CPTS #09: Attacking Common Applications

Hint:

  • Use Metasploit for quick exploitation.
  • Exploit-DB is a good place to find a script.

Skills Assessment I

Perform an Nmap scan on the target and discover that it is running Tomcat version 9.0.0.M1. After researching online, I found that this version has a vulnerability related to CGI exploitation and that there is a Metasploit module available to exploit it.

The next step is to find the location of the CGI executable script file.

To save time, I will use Metasploit to exploit it by simply providing the required information such as URI, RHOST, RPORT, etc. At this point, the exploitation will be successful. It is also possible to exploit it manually by uploading VBS payloads to the target machine and executing them using cscript.exe.

Skills Assessment II

Perform an Nmap scan and discover several notable ports, including the GitLab port 8081 and some web ports as stated in the task. Next, configure the vhost and access GitLab.

First, enumerate port 80 and find another vhost—answer question 1. Then configure the vhost and enumerate the WordPress site using wpscan. For now, leave these results aside and proceed to access GitLab.

Configure the vhost and access GitLab. Register a new user to see if there is anything interesting inside.

Explore around to check if there are any publicly accessible projects. We found two public projects, named Virtual Host and Nagios, which suggests that this site is preparing to deploy a monitoring solution.

Proceed to gather information to answer the remaining questions. By further enumerating these two projects, we discovered a new vhost.

By searching for more information, we found an admin password for Nagios login.

Proceed to map the vhost and use these credentials to log in to Nagios. After logging in, we found the version of the running Nagios instance.

After researching, we found that this version is affected by a CVE leading to RCE. However, the CVE requires admin privileges to exploit. Luckily, we already have admin credentials from the beginning. To proceed quickly, we will use the exploit from Exploit-DB to perform the attack.

Boom! We have obtained a shell as the www-data user. However, since the task only requires retrieving the flag in the current directory, there is no need to perform privilege escalation.

Skills Assessment III

Hack The Box is known for its vague questions, and sometimes the labs are labelled easy but take a lot of time to exploit. However, I couldn’t believe they would create a lab where you could find the flag in just a few steps. I was suspicious because the cube for this question was 0 instead of 1, unlike the previous labs. Just decompile the source code and look around—you’ll find the answer.