By: Nicholas Werner
Starting off by running GoBuster, which turns up a /guidelines directory.
Browsing to this directory gives us the name of a possible user (bob) and what looks like a hint.
The /protected directory is behind HTTP basic authentication.
We use hydra against that basic-auth prompt with bob as the username and find that his password is bubbles.
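The two steps above (directory brute force, then a password attack on the basic-auth prompt) are what GoBuster and hydra do under the hood. The following is an added example, not the author's tooling or output: it spins up a small in-process web server that mimics the box (an open /guidelines, a /protected path that demands basic auth for bob:bubbles, 404 for everything else) and then runs a GoBuster-style directory sweep and a hydra-style basic-auth brute force against it. The paths, the wordlists and the server itself are constructed for the demo.

```python
"""Added example (not from the original walkthrough): directory enumeration
and HTTP basic-auth brute force against a constructed in-process target."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed target layout, modelled on the box described in the post.
VALID_CREDS = ("bob", "bubbles")
OPEN_PATHS = {"/guidelines"}
PROTECTED_PATHS = {"/protected"}


class TargetHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        path = self.path.rstrip("/") or "/"
        if path in OPEN_PATHS:
            self._reply(200, b"hint: the next step has moved to another port")
        elif path in PROTECTED_PATHS:
            token = base64.b64encode(":".join(VALID_CREDS).encode()).decode()
            if self.headers.get("Authorization") == "Basic " + token:
                self._reply(200, b"welcome bob")
            else:
                # Real basic auth: 401 plus a WWW-Authenticate challenge.
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="protected"')
                self.end_headers()
        else:
            self._reply(404, b"not found")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_target():
    """Bind the fake target to a free localhost port and serve in a thread."""
    server = HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def status_of(url, auth=None):
    """GET a URL, optionally with basic-auth credentials, and return the status."""
    req = Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:  # urllib raises for 4xx/5xx; the code is what we want
        return err.code


def enumerate_dirs(base, wordlist):
    """GoBuster-style sweep: every word that does not come back 404 is interesting.
    A 401 is a finding too, since it tells us a protected area exists."""
    found = {}
    for word in wordlist:
        code = status_of(f"{base}/{word}")
        if code != 404:
            found["/" + word] = code
    return found


def brute_basic_auth(url, user, passwords):
    """Hydra-style attack on basic auth: the first password that stops
    producing a 401 is the valid one. Returns None if the list is exhausted."""
    for pw in passwords:
        if status_of(url, (user, pw)) != 401:
            return pw
    return None


if __name__ == "__main__":
    server, base = start_target()
    print(enumerate_dirs(base, ["admin", "guidelines", "protected", "backup"]))
    print(brute_basic_auth(f"{base}/protected", "bob", ["123456", "password", "bubbles"]))
    server.shutdown()
```

The status-code logic is the point to note: a directory brute forcer keeps anything that is not a 404 (so the 401 on /protected is itself a finding), and a basic-auth brute forcer only needs to watch for the 401 disappearing; it never has to understand the page behind the login.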
Now we log in, but the page tells us that the content has moved to a different port.
Looking back at our nmap scan, port 1234 is also a web server, and it is running Apache Tomcat version 7.0.88.
Running a nikto scan against /manager/html on port 1234 shows that 5 documentation files are present.
Running nikto again on port 80 shows that Apache httpd is running version 2.4.18.
From our previous scans we also know that the Tomcat connector identifies itself as Apache Coyote 1.1.
Note that 1.1 is the Coyote connector version, not the Tomcat version; what we want to google for an exploit is Apache Tomcat 7.0.88.
We choose the Rapid7 entry because that is the easiest route if you are using Metasploit.
After some troubleshooting I found that a different Metasploit module works better than the one shown above, so I used it instead.
We got a meterpreter shell!
With getuid we can see that we are already root, so Tomcat was running as root and no privilege escalation is needed.
Now we navigate the filesystem and find the flag!