First thing first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.
target="10.10.10.95"
ports=$(sudo nmap -p- --min-rate=1000 -T4 $target | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
sudo nmap -p$ports -sC -sV $target -vvv
We get back the following result showing that only one port is open:
PORT STATE SERVICE REASON VERSION
8080/tcp open http syn-ack Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
Similarly, we run a UDP scan with the -sU flag enabled.
sudo nmap -Pn -sU --open -p- --min-rate 10000 $target
We can run directory enumeration to find interesting paths.
feroxbuster --url http://10.10.10.95:8080
We get a lot of results, among which feroxbuster found some interesting paths that returned a 302 redirect. The default credentials “tomcat” / “s3cret” work to access the Tomcat Manager Application.
To get a shell, I’ll use the “WAR file to deploy” section of the manager application:
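As an added defender-side example (not part of the original writeup), the following script flags the two events described above in a Tomcat access log: successful manager-app requests authenticated as a default account, and WAR uploads through the manager's HTML form or text interface. The "common" access-log pattern, the default-account list and the sample log lines are assumptions; the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed: account names from Tomcat's example tomcat-users.xml plus common guesses.
DEFAULT_ACCOUNTS = {"tomcat", "admin", "manager", "both", "role1"}

# Manager endpoints that deploy a WAR: the HTML "WAR file to deploy" form and the text interface.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")


@dataclass
class Finding:
    host: str
    user: str
    reason: str
    line: str


def analyse(lines):
    """Return one Finding per suspicious manager-app event in the given log lines."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line.strip())
        if not m:
            continue  # not a "common"-format line; ignore
        user, path, status = m["user"], m["path"].split("?")[0], int(m["status"])
        if not path.startswith("/manager") or status >= 400:
            continue  # only successful manager-app requests matter here
        if user in DEFAULT_ACCOUNTS:
            findings.append(Finding(m["host"], user, "manager login with default account", line))
        if path in DEPLOY_PATHS:
            findings.append(Finding(m["host"], user, "WAR deployed via manager app", line))
    return findings


# Constructed sample log lines (not taken from the original page)
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2024:10:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.2 - tomcat [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 200 17386
10.10.14.2 - tomcat [01/Jan/2024:10:00:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 17452
192.168.1.5 - ops [01/Jan/2024:10:01:00 +0000] "GET /docs/ HTTP/1.1" 200 6544
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.host} {f.user}: {f.reason}")
```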