# Initial Enum

- `ping` test
![[images/Pasted image 20260131205831.png]]
- `nmap` scans
![[images/Pasted image 20260131210005.png]]
- Try anonymous login against the FTP server
- `website_backup` exists but we cannot access it
![[images/Pasted image 20260131210346.png]]
- We also cannot write a test file
![[images/Pasted image 20260131210355.png]]
- Visit page at port 80
![[images/Pasted image 20260131205917.png]]
- Visit page at port 8000
![[images/Pasted image 20260131210051.png]]
- Visit page at port 8009 > nothing
- Visit page at port 8080
![[images/Pasted image 20260131210438.png]]
- This may be vulnerable to CVE-2020-1938 - Ghostcat, but this only allows LFI on webserver files
- Cannot access `/manager` and `/host-manager`

# Try MSF Module

- Run `gobuster` to discover any dirs
```bash
gobuster dir -u http://10.129.17.221:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
```
![[images/Pasted image 20260131212329.png]]
- Let's try the [auxiliary/scanner/http/tomcat_mgr_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login/) Metasploit module
![[images/Pasted image 20260131211354.png]]
- Set options > nothing
![[images/Pasted image 20260131212351.png]]

# `CVE-2019-0232` - CGI vuln

- Tomcat 9.0.0.M1 is affected by `CVE-2019-0232`, the CGI vuln
- Run `gobuster` scans to find `/cgi/` files
```bash
gobuster dir -u http://10.129.17.221:8080/cgi -w /usr/share/dirb/wordlists/common.txt -x .cmd
gobuster dir -u http://10.129.17.221:8080/cgi -w /usr/share/dirb/wordlists/common.txt -x .bat
```
![[images/Pasted image 20260131213145.png]]
- Run `msfconsole` and search for `tomcat cgi`
![[images/Pasted image 20260131213236.png]]
- Set options
![[images/Pasted image 20260131213449.png]]
- We have a `meterpreter` shell
- Drop into a Windows shell
![[images/Pasted image 20260131213524.png]]
- Navigate to flag
![[images/Pasted image 20260131213633.png]]
- `type` flag
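
What the two `/cgi/` steps above look like from the server side, as an added detection example that is not part of the original notes: it flags a burst of 404s for `.bat`/`.cmd` names under `/cgi/` and any batch-script request whose query string has no `=`. The log lines are constructed in Tomcat's default `common` access-log pattern; `example.bat`, the client addresses, the threshold and the `analyze` helper are all assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Tomcat's "common" access-log pattern (not from the page).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jan/2026:21:30:01 +0000] "GET /cgi/admin.cmd HTTP/1.1" 404 682
192.0.2.10 - - [31/Jan/2026:21:30:01 +0000] "GET /cgi/backup.cmd HTTP/1.1" 404 682
192.0.2.10 - - [31/Jan/2026:21:30:02 +0000] "GET /cgi/test.bat HTTP/1.1" 404 682
192.0.2.10 - - [31/Jan/2026:21:30:03 +0000] "GET /cgi/example.bat HTTP/1.1" 200 41
192.0.2.10 - - [31/Jan/2026:21:34:40 +0000] "GET /cgi/example.bat?constructed+args HTTP/1.1" 200 97
198.51.100.7 - - [31/Jan/2026:21:35:00 +0000] "GET /cgi/example.bat?name=value HTTP/1.1" 200 41
198.51.100.7 - - [31/Jan/2026:21:35:09 +0000] "GET /index.jsp HTTP/1.1" 200 1204
"""

# client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Windows batch scripts served from the /cgi/ mapping used in the notes
SCRIPT = re.compile(r'^/cgi/[^?]*\.(?:bat|cmd)$', re.IGNORECASE)

def analyze(log_text, enum_threshold=3):
    """Return (findings, per-client 404 counts) for batch-script CGI requests."""
    findings, misses = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if not SCRIPT.match(path):
            continue
        if status == "404":
            misses[client] += 1
            if misses[client] == enum_threshold:  # report once per client
                findings.append((client, "cgi-enum", path))
        # RFC 3875 4.4: a query with no unencoded "=" is an indexed query,
        # which a CGI server may hand to the script as command-line arguments.
        elif query and "=" not in query:
            findings.append((client, "cgi-cmdline-args", target))
    return findings, misses

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(finding)
```

A `cgi-cmdline-args` hit matters on Windows hosts where the CGI servlet's `enableCmdLineArguments` init-param is on, so pair the alert with a check that it is off.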