9 box enum marcus
marcus@monitors:~$ ls -la
total 40
drwxr-xr-x 5 marcus marcus 4096 Jan 25 2021 .
drwxr-xr-x 3 root root 4096 Nov 10 2020 ..
d--x--x--x 2 marcus marcus 4096 Nov 10 2020 .backup
lrwxrwxrwx 1 root root 9 Nov 10 2020 .bash_history -> /dev/null
-rw-r--r-- 1 marcus marcus 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 marcus marcus 3771 Apr 4 2018 .bashrc
drwx------ 2 marcus marcus 4096 Jan 25 2021 .cache
drwx------ 3 marcus marcus 4096 Nov 10 2020 .gnupg
-r--r----- 1 root marcus 84 Jan 25 2021 note.txt
-rw-r--r-- 1 marcus marcus 807 Apr 4 2018 .profile
-r--r----- 1 root marcus 33 Oct 5 19:07 user.txt
# we still cannot see under .backup;
| chmod 777 to see it; nothing new
marcus@monitors:~$ cat note.txt
TODO:
Disable phpinfo in php.ini - DONE
Update docker image for production use -
# nothing new here,
# we know port 8443 is running internally and we have docker,
# there is no wget or curl on the box
# used the __curl function but did not get anything
marcus@monitors:~$ __curl https://localhost:8443
Bad Request
This combination of host and port requires TLS.
# port forwarding via ssh
$ ssh -L 8443:127.0.0.1:8443 marcus@monitors.htb
https://localhost:8443/
HTTP Status 404 – Not Found
Type Status Report
Message Not found
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
Apache Tomcat/9.0.31
exploring exploits for Tomcat/9.0.31
| found RCE by deserialization
| https://www.redtimmy.com/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/
Found GitHub exploits while exploring the CVE.
| https://github.com/PenTestical/CVE-2020-9484
| manual method: https://romnenko.medium.com/apache-tomcat-deserialization-of-untrusted-data-rce-cve-2020-9484-afc9a12492c4