TryHackMe | ToolsRus Walkthrough

Enes Cayvarlı
7 min read · Dec 1, 2022


Hi there, I’m glad to see you here. In this article, we’ll solve the “ToolsRus” room on TryHackMe together. In some sections, I’ll share a brief overview of the subject. Don’t forget: you must always research further to learn more. I hope it will be helpful for you. Let’s start!

ToolsRus

Your challenge is to use the tools listed below to enumerate a server, gathering information along the way that will eventually lead to you taking over the machine.

This task requires you to use the following tools:

- Dirbuster
- Hydra
- Nmap
- Nikto
- Metasploit

Deploy the machine

Step 1: You need an OpenVPN configuration file to connect to the TryHackMe machines over VPN.

https://tryhackme.com/access?o=vpn

Configuration File

Step 2: Use the openvpn command with your configuration file to start the VPN connection.

sudo openvpn <your-config>.ovpn

Step 3: Can you see the IP address of the machine?

Active Machine Information

Step 4: You can check your connection by pinging the machine.

ping <machine-IP>
OpenVPN Access Details

Q1: What directory can you find, that begins with a “g”?

A1: guidelines

We can use tools like dirb, dirbuster, gobuster to find hidden directories in a website.

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.

DirBuster

There is a directory called guidelines that starts with the letter “g”. Look at the response code: the HTTP 200 OK success status indicates that the request succeeded, so the directory really exists.

DirBuster Result

Q2: Whose name can you find from this directory?

A2: bob

Bob I hope you didn’t update..

/guidelines

The page source can give us important information. It is the original text and HTML tags typed by the author, which the browser interprets to produce the web page you actually SEE. That’s why you should never forget to look there.

Page Source

Q3: What directory has basic authentication?

A3: protected

The HyperText Transfer Protocol (HTTP) 401 Unauthorized response status code indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource.

When we access the protected directory, it asks us for a username and a password. I guess we need Hydra.

Q4: What is bob’s password to the protected part of the website?

A4: *******

By looking at the request, we can see that the website uses the GET method to log in: with HTTP Basic authentication the credentials travel in the Authorization header of that GET request.

A GET request, in simple terms, is a way to retrieve data from a resource over HTTP.

Inspect / Network

When we try to log in with any username and password, we can see the HTTP 401 response code.

Headers


Hydra is a parallelized login cracker which supports numerous protocols to attack.

hydra -l bob -P <wordlist> -f 10.10.153.1 http-get /protected/

-l: login with LOGIN name

-P: load several passwords from FILE

-f: exit when a login/pass pair is found

[machine IP]: the IP address of the target machine

Hydra
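The two enumeration steps above (DirBuster’s stream of 404s while it guesses directory names, and Hydra’s stream of 401s while it guesses Bob’s password) are easy to spot from the server side. The following is an added example, not part of the original walkthrough: a small Python detector that parses Apache combined-format access log lines and alerts when one client produces a burst of 404s or 401s inside a sliding window, and again when that client gets a 200 after a 401 burst (the moment the guessed password worked). The log lines, client addresses and thresholds are constructed for the example.

```python
"""Spot directory and Basic-auth brute forcing in an Apache access log.

Added example, not from the original walkthrough. It parses combined-format
access log lines and alerts when a single client produces a burst of 404s
(directory brute forcing, the DirBuster pattern) or a burst of 401s
(password guessing against Basic auth, the Hydra pattern).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format; the referer/user-agent pair is optional so the
# shorter "common" format also parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Status code counted per client, and the label of the resulting alert.
RULES = {
    404: "directory brute force",
    401: "basic-auth brute force",
}

# Constructed sample log (invented clients and paths, combined format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2022:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 279 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2022:10:00:02 +0000] "GET /backup/ HTTP/1.1" 404 279 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2022:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 279 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2022:10:00:03 +0000] "GET /guidelines/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2022:10:00:03 +0000] "GET /old/ HTTP/1.1" 404 279 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2022:10:00:04 +0000] "GET /tmp/ HTTP/1.1" 404 279 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2022:10:00:04 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Dec/2022:10:05:00 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "curl/7.81.0"
10.0.0.7 - - [01/Dec/2022:10:05:00 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "curl/7.81.0"
10.0.0.7 - - [01/Dec/2022:10:05:01 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "curl/7.81.0"
10.0.0.7 - - [01/Dec/2022:10:05:01 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "curl/7.81.0"
10.0.0.7 - - [01/Dec/2022:10:05:02 +0000] "GET /protected/ HTTP/1.1" 401 459 "-" "curl/7.81.0"
10.0.0.7 - bob [01/Dec/2022:10:05:03 +0000] "GET /protected/ HTTP/1.1" 200 612 "-" "curl/7.81.0"
this line is not a log entry and is skipped
10.0.0.5 - - [01/Dec/2022:10:30:00 +0000] "GET /missing.png HTTP/1.1" 404 279 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) or None when the line is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect(log_text, window_seconds=60, threshold=5):
    """Return alerts as (ip, label, count).

    A client is flagged once per rule when it reaches `threshold` responses of
    that status inside a sliding window of `window_seconds`, and once more if
    it later receives a 200 after being flagged for 401s.
    """
    hits = defaultdict(deque)   # (ip, status) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status == 200:
            # A success right after a 401 burst is the guess that worked.
            if (ip, 401) in alerted and (ip, "success") not in alerted:
                alerted.add((ip, "success"))
                alerts.append((ip, "success after basic-auth brute force", len(hits[(ip, 401)])))
            continue
        if status not in RULES:
            continue
        key = (ip, status)
        q = hits[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()   # drop events that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ip, RULES[status], len(q)))
    return alerts


if __name__ == "__main__":
    for ip, label, count in detect(SAMPLE_LOG):
        print(f"{ip}: {label} ({count} responses in window)")
```

The detector keys on status-code bursts rather than on User-Agent strings, because both tools let the operator set any User-Agent; a single 404 from a normal visitor (the missing image at the end of the sample) never trips it. On a real server the same logic is what fail2ban-style tooling applies to the access log, and the 401 threshold is also the place to enforce a lockout or delay on the /protected/ realm.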

BINGO! Let’s try logging in using Bob’s credentials.

Now it’s time to look at the other ports.

Q5: What other port that serves a web service is open on the machine?

A5: 1234

We need to run an Nmap scan to find out which ports are open and which services are running on them.

Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

nmap -A -T4 -p- 10.10.153.1

-A : Enable OS detection, version detection, script scanning and traceroute.

-T4 : Set timing template (higher is faster).

-p- : You can specify “-p-” to scan ports from 1 through 65535.

Nmap Scan Result

Q6: Going to the service running on that port, what is the name and version of the software? Answer format: Full_name_of_service/Version

A6: Apache Tomcat/7.0.88

Nmap Scan Result

Apache Tomcat (called “Tomcat” for short) is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a “pure Java” HTTP web server environment in which Java code can also run. Thus it’s a Java web application server, although not a full JEE application server.

Apache Tomcat

The Tomcat Manager App is a web application that is packaged with the Tomcat server and provides us with the basic functionality we need to manage our deployed web applications.

The Tomcat Manager App

The Tomcat Manager is a web application that can be used interactively (via HTML GUI) or programmatically (via URL-based API) to deploy and manage web applications.

Tomcat Web Application Manager
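The rest of the room turns on this Manager App being reachable and protected only by Bob’s guessable password. Its login is backed by the tomcat-users.xml file, so that file is the first thing to audit when hardening a Tomcat host. Below is an added example, not part of the original walkthrough or the Tomcat project: a Python script that parses a tomcat-users.xml, reports manager accounts with weak passwords, and reports accounts that hold manager-gui together with manager-script or manager-jmx (the Tomcat manager how-to advises keeping those roles on separate users because of CSRF exposure). Both configuration files, the usernames and the password list are constructed for the example; the script assumes plaintext passwords in the file, not digested ones.

```python
"""Audit a tomcat-users.xml for risky Tomcat Manager App accounts.

Added example, not from the original walkthrough or the Tomcat project. It
reads the users file behind the Manager App login and reports accounts that
hold a manager role with a weak password, or that combine manager-gui with
manager-script/manager-jmx.
"""
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
# Constructed list of passwords that must never guard a manager account.
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "s3cret", "manager", "changeme"}
MIN_PASSWORD_LEN = 12   # assumed local policy for this example

WEAK_PASSWORD = "weak password on manager account"
ROLE_MIX = "manager-gui combined with manager-script/manager-jmx"

# Constructed weak configuration in the Tomcat 7 file layout (invented accounts).
WEAK_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="bob" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="reader" password="guest" roles="tomcat"/>
</tomcat-users>
"""

# Constructed hardened configuration (namespaced layout of newer Tomcat
# releases): one account per role, each with its own strong password.
HARDENED_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="ops-ui" password="V7q!mR2#zL9pWx4s" roles="manager-gui"/>
  <user username="ci-deploy" password="c8K$tN5-hJ1yQa6e" roles="manager-script"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so <user> is matched with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text, weak_passwords=WEAK_PASSWORDS):
    """Return a list of (username, finding) for accounts holding manager roles."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue   # plain application users are out of scope here
        if (password.lower() in weak_passwords
                or password.lower() == name.lower()
                or len(password) < MIN_PASSWORD_LEN):
            findings.append((name, WEAK_PASSWORD))
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append((name, ROLE_MIX))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(f"{label}: {audit_users(xml_text) or 'no findings'}")
```

Run it against the real file at $CATALINA_BASE/conf/tomcat-users.xml on a host you administer. The complementary control, which this script does not check, is restricting who can reach the Manager App at all: Tomcat’s RemoteAddrValve in the manager application’s META-INF/context.xml limits it to trusted source addresses, so a guessed password alone is not enough from an arbitrary client.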

Q7: Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above. How many documentation files did Nikto identify?

A7: 5

Nikto is a pluggable web server and CGI scanner written in Perl, using rfp’s LibWhisker to perform fast security or informational checks.

nikto -host http://10.10.153.1:1234/manager/html -id bob:<password>

-host: Target host/URL

-id: Host authentication to use, format is id:pass or id:pass:realm

Nikto

Q8: What is the server version (run the scan against port 80)?

A8: Apache/2.4.18

Let’s look at the nmap result again.

Nmap Scan Result

Q9: What version of Apache-Coyote is this service using?

A9: 1.1

Nmap Scan Result

Q10: Use Metasploit to exploit the service and get a shell on the system. What user did you get a shell as?

A10: root

Now it’s time for a Google search! When I researched how to exploit the Tomcat service, I found the link below:

https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_upload

Msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF.

msfconsole -q

-q: Do not print the banner on startup

We can see which parameters the module expects by using the options command.

Let’s set the parameters with the set command.

If you’re ready, it’s time to get into the system!

You can review the meterpreter commands from the link below:

https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics

Q11: What text is in the file /root/flag.txt?

A11: ********************************

flag.txt

Congratulations! You found the flag.
