Jerry
Nmap
The root page for port 8080 takes us to an install of Apache Tomcat / 7.0.88.
When clicking on the 'Manager App' button we are asked for authentication before proceeding. Looking up the default credentials on Google we get the result below.
From the list above I tried tomcat:s3cret
and was granted access as shown below. I have done penetration testing against Tomcat previously and know that once you have access to the Manager App you can upload a malicious WAR file in order to gain shell.
Using the command below we can create a WAR reverse shell with msfvenom
.
Once uploaded we can then see the upload shell under 'Applications'.
Then start a netcat
listener on the attacking machine:
Then click on the uploaded WAR file under applications to execute. As per below you should then have a reverse shell as SYSTEM.
Last updated