Jerry

Jerry is a Windows-based CTF from HackTheBox.

Initial

Attempted to browse to the host on the default HTTP port, but got no response.

Confirmed the host is alive with ping.

That narrows the approach a little. Let's jump directly into scanning.

Scanning

Nmap

Couldn't browse to the host on port 80.
Perhaps there are other interesting services.

The initial nmap scan failed as if the host were down: nmap's host-discovery probes went unanswered, even though ping was.
Ran nmap with the -Pn flag instead, which skips host discovery and scans the ports regardless. That worked.

It found a single open port, 8080, which I scanned again with version detection to enumerate the service.
This was also obvious after browsing to the IP on 8080.
It's an Apache Tomcat service.

Didn't find anything more, unfortunately, so it looks like Tomcat is what we're attacking today.

Attacking tomcat

Fortunately, I've got a little experience attacking Tomcat.
In previous CTFs I've come across a few versions. Most attacks require access to the Tomcat Manager application, which can deploy arbitrary web applications.

Let's try to find the exact version of Tomcat the system is running, and whether we can get into the manager.

Browse to host

The version is shown at the top of the default page.

Apache Tomcat/7.0.88

Access manager app

Clicking around, I found the manager application.
As usual, it requests a username and password.
Whichever genius set up this installation enabled the sample credentials from Tomcat's stock tomcat-users.xml (they ship commented out, and should stay that way):

tomcat:s3cret

These let us log in.

We can access both the status page and the HTML manager.

http://10.10.10.95:8080/manager/status
http://10.10.10.95:8080/manager/html

We can likely access more, but these two are linked from the home page.

Find potential attack vector

I searched around for somewhere to upload a payload.
The /manager/html page lets us upload and deploy WAR files, which Tomcat unpacks and runs as a web application.

http://10.10.10.95:8080/manager/html

See the Deploy section.

MSFVenom WAR payload

We can generate a payload with msfvenom.
Tomcat is Java-based and executes JSP files, so the payload needs to be a JSP reverse shell packaged in WAR format, the archive format the manager deploys.

Upload payload

Now that we have a payload, let's upload (deploy) it. Click Browse, select the WAR, then Deploy. A new entry is added to the application list.

The application takes the name of the WAR file you deployed.

To execute the reverse shell, simply browse to that application's URL. In this case we browse to /shell, as we uploaded shell.war; Tomcat compiles and runs the JSP on the first request.

But, before we execute the shell we need to start a listener for our reverse shell.

Get shell

We'll use netcat listening on port 4443.
After starting the listener, navigate to the deployed application's path.
This gives us a shell.

Getting user & root flag

Now that we have shell we can look around for more info.

This system is pretty poor in terms of security. Tomcat is running under a highly privileged account, since we can navigate directly into the Administrator's Desktop directory and read the flags. A single flag file there gives us both the user flag and the root flag.

And there we have it. Jerry complete.
