HollyWood PwntillDawn
IP Address = 10.150.150.219
Difficulty = Easy
Nmap Scan:
From the scan we can see it’s a Windows machine with a lot of open ports, so let’s get enumerating.
I’ll start with port 21, which is FTP, but it doesn’t allow anonymous authentication.
So let’s move on. Checking SMB shows we can’t list shares anonymously either.
But what caught my attention was the web servers running on various ports.
I started checking each web server, beginning with port 2224, but found nothing interesting.
I noticed that for some of the web servers nmap had fingerprinted the service name.
I started with the Apache Tomcat instance hosted on port 8080.
I also tried brute-forcing the manager login using a Metasploit module, but I wasn’t successful. I also tried the Ghostcat exploit, which reads the WEB-INF config file of the Apache Tomcat instance, but it didn’t leak any credentials.
So I moved on to another web server.
On checking the web server on port 8161, nmap had fingerprinted the service name as Jetty 8.1.16.v20140903. On navigating to the web server we get a default page.
But looking at the HTTP title and the default page, it shows ActiveMQ.
I searched for it in Metasploit and it seems there are possible exploits for it.
And I’ll try exploit 1.
Running it, we get a shell.
And our current user has admin rights, so we can do things like hash dumping and other cool stuff.
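The enumeration above (FTP without anonymous access, SMB without anonymous share listing, a spread of HTTP services, a Tomcat instance and a Jetty server fronting ActiveMQ) was done by hand, port by port. As an added example that is not part of this write-up or the author's tooling, the script below parses nmap grepable (-oG) output and turns that same walk into a triage list a defender or assessor can review before touching anything. The scan text is constructed (only the host IP and the port numbers named in the write-up come from the page; the versions and the SMB ports are illustrative), and the advice strings reflect the hardening checks that follow from each exposure rather than any exploit.

```python
"""Triage nmap -oG output for the exposures enumerated in the write-up.
Example code added to the write-up, not the author's tooling."""
import re
from dataclasses import dataclass

# Constructed sample in nmap grepable format; the real scan output is not on the page.
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated as: nmap -sV -oG scan.gnmap 10.150.150.219\n"
    "Host: 10.150.150.219 ()\tStatus: Up\n"
    "Host: 10.150.150.219 ()\tPorts: "
    "21/open/tcp//ftp//Microsoft ftpd/, "
    "139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, "
    "445/open/tcp//microsoft-ds//Microsoft Windows Server 2012 R2 microsoft-ds/, "
    "2224/open/tcp//http//Apache httpd/, "
    "8080/open/tcp//http//Apache Tomcat/, "
    "8161/open/tcp//http//Jetty 8.1.16.v20140903/"
    "\tIgnored State: closed (994)\n"
    "# Nmap done\n"
)

PORTS_RE = re.compile(r"Ports: ([^\t]+)")


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


@dataclass(frozen=True)
class Finding:
    port: int          # 0 means "host-wide" rather than a single port
    code: str
    advice: str


def parse_gnmap(text: str) -> list[PortRecord]:
    """Extract port records from the 'Ports:' field of each Host line.

    Each entry has the form port/state/proto/owner/service/rpc/version/.
    """
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        match = PORTS_RE.search(line)
        if not match:
            continue
        for entry in match.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            records.append(PortRecord(int(fields[0]), fields[2], fields[1],
                                      fields[4], fields[6]))
    return records


def triage(records: list[PortRecord]) -> list[Finding]:
    """Map open services to the hardening checks a reviewer should run."""
    findings = []
    open_ports = [r for r in records if r.state == "open"]
    for r in open_ports:
        version = r.version.lower()
        if r.service == "ftp":
            findings.append(Finding(r.port, "FTP",
                "Confirm anonymous login is disabled and restrict who can reach it."))
        elif r.service in ("netbios-ssn", "microsoft-ds"):
            findings.append(Finding(r.port, "SMB",
                "Confirm null sessions and anonymous share listing are disabled."))
        elif "tomcat" in version:
            findings.append(Finding(r.port, "TOMCAT",
                "Lock down the manager app (strong unique credentials, IP allow-list) "
                "and make sure the AJP connector is not exposed (Ghostcat)."))
        elif "jetty" in version:
            findings.append(Finding(r.port, "JETTY",
                "Jetty on 8161 is commonly the ActiveMQ web console; check the HTTP "
                "title, change default console credentials and restrict access."))
    http_count = sum(1 for r in open_ports if r.service.startswith("http"))
    if http_count >= 3:
        findings.append(Finding(0, "HTTP_SPRAWL",
            f"{http_count} HTTP services exposed; inventory each one and its owner."))
    return findings


if __name__ == "__main__":
    for f in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{f.port or '-':>5}  {f.code:<12} {f.advice}")
```

Run it against real output from `nmap -sV -oG <file>` by replacing the constructed sample; the parser ignores the comment lines and the `Status:` line, and only the `Ports:` field is read. The Jetty rule is deliberately a "go and check" finding rather than a confirmed ActiveMQ identification, because, as in the write-up, the version string alone only suggests it and the HTTP title is what confirms it.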
Flags:
Flag9: b017cd11a8def6b4bae78b0a96a698deda09f033
Flag30: eb1b768800000e1d2fe1c3100005d2dc8dd10000
Flag33: 1480d39af2cd8b0f0bb8c45d331caf7330faa910
Write-ups have been authorized for this machine by the PwnTillDawn Crew! Here’s the link to access it: Wizlynx and PwntillDawn
And we’re done.