Welcome to HTB JERRY!
This box is fairly straightforward and not too much in terms of tricks or curveballs. I absolutely love this box as a starter machine because albeit simple, it still highlights some basic fundamentals as hackers we should all be aware of.
As always to start off by enumerating our target IP with an nmap scan:
nmap -sC -sV -Pn -T4 [TARGET_IP] -oA HTB_Jerry
Here’s a breakdown of the nmap switches I used:
nmap = the tool -sC = equivalenet to --script=default (optional) -sV = probes open ports to determine services running -Pn = skips host discovery, treats them all as their online -T4 = speeds up the scan [TARGET_IP] = the IP address of the target machine -oA = output the results into the 3 major formats HTB_Jerry = filename I gave to the three files outputted by -oA
So clearly the only nugget of information we got is that there is a webserver running on port 8080. Specifically its running Apache Tomcat/Coyote JSP engine 1.1
Let’s visit this web address and see what we can find. Maybe an admin panel or something of the sorts.
Okay, now I have never used Apache Tomcat but regardless there are few things here, that Manager App looks interesting. Let’s click it and see.
Now this is where I needed to take a step back. I remember when I first did this box, I came across this login screen and started thinking things like brute force, hydra, rockyou.txt, SecLists and thought to myself where the hell do I start!?
Well lets slow it down and enter some text like admin:admin.
Access Denied! Dammit. But here’s an oppurtunity for another great lesson. Always read your error messages! This one in particular gives you a huge clue as to what the password may be.
But lets say for a moment we didn’t read it or maybe we missed it or maybe it was a different page that just said “Access Denied”. Lets go to google and search for some common default credentials for this version of Apache Tomcat.
First hit looks interesting.
And look at that! This entry looks awfully familiar doesn’t it? It was the same one we got on the Access Denied page. Lets clear our cookies, refresh the page and try this default user/pass combo.
Bingo! And we’re in.
Now is a good time to scroll this page and see if anything in this admin panel looks of interest to us.
Hmm…upload a file? This is definitely interesting. As attackers/pentesters/whatchmacallits anytime we have an opportunity to upload a file is a big deal. Maybe we can upload a file, in this case a WAR file and we can get ourselves a reverse shell?
Now I don’t even know what a WAR file is but it doesn’t matter. All I know is that I can upload one.
Lets hit the google and see what we can find regarding Reverse Shells and WAR files.
A couple of results regarding WAR backdoors and malicious WAR upload files. I think we’re on the right track here!
Lets click on the first one and see what we got.
And in the middle of the page look what we got. A how-to on generating a .WAR Backdoor.
Lets see if it works.
Here’s a breakdown of the syntax:
-p = payload name LHOST= YOUR IP LPORT= port you will want to listen on with your netcat listener -f = file format > [filename] = name of the payload/file you are creating
Well the syntax looks correct! A payload was definitely created.
And if you want to be super hack-ish you could have named this exploit.war to look cool but for me shell.war was cool enough.
Now when you’re dealing with reverse shells, you going to have familiarize yourself with something called netcat.
Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP.
In other words netcat lets us issue commands via a reverse shell.
Now lets upload this WAR file to our Apache Tomcat Server.
Now before you travel to this page, lets head back to our terminal and open up that netcat listener we mentioned earlier.
For this I like to use a fresh terminal.
So now we are listening on port 4444. Lets click on the shell link in our server homepage or even travel to [TARGET_IP]:PORT/shell
Boom! And we have a connnection.
Now one thing you’ll notice right away is that commands like ‘ls’ and ‘pwd’ will not work here. Why? Because if you remember, this is a Windows machine. Windows command line uses different commands than a linux machine but no worries, Google is your friend and you can just google something like “how to ‘ls’ in Windows Command Line” and they will tell its simply ‘dir’.
Let’s step through on command line:
Here we use dir to list our directory. Not ‘ls’.
We still use ‘cd ..’ here as if we were in a linux machine. And we can see there is a Users Directory. Lets start there.
Administrator is always a great place to look at
When it comes to Windows, I like the idea of starting on the Desktop and working our way through the system from there.
Look a flags folder! Let’s see what is inside.
Bingo! And notice we need to use the ‘type’ command here not the ‘get’ or the ‘cat’ command.
And there you have it, two flags for the price of one. Always a good feeling when you can get the root flag and user flag in one shot.
So all in all, HTB Jerry was a fairly easy box but it highlighted a few core fundamentals :
- Always check for default credentials
- Don’t fluster yourself if you don’t know what a certain file type does
- Google is your friend