search

Jerry

OS: Windows, Difficulty: Easy, IP: 10.10.10.95

hashtag
Initial Enumeration

sudo nmap -T5 -p- -oN T-all 10.10.10.95
 Nmap 7.70 scan initiated Sat Jul  6 13:24:49 2019 as: nmap -sV -sC -p 8080 -oN O-Detailed 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.26s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul  6 13:25:05 2019 -- 1 IP address (1 host up) scanned in 15.85 seconds

Port 8080 was the default installation of the Apache Tomcat server. The server was last updated in May 2018, hence had no exploits in Searchsploit.

gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u http://10.10.10.95:8080
/docs (Status: 302)
/examples (Status: 302)
/manager (Status: 302)

The manager one seemed interesting, and when I hit the URL it asked for credentials, I tried default tomcat credentials tomcat:s3cret and they worked.

hashtag
User Own & Root Own

An option to deploy my own WAR file was available so I built up a reverse shell using msfvenom for the server.

The shell was uploaded and once this URL is hit I got a reverse shell as NT Authority/System

hashtag
Learning Outcome

Whenever you get a shell, check who you are before running around for enumerating the server. In this case it took me quite a while to understand that I was running as root since beginning of time.

PreviousBlueNextLegacy

Last updated