This is VulnNet: dotjar from THM. It’s medium rated, and says:
A new machine means a new web implementation. Foothold should be rather easy-going as long as you connect the dots. Privilege escalation might depend on your Java knowledge, don’t worry though, I’m rather a person who avoids Java and I still had a lot of fun working on this machine.
Ports
8009 and 8080 only. Port 8009 is Apache Jserv (Protocol v1.3); this will be important.
8080
We have Apache Tomcat, which I’ve seen in several CTFs now and usually with default credentials. However, that isn’t the case today - I tried a few; nothing. Now what?
8009
Apache Jserv (Protocol v1.3) is vulnerable to the Ghostcat LFI vulnerability, which is also explained here. There is an exploit on github, and we can use it as the Medium blog describes, firstly to read WEB-INF, and then:
With our credentials, we can log in - but notice the line above:
GUI access is disabled for security reasons.
So it’s CLI all the way.
Generate a payload with MSFVENOM
And send it up the line:
Start a listener and visit http://10.10.124.0:8080/hack/ in the browser (or curl I guess):
Boom, we’re on.
Privesc
It takes some enumeration, but we find a hash for our next user:
From this there is a hash you can crack with John, and su to jdk-admin.
Root
Okay so we need an executable JAR file to run; I want one to give me a reverse shell. I get it from here, but it’s for Windows. Nevermind, just change this:
Process p = new ProcessBuilder(“C:\Windows\System32\cmd.exe”).redirectErrorStream(true).start();
to this:
Process p = new ProcessBuilder(“/bin/sh”).redirectErrorStream(true).start();
We need to compile it and turn it into an executable JAR:
Note I had a newer JDK than the box and it wouldn’t work, hence the –release 8 option. Upload the file and run it (yeah, it took me a few goes):