🕵 HTB-Writeup : JERRY
With nmap, we find only one open port (8080) and identify a Tomcat server.
With gobuster, we discover some directories.
/manager points to the Tomcat Manager application. We are asked for credentials when we open the page.
We try to connect to http://10.10.10.95:8080/manager/html and intercept the request in Burp.
We identify the header Authorization: Basic YWRtaW46Y291Y291. It carries the base64-encoded credentials; this value decodes to admin:coucou. We then try to brute-force the authentication with default Tomcat credentials. I found a list on this GitHub.
Again in Burp, we send the request to Intruder and launch the attack with our payloads.
Screenshot of the payload positions
One of the credentials works!
Screenshot of the differing response from one payload
We are able to connect to the manager page with those creds.
More simply, it is possible to use the scanner/http/tomcat_mgr_login module in Metasploit. This module tests all the Tomcat default credentials for us.
We are welcomed on the manager page. We can see a WAR upload form on the page.
Screenshot of the welcome page
Thanks to msfvenom, it is possible to build a malicious WAR file that spawns a reverse shell.
We first try the java/shell_reverse_tcp payload to build the WAR.
Then we upload the WAR file to the server. We can see the application in the list.
Screenshot of applications list
We listen on port 4444 (nc -lvnp 4444) while browsing to the /pwn page we just uploaded.
We get our first prompt, and it is NT Authority!
We can get both flags on the Administrator desktop.
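From the defender's side, the whole chain above leaves a clear trace in the Tomcat access log: a burst of 401 responses on /manager/html, then an authenticated 200, then a POST to the manager upload endpoint. The script below is an added example (not part of the original writeup and not an HTB tool): it decodes a Basic header the way we did by hand, and runs a small detection over constructed access-log lines in Tomcat's default `%h %l %u %t "%r" %s %b` format. The IPs, timestamps, the `tomcat` username and the byte counts in the sample are all invented for the example.

```python
import base64
import re
from collections import defaultdict

# Constructed Tomcat access log lines (default common log format).
# These are sample values for the example, not logs from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [21/Jun/2018:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [21/Jun/2018:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [21/Jun/2018:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [21/Jun/2018:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [21/Jun/2018:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [21/Jun/2018:12:00:04 +0000] "GET /manager/html HTTP/1.1" 200 15942
10.10.14.5 - tomcat [21/Jun/2018:12:00:20 +0000] "POST /manager/html/upload HTTP/1.1" 302 -
10.10.14.5 - - [21/Jun/2018:12:00:25 +0000] "GET /pwn/ HTTP/1.1" 200 -
192.168.1.20 - - [21/Jun/2018:12:05:00 +0000] "GET /docs/ HTTP/1.1" 200 1234
"""

# %h %l %u %t "%r" %s %b  ->  ip, ident, user, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def decode_basic_auth(header_value):
    """Return (user, password) from the value of an 'Authorization: Basic ...' header.

    Shows why Basic auth over plain HTTP is just encoding, not protection.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def find_manager_abuse(log_text, threshold=5):
    """Flag, per source IP, the manager-app pattern seen in the writeup.

    Returns {ip: [reasons]} for IPs that show repeated 401s on /manager,
    a successful login after failures, or a WAR deployed through the upload form.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(lambda: {"failed": 0, "login_ok": False, "war_upload": False})

    for e in events:
        if not e["path"].startswith("/manager"):
            continue
        rec = by_ip[e["ip"]]
        if e["status"] == 401:
            rec["failed"] += 1
        elif e["status"] in (200, 302) and e["user"] != "-":
            # Tomcat only fills %u once the Basic credentials were accepted.
            rec["login_ok"] = True
            if e["method"] == "POST" and e["path"].startswith("/manager/html/upload"):
                rec["war_upload"] = True

    findings = {}
    for ip, rec in by_ip.items():
        reasons = []
        if rec["failed"] >= threshold:
            reasons.append(f"{rec['failed']} failed manager logins")
        if rec["login_ok"] and rec["failed"] > 0:
            reasons.append("manager login succeeded after failures")
        if rec["war_upload"]:
            reasons.append("WAR deployed via manager upload")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    print(decode_basic_auth("Basic YWRtaW46Y291Y291"))
    for ip, reasons in find_manager_abuse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The threshold of five failures is arbitrary and should be tuned to the environment; the stronger signal is the sequence itself (failures, then an authenticated request, then an upload). Beyond detection, the fix for this box is the usual one: remove or rotate the default manager credentials in tomcat-users.xml and do not expose the manager application to untrusted networks.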
Easy, External, Tomcat, Penetration Tester Level 1, Remote Code Execution, A05:2021-Security Misconfiguration, Default Credentials, Malicious WAR File Upload