HTB (Jerry) Write-Up, No Metasploit
Quick write-up on Jerry from HTB.
The port scan returns Tomcat on 8080.
Go to 10.10.10.95:8080 and check it out; Server Status asks for a password. admin:admin works. Nothing too crazy there, so try going to the Manager App link.
admin:admin doesn't work. The 404 page says the default is tomcat:s3cret. Clear your cache and that works. It could also be brute-forced with Hydra: SecLists from GitHub has a wordlist specific to Tomcat.
If you scroll down you see you can upload WAR files. I think Kali comes with one by default you could try, in /usr/share/webshells/, but I just googled for JSP shells and found this https://gist.github.com/nikallass/5ceef8c8c02d58ca2c69a29a92d2f461, clicked on Raw,
and was able to download it. The server only allows WAR files, so run this in bash:
Upload the file, then go to server:8080/cmd/cmd.jsp
and you should see this:
whoami shows you have code execution as SYSTEM, nice. This machine is 64-bit according to the page that allows WAR file uploads,
so you have to run 64-bit PowerShell. Googling the 64-bit PowerShell path shows this 64-bit version: C:\Windows\System32\WindowsPowerShell\v1.0\. Get Nishang if you don't already have it: git clone https://github.com/samratashok/nishang. Use the following shell found in the Nishang Shells dir, Invoke-PowerShellTcp.ps1, and edit the script to run the following function along with the port you're going to be listening on with netcat.
Serve the script up with a Python HTTP server (I renamed the PS script to shell).
Set up a netcat listener on the port you specified in the PowerShell script.
Run the following command on the Java page:
It runs 64-bit PowerShell with a one-line command that reads the PowerShell script, imports the module, and runs the function specified.
After the command runs you should also see a GET request on your Python web server, and last, a shell on your netcat listener.
And that's it!
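From the defender's side, the two things that made the Tomcat half of this box work were a manager account still on a known default password and an unrestricted Manager App deploy. The script below is an added example, not part of the original write-up: it flags default credentials in a tomcat-users.xml and pulls Manager deploy requests out of a Tomcat access log. The XML and log lines are constructed samples, and the log pattern is assumed to be Tomcat's default "common" format.

```python
import re
import xml.etree.ElementTree as ET

# Credential pairs the write-up tried: Tomcat's shipped example account and admin:admin.
DEFAULT_CREDS = {("tomcat", "s3cret"), ("admin", "admin")}

# Constructed sample tomcat-users.xml (not the target's file); namespace is stripped below.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Zq8-long-random-secret" roles="manager-script"/>
</tomcat-users>"""

# Constructed access log lines in Tomcat's default "common" pattern (assumed format).
SAMPLE_ACCESS_LOG = """10.10.14.5 - tomcat [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 200 14500
10.10.14.5 - tomcat [01/Jan/2024:10:00:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 302 0
10.10.14.5 - - [01/Jan/2024:10:00:15 +0000] "GET /cmd/cmd.jsp?cmd=whoami HTTP/1.1" 200 88
192.168.1.20 - - [01/Jan/2024:10:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 5000"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Manager endpoints that deploy a new web application (HTML form upload and text/script API).
DEPLOY_RE = re.compile(r"^/manager/(html/upload|text/deploy)(\?|$)")


def find_default_creds(xml_text):
    """Return usernames in tomcat-users.xml that still use a known default password."""
    root = ET.fromstring(xml_text)
    users = (el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "user")
    return [u.get("username") for u in users
            if (u.get("username"), u.get("password")) in DEFAULT_CREDS]


def find_manager_deploys(log_text):
    """Return (ip, user, method, path, status) for every request that deployed via the Manager."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and DEPLOY_RE.match(m["path"]):
            hits.append((m["ip"], m["user"], m["method"],
                         m["path"].split("?", 1)[0], int(m["status"])))
    return hits


if __name__ == "__main__":
    print("default credentials still set for:", find_default_creds(SAMPLE_TOMCAT_USERS))
    for hit in find_manager_deploys(SAMPLE_ACCESS_LOG):
        print("manager deploy:", hit)
```

Any authenticated deploy from an address that is not your deployment pipeline is worth an alert on its own; a new context like /cmd appearing right after it is the same story this box tells.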