Jerry HTB Write-Up

JoshLHacking

As always, first we start with an Nmap scan:


Just one port is open, 8080.

We can visit this hosted site in a web browser by entering the URL 'http://10.10.10.95:8080/'.


This brings us to an Apache Tomcat page.

It shows us the version that is running, so we can look up known issues for that version using Google or a Searchsploit search.


Before doing this, let's see if we can access the manager page with no authentication.

Oh no... we are presented with a pop-up asking us to authenticate before we can access the Manager App.

Let's try some default credentials to see if we can log in (search Google for 'Tomcat default credentials').

After trying the default username 'tomcat' with the password 's3cret', we gain access to the Manager App.

Above you can see that if we scroll down we are given an option to deploy a directory or WAR file.

Let's search Google and see if there is a vulnerability for this feature.

BINGO! The link below tells us which Metasploit module to use to gain remote code execution via this feature.

Link - https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat


Set the following options:

We gained a shell from this. Now let's check who we are logged in as by using the shell command, then the whoami command.

This tells us that the user our shell is running as is Administrator, so no privilege escalation is required.

Congratulations, you have pwned this box!
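
Seen from the defender's side, the whole foothold depends on a default Manager App account that is allowed to deploy WAR files. The audit of `conf/tomcat-users.xml` below is an added example, not part of the original write-up; the sample file, the function name and the default pairs other than 'tomcat'/'s3cret' are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying a WAR through the Manager App (HTML or text interface).
DEPLOY_ROLES = {"manager-gui", "manager-script"}

# Known-default pairs. ('tomcat', 's3cret') is the pair from this write-up;
# the others are constructed examples, extend with your own list.
DEFAULT_PAIRS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}

# Constructed sample of conf/tomcat-users.xml (not taken from the target box).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
  <user username="deployer" password="Xk9!constructed-long-value" roles="manager-script"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return a list of (username, severity, reason) findings."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Strip the XML namespace so namespaced and bare files both work.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        user = elem.get("username") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if (user, password) in DEFAULT_PAIRS:
            reason = "default credential pair"
        elif not password or password.lower() == user.lower():
            reason = "empty password or password equals username"
        else:
            continue
        # A weak account that can deploy WARs means code execution on the host.
        severity = "critical" if roles & DEPLOY_ROLES else "warning"
        findings.append((user, severity, reason))
    return findings


if __name__ == "__main__":
    for user, severity, reason in audit_tomcat_users(SAMPLE):
        print(f"[{severity}] {user}: {reason}")
```

Any "critical" finding means the account should be removed or given a strong unique password, and access to the Manager App should be restricted to trusted hosts.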






©2022 by Hack The Box Write-Ups By Josh Lees
