Recently, I got access to management web console of a new to me product called SkyMobile VTI Server. The web console itself was enough to allow complete access to the system as it was running with Administrative privileges and allowed file upload. All I needed to do was upload an asp meterpreter to wwwroot and get the work done.
![]()
But I wanted to have fun. After browsing through the console for few minutes I saw the unencrypted default configuration file.
![]()
In the configuration file, I saw a parameter called "JavaCommand" which calls JRE executable.
![]()
I uploaded a meterpreter executable, changed the "JavaCommand" variable to path of the uploaded meterpreter executable and restarted the service (Yes I restarted it, I know its _really_ bad, but I just did that)
![]()
And the result was sweet !!
![]()
But I wanted to have fun. After browsing through the console for few minutes I saw the unencrypted default configuration file.
In the configuration file, I saw a parameter called "JavaCommand" which calls JRE executable.
I uploaded a meterpreter executable, changed the "JavaCommand" variable to path of the uploaded meterpreter executable and restarted the service (Yes I restarted it, I know its _really_ bad, but I just did that)
And the result was sweet !!
