Nmap scan report for 10.10.10.95
Host is up (0.11s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   112.34 ms 10.10.14.1
2   112.35 ms 10.10.10.95

So here again there is information disclosure (the page title hands us the exact version, Apache Tomcat/7.0.88), and a very large vulnerability is just left waiting to be exploited: with the default Apache Coyote page exposed, anyone can reach the Manager tab or brute force their way in through its login prompt, and that is exactly what we will do to crack this machine open.

Way to Exploit

First, we intercept the request with Burp Suite and check what the browser sends to the machine when we log in to reach the Manager page. Then we replay requests with that same login pattern using a default-credential wordlist for Apache Tomcat. Once that succeeds, we build another payload with msfvenom in the format the site accepts, in this case WAR, and then we upload the

Bash script used to convert our input to Base64 for

# one user:password per line; read -r and printf keep each line intact (no word splitting, no echo option parsing)
while IFS= read -r cred; do printf '%s' "$cred" | base64; done < credentials.txt

In Burp, we sent the request from the Proxy to Intruder, loaded the formatted list of default credentials under Payloads, and started the attack. Once it finished, we found that the user is tomcat and the password is s3cret.
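The detection-side counterpart to the credential guessing described above, added here as an example and not part of the original writeup: it scans Tomcat access-log lines in the default "common" AccessLogValve pattern for a burst of 401 responses against /manager/ from a single source and reports whether that source then authenticated. The log lines, threshold and time window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample log (not from the original page): 10.10.14.5 fails five
# times against the manager app within seconds, then authenticates as 'tomcat'.
SAMPLE_LOG = """\
10.10.14.5 - - [15/Jul/2018:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [15/Jul/2018:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [15/Jul/2018:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [15/Jul/2018:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [15/Jul/2018:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [15/Jul/2018:10:01:05 +0000] "GET /manager/html HTTP/1.1" 200 13100
10.10.14.7 - - [15/Jul/2018:10:02:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [15/Jul/2018:10:05:00 +0000] "GET / HTTP/1.1" 200 11444
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def find_manager_bruteforce(log_text, threshold=5, window_s=60):
    """Map each source IP that produced >= threshold 401s on /manager/* within
    window_s seconds to its failure count and the user it later logged in as."""
    events = defaultdict(list)          # per-IP events, in log (time) order
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["path"].startswith("/manager"):
            events[e["host"]].append(e)
    findings = {}
    for ip, evs in events.items():
        fails = [e["time"] for e in evs if e["status"] == 401]
        burst = any((fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s
                    for i in range(len(fails) - threshold + 1))
        if burst:   # authenticated 200 after the burst = likely guessed password
            ok = [e["user"] for e in evs if e["status"] == 200 and e["user"] != "-"]
            findings[ip] = {"failures": len(fails), "success_as": ok[-1] if ok else None}
    return findings
```

A single source that is flagged with a non-empty success_as is the case worth acting on first, since the guessed account can then deploy code through the Manager app.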

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/07dbf05f-6ead-4d35-b6a6-4f121cba19e9/Untitled.png

As shown here, the upload expects the WAR format, so we are going to use an msfvenom payload in that format,

and then execute it to get the cmd shell, with our listener started beforehand using

nc -nvlp 4444

So netcat is listening on port 4444 for us and will catch the reverse shell on that port, because that is the port the payload is configured to connect back to.

From there we can just browse the filesystem and grab the user and root flags.

How to get a better session, btw (extra)