
Black Box 1

First, I scanned the network and got live hosts.

The first IP is my machine, the rest are other active hosts in the network. Let's do an nmap scan on each of them.

The first one has an ssh port, and two ports running web pages.

The second one has just one port open hosting a website.

The third one only has an ssh port open.

The 4th one has file sharing ports and an sql server open.

Let's start with the first one. Upon visiting the webpage, we see a default apache page.

When we go to the admin panel of apache under /manager, we are asked for credentials. I tried the default creds tomcat:s3cret and I was able to log in.

Now we can see that there is a portal to upload a war file.

I searched on google and got an msf code to generate a war payload.

I created and uploaded the payload.

Then, I started a netcat listener and ran the file.

I got a session, and found the flag in the desktop of user adminels.
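
A defender-side check for the weakness used on this first machine (a Manager account left at tomcat:s3cret). This is an added example, not part of the original write-up: it audits a `tomcat-users.xml` for Manager-role accounts whose password is well known or equal to the username. The sample file, the weak-password list and the severity labels are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: a short weak-password list. "s3cret" is the value from the
# write-up; the others are constructed examples of common defaults.
WEAK_PASSWORDS = {"s3cret", "tomcat", "admin", "password", "changeme", ""}
# Tomcat's built-in Manager roles; the first two allow deploying WAR files.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MANAGER_ROLES = DEPLOY_ROLES | {"manager-jmx", "manager-status"}

# Constructed sample tomcat-users.xml (not taken from the target machine).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Xk7!qv2#Lm9$" roles="manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
  <user username="app" password="admin" roles="appuser"/>
</tomcat-users>
"""

def _local(tag):
    """Strip an XML namespace prefix such as {http://...}user."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, manager_roles, severity) for weak Manager accounts."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        manager = roles & MANAGER_ROLES
        if not manager:
            continue  # account cannot reach the Manager application
        weak = password.lower() in WEAK_PASSWORDS or password.lower() == name.lower()
        if weak:
            # Deploy-capable roles lead straight to code execution via WAR upload.
            severity = "critical" if roles & DEPLOY_ROLES else "medium"
            findings.append((name, sorted(manager), severity))
    return findings

if __name__ == "__main__":
    for user, roles, severity in audit_tomcat_users(SAMPLE):
        print(f"[{severity}] {user}: weak password with roles {', '.join(roles)}")
```
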

Now moving on to the second machine, we are greeted with a 404 page.

I did some directory bruteforcing using dirbuster and found a project directory.

It asked for credentials when trying to access it, but it also gave us a hint “admin”. So I tried username and password as admin and I got in.

Now, since we have credentials we can use dirb to brute force with credentials.

Eventually, I found an interesting directory under project/backup/test

One of the files had the location of the flag and also some sql credentials.

We got the flag.

When we did nmap at the start, our last machine on 172.16.64.199 had a port running an sql server. So, I checked and found it was ms-sql. I searched for an exploit using msfconsole for mssql.

Got a payload. I set all the relevant options, including the credentials we found on the previous machine.

I ran the exploit command.

Sure enough, I got a meterpreter session.

I explored a bit and found the flag in user adminELS's desktop.

There was also a file which looked like an ssh public key, so I downloaded it onto my machine.

This could be what we need to login to the final machine. Since we don't have a username, I tried viewing the key file.

I found that this is not a key file after all, but it has ssh credentials. So I tried logging in with them.

I found the flag too.
