Hack The Box – Jerry

Greetings, everyone!

After a long, long break, I’ve decided to return to the wonderful world of blogging my experiences on Hack the Box! I’m currently knee-deep in course material for Offensive Security’s OSCP certification, so I figured this would be a nice break from it! So without further ado, let’s get into it!

The box I’ve decided to attack for this post is called Jerry, and has the IP of 10.10.10.95. Let’s start off with an Nmap scan:

Only one port open: 8080. Well, let’s check it out to see what we can find!

We’re brought to an Apache Tomcat configuration page! After poking around for a bit on the landing page, the tab “Manager App” looks the most promising. Let’s click on that tab and see what happens:

I did a bit of Googling here for a default login. The first credentials I tried (tomcat, tomcat) were incorrect, but it brought me to an interesting error screen.

Do you see what I see? Looks like the error screen is giving us credentials to try to log in with! Let’s go ahead and try the given “tomcat/s3cret” creds:

Look at that, it worked!
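The login worked because the credentials shown on the error page were still configured for the Manager App. As an added example (not part of the original post), this script audits a tomcat-users.xml for accounts that pair a known password with a role that can deploy WAR files; the password list and the sample file are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# "s3cret" is the password from this post; the others are an assumed,
# non-exhaustive list of common defaults.
WEAK_PASSWORDS = {"s3cret", "tomcat", "admin", "password", ""}
# Manager roles that allow deploying applications (HTML GUI / text interface).
DEPLOY_ROLES = {"manager-gui", "manager-script"}

# Constructed sample input, not taken from the target box.
SAMPLE = """
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Xk9#vLq2!rT7wz" roles="manager-script, manager-status"/>
  <user username="monitor" password="tomcat" roles="manager-status"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return (username, severity, reason) for every risky <user> entry."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Newer Tomcat files declare a default namespace; strip it from the tag.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        user = elem.get("username", "?")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        weak = elem.get("password", "") in WEAK_PASSWORDS
        can_deploy = sorted(roles & DEPLOY_ROLES)
        if weak and can_deploy:
            # Known password plus deploy rights: the exact combination in this post.
            findings.append((user, "high",
                             "known password with deploy role " + ",".join(can_deploy)))
        elif weak:
            findings.append((user, "medium", "known password"))
        elif can_deploy:
            # Not weak by this list, but still worth restricting by source address.
            findings.append((user, "review", "deploy role " + ",".join(can_deploy)))
    return findings


if __name__ == "__main__":
    for user, severity, reason in audit_tomcat_users(SAMPLE):
        print(f"[{severity}] {user}: {reason}")
```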

After doing some enumeration on this page and research on Apache Tomcat vulnerabilities, it looks like we can upload a malicious WAR file to get a reverse shell, so let’s try it out. For this, we’ll create a shell using msfvenom:

Once the shell is created, we can upload it to the Tomcat server.

Now let’s open up a Netcat listener and launch the shell!

Awesome! Nothing better than getting a reverse shell with full System privileges right off the bat! Feels like we’re Le Champion of the hacking world!

Now let’s go grab those flags! We kind of lucked out here as both flags were located in one text file:

There you have it! And as an added bonus, here’s a little video I did of the walk-through! Enjoy!

Song – Frontier by Krale ft. Jasmina Lin & Jay Christopher