Enterer Privilege Escalation tutorial, Tomcat Privilege Escalation

Enterer permission elevation Tutorial: Permission elevation under Tomcat

Author: enterer

The collected data in the early stage indicates that the Administrator is a very lazy person and folders are in disorder. However, this increases the difficulty of privilege escalation.

Run CMD. The password has been changed despite SU. Disk C is equipped with a bunch of Soft Kill... Khan, coffee, Norton, rising, cert, 360 .... Disk D looks like a website, but it's messy... Although the jsp test is successful, it cannot run the jsp Trojan. I don't know what's going on. Okay. Try the default port 8080 to see if it is Tomcat. Obviously, there is also a version number.

 

Find the tomcat installation folder, which is not found in the C root directory, so run the CMD command to find it. After a long wait, the path is displayed. If you find it manually, you will be exhausted.

 

 

Because we know that the version is 5.0, we can directly go to the Tomcat folder. Find the password in the tomcat-user.xml In the conf folder

Accuracy + PC9QPg0KPFA + accuracy/accuracy + jm5ic3a7pelnrybzcm9 "http://up.2cto.com/Article/201001/20100124100123935.jpg" width = 568 height = 115>

The upload is successful. Let's take a look at the system permissions. You can do whatever you want.

 

The Elevation of Privilege ends here and the system permission is obtained. Although the system cannot log on to 3389, the Administrator has installed more than N kill software and cannot use remote control (neither the start Trojan nor the CMD/C Trojan can run remote control, it is estimated that the process that killed the software has not been shut down, and there are too many processes to find ). However, it also increases the experience value for privilege escalation. If it is more, it will be lv up.