Jerry HTB Writeup w/o Metasploit

Welcome! This next HTB machine were pwning is called Jerry. This is the third box were completing in preperation for the OSCP. This box is ranked easy so the process of exploiting this one should be straight forward.

Let’s get started.

Enumeration

First we run our nmap scan to see what services are running on the machine. Remember enumeration is the most important part of ethical hacking so we need to be thorough.

So I ran my initial nmap scan as

nmap -A 10.10.10.95

• -A Enable OS detection, version detection, script scanning, and traceroute.

Let’s try running nmap with the -Pn option.

nmap -Pn 10.10.10.40

• -Pn Treat all hosts as online
• 10.10.10.95 is the IP address

So it looks like the machine is running http-proxy on port 8080.

Before we move any further lets try to run a UDP scan to be thorough.

nmap -sU 10.10.10.40

• -sU UDP scan
• 10.10.10.95 is the IP address

Nothing interesting in our UDP scan results so lets see what we can find on port 8080 by pulling it up in the browser.

Looks like an apache server is running here. This is definitely interesting. This is the default page for the server which indicates they do not have anything running on the server yet. I’m going to see if I can login to the management portal from here.This is the default page so I’m hoping they never changed the default username/password for the server. I discovered the path to the management portal is listed under documentation on the webpage. (https://10.10.10.95:8080/manager/html).

After trying to login to the server I ran into a (401 unauthorized) error page which is the response I triggered when I tried to login with the wrong credentials. The error page also gave me the default username (tomcat) and password (s3cret) for the server. This is the result of an improper error handling vulnerability working out in our favor. I’m going to try to use these leaked credentials to login into the management portal.

It worked ! Great so now that I have access to the management portal I should be able to upload a reverse shell here. The management portal gives us the option to upload WAR and jsp files. I’m going to use msfvenom to create a WAR reverse shell and upload it to the server.

Reverse shell created. Now let’s upload it to the server by clicking “Browse..” and selecting the drkcalc.war file we created.

Okay now that the reverse shell has been uploaded to the server we are going to set up a listener and run the war file through the browser. This should allow us to pop a shell.

Ran the file through the browser.

Bet ! Our reverse shell worked and now we have a shell. Now I’m going to run “whoami” to see what level of privileges I have. If I have authority/system privileges then I will have access to the root and user flags on the machine and then I am officially finished here.

Great ! We’re done.

Lessons Learned

This machine was pretty simple. I ended up going down a rabbit hole initially trying to test webdav since the PUT method was allowed on the machine but then I discovered an easier way to get a shell. I learned there is more than one way to exploit a machine. That is what makes hacking an artform. I was able to use my creativity here to spawn a shell without using metasploit so my mission was accomplished.