session.

We get the Shell as the Root User. The next thing I did was getting the Root Flag, which is stored in /root/flag.txt.
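
Seen from the defender's side, the password guessing against /protected/ and the WAR deployment through the Tomcat Manager both leave clear traces in web access logs. The following is an added example, not part of the original write-up: it assumes Common Log Format, the log lines are constructed, and the 401 threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Tomcat Manager endpoints that deploy a WAR (HTML form upload and text API).
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)$')

def analyze(lines, threshold=5):
    """Return (guessed, deploys).

    guessed: (ip, user, path, failures) where a client collected at least
             `threshold` 401s on a path and then received a 200.
    deploys: (ip, user, path) for successful WAR deployments via the Manager.
    """
    failures = defaultdict(int)          # (ip, path) -> 401s since last success
    guessed, deploys = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip lines in another format
        ip, user = m['ip'], m['user']
        path = m['path'].split('?', 1)[0]  # drop the query string
        status = int(m['status'])
        if status == 401:
            failures[(ip, path)] += 1
        elif status == 200:
            if failures[(ip, path)] >= threshold:
                guessed.append((ip, user, path, failures[(ip, path)]))
            failures[(ip, path)] = 0
            if m['method'] in ('POST', 'PUT') and DEPLOY.match(path):
                deploys.append((ip, user, path))
    return guessed, deploys

# Constructed sample: six failed guesses, a success, a WAR upload, normal traffic.
SAMPLE = [
    f'198.51.100.7 - bob [01/Jan/2024:10:00:0{i} +0000] "GET /protected/ HTTP/1.1" 401 381'
    for i in range(6)
] + [
    '198.51.100.7 - bob [01/Jan/2024:10:00:07 +0000] "GET /protected/ HTTP/1.1" 200 512',
    '198.51.100.7 - bob [01/Jan/2024:10:05:00 +0000] "POST /manager/html/upload?nonce=X HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    guessed, deploys = analyze(SAMPLE)
    print("password guessed:", guessed)
    print("WAR deployments:", deploys)
```

On a real host the two services log to separate files, so the same function would be run over each log. A hit in both lists for the same account also points at the password reuse between the protected page and the Manager.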
