9 box enum marcus

marcus@monitors:~$ ls -la
total 40
drwxr-xr-x 5 marcus marcus 4096 Jan 25  2021 .
drwxr-xr-x 3 root   root   4096 Nov 10  2020 ..
d--x--x--x 2 marcus marcus 4096 Nov 10  2020 .backup
lrwxrwxrwx 1 root   root      9 Nov 10  2020 .bash_history -> /dev/null
-rw-r--r-- 1 marcus marcus  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 marcus marcus 3771 Apr  4  2018 .bashrc
drwx------ 2 marcus marcus 4096 Jan 25  2021 .cache
drwx------ 3 marcus marcus 4096 Nov 10  2020 .gnupg
-r--r----- 1 root   marcus   84 Jan 25  2021 note.txt
-rw-r--r-- 1 marcus marcus  807 Apr  4  2018 .profile
-r--r----- 1 root   marcus   33 Oct  5 19:07 user.txt

# .backup is d--x--x--x, so we still cannot list what is under it;
| chmod 777 to see it; nothing new

marcus@monitors:~$ cat note.txt
TODO:
Disable phpinfo in php.ini              - DONE
Update docker image for production use  -

# nothing new here

# we know port 8443 is listening internally and we have docker,
# there is no wget or curl on the box
# used a __curl function but did not get anything useful
marcus@monitors:~$ __curl https://localhost:8443
Bad Request
This combination of host and port requires TLS.

# port forwarding via ssh
$ ssh -L 8443:127.0.0.1:8443 marcus@monitors.htb

https://localhost:8443/
HTTP Status 404 – Not Found
Type Status Report
Message Not found
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
Apache Tomcat/9.0.31

Searching for known exploits for Tomcat/9.0.31
| found RCE by deserialization (CVE-2020-9484)
	| https://www.redtimmy.com/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/

Found GitHub exploits while exploring the CVE.
| https://github.com/PenTestical/CVE-2020-9484
| manual method: https://romnenko.medium.com/apache-tomcat-deserialization-of-untrusted-data-rce-cve-2020-9484-afc9a12492c4
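Added example, not part of the original notes: the banner alone does not prove exposure, because CVE-2020-9484 also needs PersistentManager with a FileStore to be configured. The function names, result labels and sample context.xml below are constructed for illustration; the fixed releases (7.0.104, 8.5.55, 9.0.35, 10.0.0-M5) are those listed in the Apache advisory.

```shell
# Pull the version out of a banner line such as "Apache Tomcat/9.0.31".
tomcat_version() {
    printf '%s\n' "$1" | sed -n 's|.*Apache Tomcat/\([0-9][0-9A-Za-z.-]*\).*|\1|p'
}

# 0 = affected release, 1 = fixed release, 2 = branch not covered here.
# Fixed in 7.0.104, 8.5.55, 9.0.35 and 10.0.0-M5.
version_affected() {
    case "$1" in
        10.0.0-M[1-4]) return 0 ;;
        10.*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    patch=${3%%[!0-9]*}
    case "$1.$2" in
        7.0) fixed=104 ;;
        8.5) fixed=55 ;;
        9.0) fixed=35 ;;
        *) return 2 ;;
    esac
    [ "${patch:-0}" -lt "$fixed" ]
}

# True when context.xml pairs PersistentManager with FileStore (plain grep, so commented-out XML matches too).
uses_filestore() {
    grep -q 'org\.apache\.catalina\.session\.PersistentManager' "$1" &&
        grep -q 'org\.apache\.catalina\.session\.FileStore' "$1"
}

triage() {  # $1 = banner text, $2 = path to context.xml
    v=$(tomcat_version "$1")
    [ -n "$v" ] || { echo "no-banner"; return 0; }
    version_affected "$v" && rc=0 || rc=$?
    case "$rc" in
        1) echo "patched" ;;
        2) echo "unknown-branch" ;;
        *) if uses_filestore "$2"; then echo "exposed-config"
           else echo "affected-version-only"; fi ;;
    esac
}

# Constructed sample context.xml; the banner is the one shown in the notes above.
sample_ctx=$(mktemp)
cat > "$sample_ctx" <<'EOF'
<Context><Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
</Manager></Context>
EOF
triage "Apache Tomcat/9.0.31" "$sample_ctx"   # prints: exposed-config
```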
