The first IP is my machine; the rest are other active hosts in the network. Let's do an nmap scan on each of them.
The first one has an SSH port and two ports serving web pages.
The second one has just one port open, hosting a website.
The third one only has an SSH port open.
The fourth one has file-sharing ports and an SQL server open.
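Summarising four hosts by hand is fine, but the same triage scales better when it is parsed out of nmap's greppable output. The block below is an added example, not part of the original write-up: it reads `-oG` output (a constructed sample; every address except 172.16.64.199, which the write-up names as the SQL host, is assumed) and tags each host as ssh, web, file-sharing or mssql, which is exactly the split made above.

```python
import ipaddress
import re

# Constructed sample of nmap greppable output (-oG). Addresses other than
# 172.16.64.199 are assumed; the port layout mirrors the four hosts described.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 172.16.64.0/24
Host: 172.16.64.101 ()\tStatus: Up
Host: 172.16.64.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 8080/open/tcp//http//Apache Tomcat/\tIgnored State: closed (997)
Host: 172.16.64.102 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.29/\tIgnored State: closed (999)
Host: 172.16.64.103 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 172.16.64.199 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/\tIgnored State: closed (996)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 256 IP addresses (4 hosts up) scanned in 300.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

# nmap service-name prefixes mapped to the coarse categories used in the notes.
CATEGORIES = {
    "ssh": "ssh",
    "http": "web",
    "netbios-ssn": "file-sharing",
    "microsoft-ds": "file-sharing",
    "ms-sql": "mssql",
}


def parse_gnmap(text):
    """Return {ip: [{port, proto, service, version}, ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines carry no host data
        fields = line.split("\t")  # -oG separates Host/Status/Ports fields with tabs
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip = m.group(1)
        hosts.setdefault(ip, [])  # keep "Status: Up" hosts even with no open ports
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Each entry is port/state/proto/owner/service/rpc/version/
                parts = entry.split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue  # drop filtered and closed ports
                hosts[ip].append({
                    "port": int(parts[0]),
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    for ports in hosts.values():
        ports.sort(key=lambda p: (p["proto"], p["port"]))
    return hosts


def classify(ports):
    """Map a host's open ports to the categories a tester triages on."""
    tags = set()
    for p in ports:
        for prefix, tag in CATEGORIES.items():
            if p["service"].startswith(prefix):
                tags.add(tag)
    return tags


def summarise(text):
    """One tuple per host, ordered numerically by address: (ip, ports, tags)."""
    hosts = parse_gnmap(text)
    return [
        (ip, [p["port"] for p in hosts[ip]], sorted(classify(hosts[ip])))
        for ip in sorted(hosts, key=ipaddress.ip_address)
    ]


if __name__ == "__main__":
    for ip, ports, tags in summarise(SAMPLE_GNMAP):
        print(f"{ip:16} {','.join(map(str, ports)):24} {' '.join(tags)}")
```

Only `open` ports are kept, so the filtered 445 on the third host does not turn it into a file-sharing candidate; the Tomcat version string on 8080 survives in the parsed record, which is the clue that points at the /manager panel used next.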
Let's start with the first one. Upon visiting the web page, we see a default Apache page.
When we go to the Tomcat manager panel under /manager, we are asked for credentials. I tried the default creds
tomcat:s3cret and was able to log in.
I created and uploaded the payload.
I got a session and found the flag on the desktop of the user adminels.
Now, moving on to the second machine, we are greeted with a 404 page.
I did some directory brute-forcing with DirBuster and found a project directory.
It asked for credentials when I tried to access it, but it also gave a hint: "admin". So I tried admin as both the
username and the password, and I got in.
Now that we have credentials, we can use dirb to brute-force with them.
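To show what brute-forcing with credentials actually buys you, here is an added example that is not the author's tooling and does not use the lab's files: a minimal dirb-style enumerator run against a constructed stand-in for the target, a /project/ directory behind HTTP Basic auth with the admin/admin credentials the hint pointed to. The wordlist, file names and file contents are assumed.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the target: a "project" directory behind HTTP Basic
# auth. Credentials follow the write-up's hint; file names/contents are assumed.
PROTECTED_PREFIX = "/project/"
LAB_CREDS = ("admin", "admin")
LAB_FILES = {
    "/project/": b"<html>project index (constructed)</html>",
    "/project/notes.txt": b"constructed sample file\n",
}

# Assumed mini wordlist; a real run would use dirb's common.txt or similar.
WORDLIST = ["admin", "backup", "images", "project/", "project/notes.txt", "project/config.php"]


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class _LabHandler(BaseHTTPRequestHandler):
    """Mimics Apache protecting a directory with .htaccess: every path under
    the prefix answers 401 until valid credentials arrive, existing or not."""

    def log_message(self, *args):
        pass  # silence per-request logging

    def do_GET(self):
        if self.path.startswith(PROTECTED_PREFIX):
            if self.headers.get("Authorization") != basic_auth_header(*LAB_CREDS):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="admin"')
                self.end_headers()
                return
        body = LAB_FILES.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_lab_server():
    """Start the stand-in target on an ephemeral loopback port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _LabHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def enumerate_paths(base_url, wordlist, auth=None, timeout=5):
    """Request every wordlist entry and return {path: status} for each
    non-404 answer. With auth=(user, password) the Basic header is sent
    up front on every request, as dirb does when given credentials."""
    headers = {"User-Agent": "dir-enum-example"}
    if auth:
        headers["Authorization"] = basic_auth_header(*auth)
    found = {}
    for word in wordlist:
        path = "/" + word.lstrip("/")
        req = urllib.request.Request(base_url + path, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # 401/403 are findings too, only 404 is noise
        if status != 404:
            found[path] = status
    return found


if __name__ == "__main__":
    server, base = start_lab_server()
    try:
        print("unauthenticated:", enumerate_paths(base, WORDLIST))
        print("as admin:admin: ", enumerate_paths(base, WORDLIST, auth=LAB_CREDS))
    finally:
        server.shutdown()
        server.server_close()
```

Without credentials every path under /project/ answers 401 whether it exists or not, so the unauthenticated run cannot tell real files from guesses; with the credentials sent on each request the 200/404 split exposes the actual files, which is the step that turned up the flag location and the SQL credentials. Against a real target, swap in the full wordlist and the base URL.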
One of the files had the location of the flag and also some SQL credentials.
When we ran nmap at the start, our last machine, 172.16.64.199, had a port running an SQL server. I checked
and found it was MS-SQL, so I searched msfconsole for an MSSQL exploit.
I got a payload and set all the relevant options, including the credentials we found on the previous machine.
There was also a file that looked like an SSH public key, so I downloaded it to my machine.
This could be what we need to log in to the final machine. Since we don't have a username, I tried viewing the key
file.
I found that it is not a key file after all, but it does contain SSH credentials, so I tried logging in with them.