hackthebox.eu: Jerry Walkthrough
After many recommendations from friends and colleagues I finally joined on hackthebox.eu and I can say after messing around on their website and interface that I am impressed! It reminds me of the OSCP lab environment which is a compliment for sure. I like that people can create and add their own targets to it and the overall voting system is good to find a quick challenge or something you can really sink your teeth into.
With that in mind, I chose a windows machine named Jerry for my first foray into hacking the box.
After many recommendations from friends and colleagues I finally joined on hackthebox.eu and I can say after messing around on their website and interface that I am impressed! It reminds me of the OSCP lab environment which is a compliment for sure. I like that people can create and add their own targets to it and the overall voting system is good to find a quick challenge or something you can really sink your teeth into.
With that in mind, I chose a windows machine named Jerry for my first foray into hacking the box.
FAIR WARNING - SPOILERS AFTER THIS POINT
Here we go!
I started off with a quick nmap scan of the IP (10.10.10.95) that I got from IppSec’s great YouTube tutorials.
nmap -sV -sC host
nmap output from initial scan
This showed that the target is running Apache Tomcat on port 8080. Immediately I know the first thing to try. It is very common to find administrators that forget to change their admin password from one of the defaults and Metasploit makes it quick to check. Makes sense to start here before trying harder things.
msfconsole
use auxiliary/scanner/http/tomcat_mgr_login This module takes a lot of possible settings, but the only ones we really care about are RHOSTS and THREADS. We need to target Jerry and bump up the threads so we don’t have to wait as long (I’m impatient). Once that’s set, type run and wait for it to churn through.
Success in finding a default login credential set
Gotta love that bright green! So now we have a tomcat administrator login. You’d be surprised how many times you can find this on live tests. It seems that no matter how many times people are told, they still forget to finish off a deployment by changing a password. And a lot of times that one crack in the wall is all you need. Let’s see what we can do with this.
Time to look through Metasploit some more. Wikipedia tells us that Tomcat "implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run” (https://en.wikipedia.org/wiki/Apache_Tomcat). And I know this means we can deploy our own code to it to run. Metasploit makes this even easier with several modules. Also, just a CTF observation… challenge creators can’t help but be witty… Jerry, Tomcat, lol. I think we’re on the right path.
So there are two MSF modules that may be useful
exploit/multi/http/tomcat_mgr_deploy
exploit/multi/http/tomcat_mgr_upload
I’ll be honest. I tried mgr_deploy first and had no luck. Even when messing around with different payloads. So I decided to move on to the upload and see if that one works.
Settings for my Metasploit module
Important things to note here. This module is set out of the box as port 80. That needs to be changed if you have a different port to target. I changed my target to Windows and my payload to Meterpreter reverse TCP as that will give me some more options over a more generic shell.
Getting a successful meterpreter
SUCCESS! Now we have a shell on the box. Let’s find out the lay of the land.
This shows that we’re running as system. This can be a good thing, but if we have to be in the context of the user we could have some problems. Doing a process listing shows that there don’t seem to be any users logged in with programs open. Weird, but that doesn’t mean we’re done. Let’s see what’s on this machine’s drives.
We are dropped in the C:\apache-tomcat-7.0.88 folder, but running as system we should be able to move around. Looking in the sub-folders of where we are isn’t very interesting, so let’s go to the main drive.
Not a whole lot of interest here and the dates are all pretty similar so nothing jumps out at me as needing to be reviewed RIGHT MEOW! I’ll start with my usual Users folder then and see what interests me there.
I frequently use the modified date to narrow my search
Now we see a difference. Everything is 2013 except for the Administrator directory. Let’s see what’s going on there.
This screenshot looks mostly boring right? But there’s a small difference in the Desktop folder date so I’ll check that. I always make sure to check at least Desktop, Documents, Downloads, and Favorites on my test engagements. People dump all sorts of stuff in all of those folders and forget it’s there. I’ve found so many sensitive docs in the downloads folder just hanging out. Anyway, on to the Desktop!
I spy an interesting directory
I think we’ve found what we’re looking for…
This is where I started reviewing the rules of HackTheBox. I found that I needed a user and a root flag and thought I was just getting started…
that was unexpected…
Or not. Once I ran cat on that file I had both of my flags and turned them in for my first points.
Overall this is a pretty easy example, but as I have said I still see this out in the wild from time to time and old techniques can be useful. Also, it’s good to remember to just look everywhere in an environment. You never know what little tidbit of information you gather will be the key to a door you haven’t found yet. Thanks to hackthebox for being a lot of fun and really cool and to mrh4sh on HackTheBox for making it.