011#HTB - Jerry

Jerry - Title Card

Today’s room is Jerry from Hack the Box. I’ve been reading the room descriptions less lately because I realized that they often contain hints themselves, so from now on I will try to only read the description as a first hint when I get stuck.

I see an Apache Tomcat server running on port 8080 and nothing else. I started a gobuster scan and pulled up the site in my browser. The page is just the default page, but returning to our gobuster results we see there is a bit for us to explore.

The main ones of interest here are /host-manager and /manager. I googled default credentials for Tomcat and started going through a handful. When I tried admin/admin it seemed like I was getting logged in, but it kicked me to a “403 Unauthorized” page. Looking at the page, it mentions some default credentials I hadn’t tried yet of tomcat/s3cret. I had an issue here though because now it didn’t want to present me with the login portal. I found the login prompt at /manager is working though. I tried tomcat/s3cret here and I was able to get in.

So here we are logged into Tomcat Web Application Manager. I looked around here but wasn’t really sure what to do, so I googled “tomcat web application manager exploits”. This actually returned a bunch of articles from the past week, but seeing as this room was created in 2018 we know we can skip over those. That landed me on an article from Cyb0rgS that demonstrates a vulnerability we want to try.

This didn’t work for me though, so I kept moving through the search results. This article from Rapid7 shows that there is a Metasploit module for Tomcat File Manager uploads, so I spun up msf to give that a look.

Jerry - Exploit 2
Jerry - Exploit 3
Jerry - Exploit 4

I was surprised to see we are now NT AUTHORITY\SYSTEM! Now we just need to grab our two flags and get out of here. I first checked C:\Users but it was just Administrator and the Public user folder there. Since we are looking for a user flag I checked the Public folder, but it was empty. Moving over to the Administrator’s desktop folder we see a file named “2 for the price of 1.txt”. As you can guess from the name, it had both our flags.

Jerry - Flags
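The chain used above (guessing Tomcat Manager credentials, then deploying an application through the manager) leaves a clear trail in Tomcat's access log. As an added example that is not part of the original writeup, the script below runs a simple detector over constructed sample log lines in Tomcat's default access-log pattern; the IPs, timestamps, user name and nonce value are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's default access-log format
# (%h %l %u %t "%r" %s %b). All values are made up for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [15/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [15/Jan/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [15/Jan/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [15/Jan/2024:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [15/Jan/2024:10:00:06 +0000] "GET /manager/html HTTP/1.1" 200 18531
10.10.14.5 - tomcat [15/Jan/2024:10:00:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19002
192.168.1.20 - - [15/Jan/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 11156
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

MANAGER_PREFIXES = ("/manager", "/host-manager")
# The HTML form upload and the text-interface deploy endpoint both install a WAR.
DEPLOY_SUFFIXES = ("/upload", "/deploy")

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text, auth_fail_threshold=3):
    """Return findings keyed by client IP for manager-related activity.

    The first unauthenticated request always gets a 401 challenge, so a
    threshold above 1 keeps a normal single login from being flagged.
    """
    failures = defaultdict(int)
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIXES):
            continue
        ip, status = rec["ip"], int(rec["status"])
        path = rec["path"].split("?")[0]          # drop the CSRF nonce query string
        if status == 401:
            failures[ip] += 1
            if failures[ip] == auth_fail_threshold:
                findings[ip].append("repeated manager auth failures")
        elif status == 200 and failures[ip] >= auth_fail_threshold \
                and "manager login after repeated failures" not in findings[ip]:
            findings[ip].append("manager login after repeated failures")
        if rec["method"] in ("POST", "PUT") and status == 200 \
                and path.endswith(DEPLOY_SUFFIXES):
            findings[ip].append(f"application deployed as '{rec['user']}' via {path}")
    return dict(findings)
```

On a real host the same logic applies to the `localhost_access_log.*.txt` files under Tomcat's logs directory; a deployment by a manager account that should never deploy in production is the finding worth alerting on.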
