Jerry HTB

Allen
Jan 19, 2021
Verified the connection with a ping, then began the nmap scan.
We see that port 8080 is open, so we immediately go to the website.
Once at the website, the Manager app is a login portal, so we go to Google to find default Tomcat credentials we can try to get access.
Copy the credentials into a text file; we will use them later.
Now configure Burp Suite to intercept traffic.
NOTE: The page won’t load while traffic is being captured. You can turn intercept off if need be.
Here is the login page I was referring to earlier. We will attempt to log in with the credentials we got from Google.
Note that in line 10 of the intercepted request the credentials are base64-encoded (HTTP Basic auth). Let's forward it to Decoder to verify this.
I attempted to log in with tomcat as the username and tomcat as the password, just as a test.
Now let's use the credentials we found on Google and try to brute-force our way in.
Because the credentials are sent in base64, we have to turn our list of credentials into base64 as well.
Take the space between each username and password and replace it with a colon, just as it appeared in the Burp Suite decoder (Ctrl + H, replace all).
You could manually go through each one or use this method; it doesn't matter.
Example of turning one into base64:
Successfully turned all the other credentials into base64.
A for loop means we do something repeatedly until we are finished with everything there is to do.
For each cred in tomcat.txt we assign it to $CRED and convert it to base64.
By adding the $ character around the base64 value, we let Burp Suite know that this is the position we want to replace.
Start the attack.
Look at that, we even verified it by sending the request to Repeater and getting a 200 OK.
So now let's decode it.
If you go back to the credential list we got from Google, you will see that tomcat:s3cret is in that list.
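Two things worth seeing in code from the steps above: that the "base64 encryption" in the intercepted request is plain encoding that anyone reading the traffic can reverse, and what the Intruder run looks like from the server side. The following is an added example, not code from the original post. The Authorization header and the Tomcat access_log lines are constructed sample input (the 10.10.14.5 source address and the timestamps are made up); the header carries the tomcat:s3cret pair the walkthrough recovered, and the log follows Tomcat's default AccessLogValve pattern.

```python
import base64
import re
from collections import defaultdict

# Constructed sample: an intercepted request header like the one seen in Burp.
# The credential pair tomcat:s3cret is the one the walkthrough recovered.
SAMPLE_AUTH_HEADER = "Authorization: Basic dG9tY2F0OnMzY3JldA=="


def decode_basic_auth(header_line):
    """Return (username, password) from an HTTP Basic Authorization header.

    Basic auth is base64 encoding, not encryption: anyone who can read the
    request (an intercepting proxy such as Burp, or a sniffer on plain HTTP)
    recovers the credentials simply by decoding them.
    """
    m = re.match(r"Authorization:\s*Basic\s+(\S+)", header_line, re.I)
    if not m:
        raise ValueError("not a Basic auth header")
    raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


# Constructed Tomcat access_log lines (default AccessLogValve pattern:
# host, identd, user, [time], "request", status, bytes). A failed Basic auth
# attempt logs "-" as the user and a 401 status; one source IP producing a
# burst of 401s against /manager/html is the footprint of the Intruder run.
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [19/Jan/2021:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jan/2021:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jan/2021:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jan/2021:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [19/Jan/2021:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [19/Jan/2021:10:01:04 +0000] "GET /manager/html HTTP/1.1" 200 19234
192.168.1.20 - - [19/Jan/2021:10:05:00 +0000] "GET /docs/ HTTP/1.1" 200 8012
192.168.1.21 - - [19/Jan/2021:10:06:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def find_manager_bruteforce(log_text, threshold=5):
    """Flag sources with >= threshold 401s against /manager/.

    Returns (flagged, compromised): flagged maps each offending IP to its
    failure count; compromised is the subset that went on to get a 2xx from
    the Manager app after crossing the threshold, i.e. the guessing worked.
    """
    failures = defaultdict(int)
    success_after = defaultdict(bool)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/manager/"):
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        if status == 401:
            failures[ip] += 1
        elif 200 <= status < 300 and failures[ip] >= threshold:
            success_after[ip] = True
    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return flagged, {ip for ip in flagged if success_after[ip]}


if __name__ == "__main__":
    print(decode_basic_auth(SAMPLE_AUTH_HEADER))
    print(find_manager_bruteforce(SAMPLE_ACCESS_LOG))
```

The threshold of five failures is a constructed value for the sample; on a real Manager app that is only reached by a handful of operators, any 401 burst from one address deserves a look, and the 401-then-200 pattern is the one to alert on.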
Login successful. Similar to the FTP file upload and then execute, we use the same methodology here with a WAR file.
Google "msfvenom cheatsheet" and get a payload for WAR.
Save the payload.
Deploy the payload.
Execute the payload.
We have a shell (something to note: use the actual IP address, don’t put tun0).
You could just type ‘2 for the price of 1.txt’ and get the flags, but I didn’t know that at the time, so I created a meterpreter shell and did it from there.
Meterpreter payload.
After we created the msfvenom payload for the meterpreter shell, we hosted a Python web server so we could get this payload onto the Apache Tomcat machine.
Go to the IP address of the machine running the Python web server to see all the files you just hosted. (If you ever did the Gatekeeper room on THM you know this is a similar process to getting the gatekeeper.exe file onto the system.) Also note that this is similar to uploading something to the FTP server in the Devel box on HTB.
Once we executed sh.exe, by browsing to the website and including the directory, we got a meterpreter shell.
Navigate to the root.txt flag.
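The WAR deploy only worked because an account with a shipped example credential held the Manager roles. The check an administrator would run against conf/tomcat-users.xml is shown below as an added example, not code from the original post. Both XML documents are constructed: the weak one mirrors the state the walkthrough exploited (Tomcat's commented-out example user uncommented unchanged), the hardened one uses an invented account name, deploy-ops, with a placeholder where a digested password belongs. The default-credential list contains only the two pairs that appear on this page; a real audit would use a maintained list.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml in the state the walkthrough exploited.
WEAK_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

# Constructed hardened version: a non-default account name (deploy-ops is
# invented), a digested password (placeholder), and only the role it needs.
HARDENED_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="deploy-ops" password="REPLACE_WITH_DIGEST" roles="manager-gui"/>
</tomcat-users>
"""

# Roles that allow deploying code or administering the server.
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Only the pairs this walkthrough tried; extend from a maintained list.
KNOWN_DEFAULT_CREDS = {("tomcat", "tomcat"), ("tomcat", "s3cret")}


def audit_tomcat_users(xml_text, known_defaults=KNOWN_DEFAULT_CREDS):
    """Return a list of findings for risky <user> entries in tomcat-users.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Tags are namespaced ({http://tomcat.apache.org/xml}user); strip it.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue
        if (name, pw) in known_defaults:
            findings.append(
                f"{name}: default/example credential holds {sorted(privileged)}"
            )
        # Tomcat's manager how-to advises against giving one account both the
        # browser GUI role and the script/JMX roles, to limit CSRF impact.
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append(
                f"{name}: manager-gui combined with manager-script/manager-jmx"
            )
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_TOMCAT_USERS), ("hardened", HARDENED_TOMCAT_USERS)):
        print(label, audit_tomcat_users(doc) or ["no findings"])
```

Restricting which addresses may reach the Manager app at all (Tomcat ships a RemoteAddrValve in the manager's META-INF/context.xml for this) is the other half of the fix; this script only covers the account side.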

In this machine we discovered that default credentials are bad. We also learned about Burp Suite and how effective it is for web application pentesting: we were able to intercept traffic, decode base64, and perform a brute-force attack. We also uploaded a file to a server and fetched it from there, as we did in the Devel box.

Allen

eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the eCPPTv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.