![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/Jerry-1.png?fit=1024%2C409&ssl=1)
Hack The Box – Jerry Walkthrough
Introduction
This was a very easy box, as it involved logging into the Tomcat Web Application Manager using default credentials, deploying a new application using a malicious .war Java reverse shell and gaining a reverse shell by navigating to it.
Enumeration
The first step is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
- -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-129.png?resize=797%2C195&ssl=1)
Enumerating HTTP
When browsing to the web server, it shows the Tomcat default home page:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-130.png?resize=752%2C404&ssl=1)
When navigating to the /manager page, which is used to manage Tomcat applications, a login prompt appears:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-131.png?resize=810%2C450&ssl=1)
Searching on Google for default Tomcat credentials:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-133.png?resize=810%2C395&ssl=1)
After trying a few of the default credentials, tomcat/s3cret allows logging in:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-132.png?resize=720%2C344&ssl=1)
Tomcat .war file upload exploitation
Tomcat allows .war files, which are archives containing Java web pages, to be deployed as applications; this can be used to upload a reverse shell and execute it to gain remote access.
Generating some shellcode and saving it as a .war file using MSFvenom with the following flags:
- -p to specify the payload type, in this case the Java reverse shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-134.png?resize=724%2C57&ssl=1)
Attaching the file to the “Deploy” section of the manager page:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-136.png?resize=810%2C189&ssl=1)
After deploying the .war file, the application is available in the list:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-137.png?resize=810%2C227&ssl=1)
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-138.png?resize=665%2C70&ssl=1)
Navigating to the newly deployed application in order to trigger the shell:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-139.png?resize=810%2C108&ssl=1)
This has granted a reverse shell as expected:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-140.png?resize=719%2C123&ssl=1)
As the current user is already SYSTEM, no privilege escalation is required:
![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/01/image-141.png?resize=564%2C84&ssl=1)
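From the defender's side, the chain above (repeated Manager login attempts, a .war upload, then a first request to the new application) leaves a recognisable trail in Tomcat's access log. The following is an added example, not part of the original walkthrough: it assumes the access log uses Tomcat's "common" pattern, and the log lines, addresses, threshold and application name "app1" are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's "common" access log pattern (%h %l %u %t "%r" %s %b).
# Addresses, timestamps and the context name "app1" are made up for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2021:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - - [20/Jan/2021:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - - [20/Jan/2021:10:00:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - tomcat [20/Jan/2021:10:00:14 +0000] "GET /manager/html HTTP/1.1" 200 17213
192.0.2.10 - tomcat [20/Jan/2021:10:02:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 18544
192.0.2.10 - - [20/Jan/2021:10:03:02 +0000] "GET /app1/ HTTP/1.1" 200 0
198.51.100.7 - - [20/Jan/2021:10:04:00 +0000] "GET /docs/ HTTP/1.1" 200 19367
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)\b')

def analyse(log_text, fail_threshold=3):
    """Return a list of (client, finding) tuples for Manager abuse indicators."""
    failures = defaultdict(int)   # client -> 401s on /manager since last success
    deployed = set()              # clients that just deployed an application
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, user, method, path, status = m.groups()
        if path.startswith("/manager"):
            if status == "401":
                failures[client] += 1
            elif status == "200" and user != "-":
                if failures[client] >= fail_threshold:
                    findings.append((client, f"login as '{user}' after {failures[client]} failures"))
                failures[client] = 0
            if DEPLOY.match(path) and method in ("POST", "PUT") and status == "200":
                deployed.add(client)
                findings.append((client, "application deployed via Manager"))
        elif client in deployed and method == "GET":
            findings.append((client, f"request to {path} after deploy"))
            deployed.discard(client)
    return findings

if __name__ == "__main__":
    for client, finding in analyse(SAMPLE_LOG):
        print(client, finding)
```

On a production server, any of these findings from an address outside the administration network is worth an alert; restricting access to /manager and replacing the default credentials removes the entry point altogether.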
Conclusion
This is probably one of the easiest boxes on Hack The Box, although it can be really useful if you haven’t exploited Tomcat .war applications before, as it is quite a common attack that every penetration tester should know.