Post

HackTheBox Jerry Write-Up

Posted
Preview Image
By Joseph DePalo
3 min read
HackTheBox Jerry Write-Up

Jerry is an easy-difficulty Windows machine on HackTheBox showcasing how to exploit Apache Tomcat to achieve remote code execution (RCE). Default credentials are used to access Apache Tomcat’s manager app, which can be used to upload a malicious WAR archive that allows us to open a shell on the remote Windows machine under the privileged user NT AUTHORITY/SYSTEM.

  • OS: Windows
  • Difficulty: Easy
  • Services: Apache Tomcat
  • Vulnerabilities: Default Credentials, Arbitrary File Upload, Remote Code Execution

Reconnaissance

As with all machines, we start our reconnaissance with a simple port scan using nmap.

nmap

nmap shows Apache Tomcat running on port 8080 and that the target is a Windows machine. Navigating to http://10.10.10.95:8080/, we find the default homepage for Apache Tomcat.

Apache Tomcat

We see there is a button called “Manager App”, which may lead us to an admin portal of some kind.

Accessing the Manager App

Upon trying to access the manager app, we’re prompted for a username and password. Default credentials like admin:admin and admin:password do not work, and we are redirected to the below 403 page after an unsuccessful login.

403 denied

On the 403 page, the credentials tomcat:s3cret are given as an example. Unfortunately, we are no longer able to login via our current browser session without clearing our browsing data. Instead, we can simply open the same page in a private tab (ctrl+shift+p on Firefox).

Upon entering tomcat:s3cret, we gain access to the manager app.

Manager homepage

The applications at the top of the page aren’t of much interest, but scrolling down we see an upload form for .war files.

WAR upload form

Uploading a Malicious Payload

Searching online for Apache Tomcat Manager upload exploits, we find this Rapid7 exploit. Luckily, most of the exploits in Rapid7’s database can easily be run via Metasploit. We open Metasploit with the command msfconsole and select the appropriate exploit, exploit/multi/http/tomcat_mgr_upload, as instructed on the Rapid7 web page. We’ll have to set several options for this exploit to work properly with the command set NAME VALUE.

  • HttpPassword -> s3cret
  • HttpUsername -> tomcat
  • RHOSTS -> 10.10.10.95
  • RPORT -> 8080

Now that the module options are out of the way, we need to configure our payload and target. Since we are targeting a Windows machine, we must set the target ID appropriately. show targets indicates we should set the target ID to 1 (set target 1). We also change the payload to windows/meterpreter/reverse_tcp instead of the default java/meterpreter/reverse_tcp.

By default, your primary interface will be used as the value for LHOST, your local machine. I am connecting to the box via OpenVPN, so I need to change this to the address of my VPN interface (set LHOST tun0). When complete, your options should look like what is shown below.

Msfconsole completed options

Upon typing exploit, everything runs successfully and we now have a shell on the remote system!

Meterpreter shell

Dropping into a Windows shell from Meterpreter, we run whoami and, surprisingly, we are already running as NT AUTHORITY/SYSTEM, a default user with administrator privileges.

Flags

As usual, the appropriate flags are located in the Desktop directory of the appropriate users. It seems in this case, both the user and root flags are stored in C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt. Using the type command, we are able to print their values.

Flags

Conclusion

That concludes Jerry, a relatively simple machine with a straight forward path to root. To summarize, we took advantage of several security flaws present in this box:

  • Exposed default homepage
  • Default credentials
  • Insecure file upload
  • Service running as privileged user
Write-Ups
CTF
This post is licensed under CC BY 4.0 by the author.

Trending Tags

Home Lab AppSec CTF DFIR