This is the fourth box in my OSCP prep series. It involved logging into a Tomcat Manager page and uploading a. It took me about two hours, which is pretty slow compared to the six minutes for first blood. However, that was mostly because I spent a fair amount of time down a rabbit hole trying to exploit a CVE. When I found the correct path through the management console, it took me about half an hour; the exploit itself dropped me in directly as SYSTEM. I rated both user and root a 1 for difficulty. The exploit was arguably even simpler than Blue and Legacy, at least by hand: while it wasn't a case of just firing off a Metasploit module, uploading a shell and triggering it by simply visiting the URL is much simpler than manually editing an exploit.

#writeup #oscp-prep #windows #file-upload #tomcat #no-metasploit

Enumeration

The first scan reported the host as down, because it does not answer ping probes:

```
If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 4.09 seconds
```

Re-running with -Pn skips host discovery:

```
All addresses will be marked 'up' and scan times will be slower.
Initiating Parallel DNS resolution of 1 host. at 12:35
Completed Parallel DNS resolution of 1 host. at 12:35, 0.01s elapsed
Discovered open port 8080/tcp on 10.10.10.95
Completed Connect Scan at 12:35, 7.38s elapsed (1000 total ports)
Completed Service scan at 12:35, 6.23s elapsed (1 service on 1 host)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_  Supported Methods: GET HEAD POST OPTIONS
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.41 seconds
```

This shows just one port open, an Apache Tomcat server on port 8080.
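From the defender's side, the Manager-upload path used in this box leaves a clear trace in Tomcat's access log. The following is an added example, not code from the original post: it parses constructed common-log-format lines and flags successful WAR deployments through the Manager endpoints, plus any source that racks up repeated 401s against /manager. The client addresses, timestamps and deployed app name are made up; only 10.10.10.95 comes from the scan above.

```python
import re
from collections import defaultdict

# Constructed Tomcat access-log lines (common log format) for illustration;
# they are not from the original post. Client addresses, timestamps and the
# deployed app name are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jul/2018:12:40:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [12/Jul/2018:12:40:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [12/Jul/2018:12:40:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [12/Jul/2018:12:40:09 +0000] "GET /manager/html HTTP/1.1" 200 19763
10.10.14.5 - tomcat [12/Jul/2018:12:41:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 20148
10.10.14.5 - - [12/Jul/2018:12:41:35 +0000] "GET /newapp/ HTTP/1.1" 200 312
10.10.14.7 - - [12/Jul/2018:12:50:00 +0000] "GET /docs/ HTTP/1.1" 200 5120
"""

# host ident user [timestamp] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints through which a WAR can be deployed: the HTML upload form,
# the text interface, and the older (pre-Tomcat 7) text path.
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy", "/manager/deploy"}


def find_manager_activity(log_text, auth_fail_threshold=3):
    """Return (successful deployments, sources with repeated 401s on /manager)."""
    deployments = []
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        path = m["path"].split("?", 1)[0]  # drop query string (e.g. CSRF nonce)
        if not path.startswith("/manager/"):
            continue
        status = int(m["status"])
        if status == 401:
            failures[m["ip"]] += 1
        elif status == 200 and path in DEPLOY_PATHS:
            deployments.append(
                {"ip": m["ip"], "user": m["user"], "time": m["ts"], "endpoint": path}
            )
    brute = {ip: n for ip, n in failures.items() if n >= auth_fail_threshold}
    return deployments, brute
```

On a real server, feed the contents of `logs/localhost_access_log.*.txt` to `find_manager_activity` and alert on any deployment entry, since a legitimate deploy through the Manager is rare enough to review by hand.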