This is another blog on my experience of exploiting a Windows-based retired machine with the IP address 10.10.10.95.
The first step is the reconnaissance process by using nmap that helps in identifying the open ports.
We find that there is only one open port which is 8080.
When we try opening the page with the same, we find a manager application page that demands a user name and the password.
To get that user name and password, we have got an XML file on the same page which upon opening throws the username and password to be Tomcat and s3cret respectively.
With the obtained username and password, we try to gain the access to the application manager page.
The next step is to exploit the vulnerabilities in the application manager page which I have done using msfconsole.
After starting msfconsole, we then give the search option for exploiting the tomcat manager exploit.
Here we use the tomcat manager upload as there was an option of uploading the WAR file in the site that had the manager application.
When using the same we try setting the options that were available to us like that of the username, password, the receiving host, and the port.
Now the exploit is set to run!
We then obtain the shell for exploitation.
Here we find a directory called users which we navigate into.
Finally, we have got the Administrator rights!!
When navigating through the directories, we get the flags directory.
Finally, the hash values of the user and the root is obtained.
