Link: https://app.hackthebox.eu/machines/144

Enumeration

nmap port scan

Our port scan reveals only one open service: an Apache Tomcat web server running on port 8080.

Web Server

When going to the URL, it immediately takes us to a page about successful installation:

I clicked on the Manager App link and it immediately asks for a password. I opted to provide nothing and it takes us to a 401 forbidden page.

This page shows the credentials of the default Tomcat example user, tomcat:s3cret:

These credentials appear to work for the Manager App but not for Host Manager.

The Server Status page also tells us the Windows version, Windows Server 2012 R2:

I do some further research on this version of Tomcat and I come across an RCE via JSP Upload Bypass, part of the Metasploit suite of tools.

Attempt 1: JSP Upload Bypass

Let’s fire up Metasploit with msfconsole and see if this RCE will work for us. After running a search for tomcat, we can find the exploit under exploit/multi/http/tomcat_jsp_upload_bypass.

After setting the options and attempting to use each of the 4 payloads, it is unable to upload the payload.

Attempt 2: Manager Upload

From earlier, we were able to gain access to the manager page using the default credentials. On this page, we can see an upload:

After searching Metasploit again, there are two more exploits available for the deploy and upload features. We will use exploit/multi/http/tomcat_mgr_upload for this, leaving the default Java Meterpreter payload. Next I set the options for LHOST, RHOSTS, RPORT, HttpUsername and HttpPassword, then I exploit and we get a shell!

In the Meterpreter shell, I run shell to drop into PowerShell and I can see we are running as the SYSTEM account!

We can navigate to the Administrator’s desktop and here we can find both flags.
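The two weaknesses this write-up chains together are example credentials left in tomcat-users.xml and a WAR upload through the Manager application that nobody was watching for. The following Python script is an added example, not part of the original post or of Tomcat itself: it audits a tomcat-users.xml for deploy-capable accounts still using the stock example passwords, and scans Tomcat access-log lines (the default common log format) for successful deployments through the Manager endpoints. The config, log lines, IP addresses and usernames below are constructed for illustration.

```python
"""Audit helpers for the two findings in this write-up: example
credentials left in tomcat-users.xml, and WAR deployments through the
Manager application as they appear in the Tomcat access log.
Added example, not part of the original post; all sample data is constructed."""
import re
import xml.etree.ElementTree as ET

# Roles that allow deploying applications through Manager / Host Manager.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                "admin-gui", "admin-script"}

# Passwords that appear in the stock tomcat-users.xml example block.
# A deploy-capable account still using one of these is a finding.
EXAMPLE_PASSWORDS = {"tomcat", "s3cret", "admin", "password", ""}

# Manager endpoints that accept a WAR (HTML upload form, text interface,
# and the pre-Tomcat-7 path).
DEPLOY_ENDPOINTS = {"/manager/html/upload", "/manager/text/deploy", "/manager/deploy"}

# Constructed tomcat-users.xml: one account copied from the example block
# (the situation in the write-up), one with a real password, one read-only.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy-svc" password="Qv8!nL2#pXw9" roles="manager-script"/>
  <user username="status" password="tomcat" roles="manager-status"/>
</tomcat-users>
"""

# Constructed access log in Tomcat's default pattern: %h %l %u %t "%r" %s %b
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [03/Jul/2018:14:21:55 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [03/Jul/2018:14:22:01 +0000] "GET /manager/html HTTP/1.1" 200 11451
10.10.14.5 - tomcat [03/Jul/2018:14:22:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=8A4C HTTP/1.1" 200 11983
10.10.14.5 - tomcat [03/Jul/2018:14:22:11 +0000] "GET /xyzShell/ HTTP/1.1" 200 0
10.10.14.7 - deploy-svc [03/Jul/2018:15:01:00 +0000] "PUT /manager/text/deploy?path=/app&update=true HTTP/1.1" 200 45
10.10.14.9 - - [03/Jul/2018:15:05:00 +0000] "GET /docs/ HTTP/1.1" 200 8321
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def audit_tomcat_users(xml_text):
    """Return (username, sorted roles) for each account that holds a
    deploy-capable role and still uses one of the example passwords."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":   # strip the XML namespace
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & DEPLOY_ROLES and elem.get("password", "") in EXAMPLE_PASSWORDS:
            findings.append((elem.get("username"), sorted(roles)))
    return findings


def find_manager_deployments(log_lines):
    """Return one dict per successful (HTTP 200) POST/PUT against a Manager
    deploy endpoint, with the authenticated user and source host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]    # drop the query string
        if (m.group("method") in {"POST", "PUT"}
                and path in DEPLOY_ENDPOINTS
                and m.group("status") == "200"):
            hits.append({"host": m.group("host"), "user": m.group("user"),
                         "time": m.group("time"), "path": path})
    return hits


if __name__ == "__main__":
    for name, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[config] example password on deploy-capable account {name} ({', '.join(roles)})")
    for h in find_manager_deployments(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"[log] {h['time']} deployment by {h['user']} from {h['host']} via {h['path']}")
```

Every deployment that the script reports should map to a change ticket; a deploy by an account that the config audit also flagged, from an address outside the deployment network, is exactly the sequence this box walks through. The audit only catches passwords copied verbatim from the example block, so treat it as a floor, not a substitute for reviewing who actually needs the manager roles.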

Conclusion

This machine was pretty easy. I chose the wrong exploit at first, but after a little more digging, I found the file deployment in the manager’s page and found the associated exploit for that.
