Deployable
https://www.cyberseclabs.co.uk/labs/info/Deployable/
Nmap
HTTPS
On port 8080 we have Apache Tomcat/7.0.88. Tomcat's 'Manager App' button on the right leads to a deployment interface that accepts file uploads.
You will be presented with an HTTP Basic Auth prompt. Entering invalid credentials sends you to the page below.
The above page provides the default credentials admin:s3cret.
If we reload the 'Manager App' page and enter those credentials, we are able to log in with the defaults.
Initial Foothold
I have completed some Tomcat-based boxes before and find they are usually susceptible to malicious WAR file uploads. Further down the page we can see an opportunity to upload a WAR file.
msfvenom can be used to create a malicious WAR file, which is essentially a Java-based reverse shell. I have linked an article below that covers several ways to exploit a Tomcat server; I will be using the WAR backdoor method.
Run the following in a terminal.
Once this has been generated we can upload the malicious file, and the shell appears in the application list.
Clicking on the shell will execute the reverse shell we created. Ensure you have a netcat listener running to catch the shell.
Once we execute the shell we should get a connection back.
Privilege Escalation
Using whoami /priv we can check our privileges:
'SeImpersonatePrivilege' is interesting, as it can lead to JuicyPotato attacks. This is somewhat expected, since this privilege is often granted to service accounts, which we are likely running as.
The systeminfo command reveals we are running Windows Server 2012 R2 Datacenter, which is usually vulnerable to JuicyPotato attacks.
For now I will explore other attack vectors as I have covered this type of attack recently.
I next set up an SMB server on my attacking machine using Impacket's smbserver.py.
We should now be able to download and execute files easily from inside the shell on the server. I started by running winPEAS.exe to identify possible escalation points.
After a while winPEAS.exe reports that the Deploy service, which runs Deploy.exe from C:\Program Files\Deploy Ready\Service Files\Deploy.exe, has an unquoted binary path that contains spaces.
I have linked a Medium article below that explains the vulnerability well, and I have also included a short snippet from it.
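To make the mechanism behind that finding concrete, here is an added audit script (written for this writeup, not code from the box, winPEAS or the linked article). It reproduces the CreateProcess search order for an unquoted ImagePath and lists the locations a defender must check for weak write permissions; the Deploy path is the one reported above, the other services are constructed for contrast.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed sample of service ImagePath values, as read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or `sc qc <name>`.
# Only the Deploy entry comes from the writeup; the other two are invented.
SERVICES: List[Tuple[str, str]] = [
    ("Deploy", r"C:\Program Files\Deploy Ready\Service Files\Deploy.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("QuotedSvc", r'"C:\Program Files\Quoted Vendor\svc.exe" -run'),
]


def spawn_candidates(image_path: str) -> List[str]:
    """Return the executables CreateProcess would try, in order, for an
    unquoted ImagePath. An empty list means the path is quoted or contains no
    spaces, so the service is not exposed to this class of hijack."""
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    candidates = []
    parts = path.split(" ")
    # CreateProcess cuts the string at each space and tries that prefix
    # (appending .exe when it has no extension) until one of them exists.
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit(services: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each service with an unquoted, space-containing ImagePath to the
    planting points that precede the intended binary. Each of those paths
    needs a write-ACL review, and the ImagePath itself needs quoting."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services:
        cands = spawn_candidates(image_path)
        if cands:
            findings[name] = cands[:-1]  # everything before the real binary
    return findings


if __name__ == "__main__":
    for svc, spots in audit(SERVICES).items():
        print(f"{svc}: unquoted path, check write access on:")
        for spot in spots:
            print(f"  {spot}")
```

Running it lists C:\Program Files\Deploy Ready\Service.exe among the Deploy hits, which is exactly the file name used in the escalation below.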
In this case I will create a reverse shell with msfvenom called Service.exe, as this will be executed before the Deploy.exe file.
I can then copy this over to the destination folder using the SMB server I set up earlier.
We can now set up a netcat listener on our attacking machine on the port of the Service.exe we created.
We then need to start the service so that it executes Service.exe as System.
You should now have a shell as System.