Writeup: Hack The Box - Machines - Jerry

Description

  • Name: Jerry
  • IP: 10.10.10.95
  • Author: mrh4sh
  • Difficulty: 1.9/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.95

PORT     STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Pwn

A full-range scan shows the machine exposes only port 8080, the default port of the Tomcat HTTP connector, and the title identifies the version as Tomcat 7.0.88.

Browsing to the Manager application (/manager/html) prompts for HTTP Basic credentials; when authentication fails, Tomcat returns a 403 error page.

That error page includes Tomcat's standard example of a tomcat-users.xml entry, a user named tomcat with password s3cret. On this box those example credentials are the real ones: logging in with tomcat / s3cret gets us into the Manager.

With valid Manager credentials we can use Metasploit's exploit/multi/http/tomcat_mgr_upload, which deploys a WAR containing a JSP payload through the Manager interface and hands us a Meterpreter session. The options to set are RHOSTS (10.10.10.95), RPORT (8080), HttpUsername (tomcat) and HttpPassword (s3cret), plus the payload and LHOST for the reverse connection.

With the session open we were unable to find the user flag in the default path, so we asked for a machine reset.

On the reset machine we saw that the user and root flags were together in a file under C:\Users\Administrator\Desktop\flags. This is the default configuration, so there is no privilege escalation needed at all…lame!

Flags

user: 7004dbcef0f854e0fb401875f26ebd00

root: 04a8b36e1545a455393d067e772fe90e