HackTheBox Writeup: Jerry

Faisal Husaini
Nov 17, 2018

Hello guys, I am Faisal Husaini. My username on HTB is “smoke”.

This was a pretty easy box, but it had nice techniques and I learned about exploiting a vulnerable Tomcat server. It was fun doing this box.

The IP for this machine is 10.10.10.95

NMAP Scan Results

We run the nmap scan using the command “nmap -sC -sV -oA nmap 10.10.10.95”

NMAP Results

As our ping probes were being blocked during the nmap scan, we added the -Pn option.

Now we see that port 8080 is open and is running an HTTP service, Apache Tomcat/Coyote JSP engine 1.1.

HTTP Service

Apache Tomcat

We open 10.10.10.95:8080 in the browser and get the default Apache Tomcat server page.

Let’s now run a dirb scan.

Dirb Scan

dirb

We got many directories; the interesting ones look to be host-manager and manager. Let's see what they have.

/host-manager

Here we tried to access http://10.10.10.95:8080/host-manager

It prompted for a username and password, so I tried random usernames and passwords like admin/admin or root/admin, etc.

But no luck. Then, when I clicked on the Cancel button, I was redirected to this page:

403 Access Denied

Here we clearly see username=“tomcat” and password=“s3cret”, which at first I thought was a leak from the server, but after researching I came to know that it is the Apache Tomcat default username/password.

I tried to re-enter this as the username and password, but it didn't prompt me due to the stored cookie, so I will try this on http://10.10.10.95:8080/manager and see what it shows.

/manager

So here we try to access http://10.10.10.95:8080/manager and we get:

Tomcat Web Application Manager

Scrolling down more, we see:

WAR File Upload Section

We see that we can upload a WAR file. Now let's begin some enumeration and googling.

Enumeration

So after doing Google searches and enumeration, I came to know that we can upload WAR files and that we can create an MSF payload in WAR format using msfvenom, so let's do it.

Creating WAR Backdoor using msfvenom

Here we create a WAR format backdoor to upload in the Tomcat manager and then access it to get the reverse shell

msfvenom to create WAR backdoor

Payload created, now let's upload it.

Uploading WAR Backdoor

Now we upload our created backdoor “faisal.war” in the Tomcat manager

WAR File Upload

Now we click on Deploy

Backdoor Uploaded

Our backdoor has been uploaded and now we can access it using the URL http://10.10.10.95:8080/faisal

Getting Shell

Before we access http://10.10.10.95:8080/faisal, we need to set up a listener.

msfconsole

Boom, we got a shell just after accessing the backdoor link.

Looking Further

Now let's see which user we are.

whoami

Whoa, we are already NT Authority\system, so we don't need to do privilege escalation.

Getting The Flags

We saw there was a folder named flags in C:\Users\Administrator\Desktop

dir

Inside it was a txt file named “2 for the price of 1.txt”. When we tried to read it from the shell, the shell died. I tried many times, but the same thing happened again.

So now I created a Windows backdoor in exe format using msfvenom, uploaded it using the PowerShell command Invoke-WebRequest, and then set up another listener in msfconsole to get a meterpreter shell.

Setting up a meterpreter

Now we try to read the txt file from meterpreter, or else download it to our machine.

Getting Flags

We couldn't read it, so I tried downloading it to my box and it downloaded. Now let's see what it has.

The Flags

Boom, we got both the user flag and the root flag.

Vulnerabilities Used To Exploit This Box

WAR File Backdoor Upload At Apache Tomcat
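
On the defender's side, the weakness used on this box is visible in Tomcat's conf/tomcat-users.xml. The audit script below is an added example, not part of the original writeup; the function name, the weak-pair list (built from the credentials mentioned above) and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager apps (WAR deployment).
DEPLOY_ROLES = {"manager-gui", "manager-script", "admin-gui", "admin-script"}
# Credential pairs mentioned in this writeup; extend with your own list.
WEAK_PAIRS = {("tomcat", "s3cret"), ("admin", "admin"), ("root", "admin")}

# Constructed sample file (not taken from the target machine).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <!-- <user username="admin" password="admin" roles="manager-gui"/> -->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="monitor" password="Zq7!constructed-example" roles="manager-status"/>
</tomcat-users>"""


def local(tag):
    """Strip an XML namespace so namespaced and plain files both parse."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for risky, active <user> entries.

    Commented-out sample users are ignored because the parser drops comments.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if (name, password) in WEAK_PAIRS:
            findings.append((name, "known sample/guessable credential"))
        elif password == "" or password.lower() == name.lower():
            findings.append((name, "empty or username-derived password"))
        exposed = sorted(roles & DEPLOY_ROLES)
        if exposed:
            findings.append((name, "can reach manager apps via: " + ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE):
        print(f"{user}: {finding}")
```

An account that shows up with both kinds of finding is the combination seen on this box: a guessable password on a user that is allowed to deploy applications.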

References

Below are the links to the resources which helped me in solving this box.

Creating WAR Backdoor Using msfvenom:

https://pentestlab.blog/2012/08/26/using-metasploit-to-create-a-war-backdoor/

https://netsec.ws/?p=331
