Jerry is an easy Windows box. The box required us to exploit a weak configuration of a Tomcat server. Once we had access to the Tomcat dashboard, we were able to upload a WAR file, which ultimately led to RCE and thus gave us access to the system. Luckily, we immediately got full NT AUTHORITY\SYSTEM access.
As always, we start by scanning the target machine’s open ports:
    rustscan --ulimit 5000 jerry.htb -- -sV -sC -oN nmap_scan

    PORT     STATE SERVICE    REASON
    8080/tcp open  http-proxy syn-ack
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-favicon: Apache Tomcat
    |_http-title: Apache Tomcat/7.0.88
The port scan only reveals a single open port, which exposes Apache Tomcat version 7.0.88. Let’s enumerate it further.
Enumeration
Port 8080 - Apache Tomcat
Looking at the website, we can see the default Apache Tomcat page. This was to be expected, as nmap has already told us that we are dealing with Apache Tomcat.
Apache Tomcat is an open-source Java servlet container that implements several Java Enterprise specifications such as the WebSocket API, JavaServer Pages and, last but not least, the Java Servlet API. (Source: https://www.javatpoint.com/what-is-tomcat)
As seen in the screenshot above, Apache Tomcat provides a “Host Manager” and a “Manager App”, which is basically a dashboard that gives full access to the server’s configuration.
However, this dashboard is protected by an authentication mechanism that asks for a username and password. Luckily for us, this is one of the main weaknesses of Tomcat deployments: the installation does not force you to change the default credentials, so lazy or unaware administrators simply stick with them. These defaults can easily be looked up, as seen in the following picture:
So let’s go through the list and try each of them (feel free to either use the Metasploit module that does this for you, or any brute-forcer like hydra, Burp or your own scripts). In this case, this leads to success! Apparently, we have a lazy admin here. The credentials are tomcat:s3cret. Now we have full access to the management dashboard!
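From the defender’s side, the weakness just described lives in Tomcat’s tomcat-users.xml. The following Python script is an added example and is not part of the original write-up: it parses a tomcat-users.xml, flags accounts that hold manager or admin roles while using well-known default credentials (a short constructed list that includes the tomcat:s3cret pair from this box) or a short password, and runs against a constructed weak configuration and a constructed hardened one. The role names are Tomcat’s own; the minimum password length and both sample configurations are assumptions made for the example.

```python
"""Audit a Tomcat tomcat-users.xml for the weakness exploited on this box:
accounts holding manager roles with default or guessable credentials.
Added example, not part of the original write-up."""
import xml.etree.ElementTree as ET

# Roles that allow deploying or managing web applications (Tomcat 7 role names).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed, deliberately short sample of well-known default pairs; a real
# audit would load the same wordlist an attacker would try.
DEFAULT_CREDS = {("tomcat", "tomcat"), ("tomcat", "s3cret"),
                 ("admin", "admin"), ("admin", ""), ("tomcat", "")}

MIN_PASSWORD_LEN = 16  # assumption: local policy, not a Tomcat setting


def _local(tag):
    """Strip the XML namespace that tomcat-users.xml declares on its root."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (severity, username, message) findings."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        username = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # accounts without a manager role cannot reach the dashboard
        if (username, password) in DEFAULT_CREDS:
            findings.append(("critical", username,
                             f"default credentials with roles {sorted(privileged)}"))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append(("high", username,
                             f"short password ({len(password)} chars) with roles {sorted(privileged)}"))
    return findings


# Constructed sample: the kind of file behind the box (manager GUI + script roles
# on a default credential pair, plus a second privileged account with a weak password).
WEAK_CONFIG = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="bob" password="bobpass" roles="manager-gui"/>
  <user username="guest" password="guest" roles=""/>
</tomcat-users>"""

# Constructed hardened sample: no browser-facing manager-gui role at all, a single
# deployment account with a long random password used only by the CI pipeline.
HARDENED_CONFIG = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deploy-ci" password="x7Qv9mLp2RtW4yKzB8nH3cJ6fD1sG5aE" roles="manager-script"/>
</tomcat-users>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, user, msg in audit_tomcat_users(cfg) or [("ok", "-", "no findings")]:
            print(f"[{severity}] {user}: {msg}")
```

Running the script prints a critical finding for the tomcat account and a high one for bob in the weak file, and nothing for the hardened one. Restricting who can reach /manager (for instance with Tomcat’s RemoteAddrValve) is the complementary control that this file-level check cannot see.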
Initial Foothold - NT AUTHORITY\SYSTEM
From here, it’s very simple to get access to the system. The dashboard provides a functionality to upload and deploy .WAR files. This means we can include our own code, e.g. a reverse shell, on the web server.
The methodology is the following:
1) Create the WAR file containing the reverse shell payload using
2) Upload and deploy the WAR file.
3) This will create a new entry in the applications list.
4) Start a java/jsp_reverse_tcp listener. Here I use Metasploit for this purpose.
5) Click on the path link in the applications list.
6) This will trigger the execution of the reverse shell code.
The steps are depicted below:
There we go! And we are even luckier: apparently, the web server is running with SYSTEM privileges. This means that, through our reverse shell, we have full control of the web server!
The final step is to obtain the user and root flags.
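Every step of the deployment above leaves a trace in Tomcat’s access log (the AccessLogValve in its common log format). The Python below is an added example, not part of the original write-up, that replays constructed log lines and raises alerts for exactly the sequence this box relies on: repeated 401 responses from the manager followed by a 200 for the same source address, a POST to a manager deployment endpoint, and the first request to a context that is not among the known deployed applications. The endpoint paths /manager/html/upload and /manager/text/deploy are Tomcat’s; the failure threshold, the known-context list and the log lines themselves are assumptions constructed for the example.

```python
"""Detect Tomcat manager abuse in access-log lines: credential guessing,
WAR deployment through the manager, and requests to a newly appeared context.
Added example, not part of the original write-up; log lines are constructed."""
import re
from collections import defaultdict

# Common log format as written by Tomcat's AccessLogValve (pattern "common").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Manager endpoints that deploy an application (HTML manager and text interface).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

AUTH_FAIL_THRESHOLD = 5  # assumption: tune to the environment

# Contexts shipped with a default Tomcat 7 install; assumed allowlist for the example.
KNOWN_CONTEXTS = {"/", "/docs", "/examples", "/host-manager", "/manager"}


def parse_line(line):
    """Return ip, user, method, path (query stripped) and status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def detect_manager_abuse(lines, known_contexts=KNOWN_CONTEXTS):
    """Return a list of (alert_type, source_ip, detail) in log order."""
    alerts = []
    failures = defaultdict(int)  # consecutive 401s on /manager per source IP
    seen_unknown = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status, method = rec["ip"], rec["path"], rec["status"], rec["method"]
        if path.startswith("/manager"):
            if status == 401:
                failures[ip] += 1
                if failures[ip] == AUTH_FAIL_THRESHOLD:
                    alerts.append(("bruteforce", ip, f"{failures[ip]} failed manager logins"))
            elif status == 200 and failures[ip] >= AUTH_FAIL_THRESHOLD:
                alerts.append(("guess_success", ip,
                               f"manager login succeeded after {failures[ip]} failures"))
                failures[ip] = 0
            if method == "POST" and path.startswith(DEPLOY_PATHS) and status == 200:
                alerts.append(("war_deploy", ip, f"application deployed via {path}"))
            continue
        # The first path segment is the context, e.g. "/shell/index.jsp" -> "/shell".
        # Paths with no further segment ("/", "/favicon.ico") are not treated as contexts.
        parts = path.split("/")
        if len(parts) >= 3 and status == 200:
            context = "/" + parts[1]
            if context not in known_contexts and context not in seen_unknown:
                seen_unknown.add(context)
                alerts.append(("unknown_context", ip,
                               f"first request to undeployed context {context}"))
    return alerts


# Constructed sample: benign browsing from one host, then five guesses, a success,
# a WAR upload and a hit on the freshly deployed application from another host.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 11217',
    '10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /docs/ HTTP/1.1" 200 19123',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 1014',
] + [
    f'10.0.0.9 - - [01/Jan/2024:12:01:{i:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for i in range(5)
] + [
    '10.0.0.9 - tomcat [01/Jan/2024:12:01:05 +0000] "GET /manager/html HTTP/1.1" 200 17561',
    '10.0.0.9 - tomcat [01/Jan/2024:12:02:10 +0000] "POST /manager/html/upload'
    '?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 18112',
    '10.0.0.9 - - [01/Jan/2024:12:02:30 +0000] "GET /shell/ HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for kind, ip, detail in detect_manager_abuse(SAMPLE_LOG):
        print(f"{kind:16s} {ip:12s} {detail}")
```

The four alerts come out in the order the attack unfolds (bruteforce, guess_success, war_deploy, unknown_context), all attributed to the same source address, which is what makes the sequence easy to correlate in a SIEM. Because the manager returns 401 for every failed Basic-auth attempt, the failure counter is the cheapest signal; the deploy POST and the new context are the confirmations.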