There’s a Tomcat installation with a default password set for the Web Application Manager. I’ll utilize this to upload a malicious WAR file, enabling the retrieval of a system shell and granting access to both flags

1. Enumerating services and ports using tools like nmap


Screenshot 04 06 2024 13.21.42

  1. sudo: This is a command used in Linux to execute another command with superuser privileges, typically requiring a password. Superuser privileges provide unrestricted access to system resources, allowing the command to perform actions that regular users cannot.
  2. nmap: This is a popular network scanning tool used to discover hosts and services on a computer network. It sends specially crafted packets to the target network and analyzes the responses to determine which hosts are available and what services are running on them.
  3. -p-: This option specifies that nmap should scan all TCP ports. The hyphen (-) represents a range of ports, in this case, it means scanning all ports from port 1 to port 65535. This is also known as a “full port scan”.
  4. --min-rate 10000: This option sets the minimum rate at which packets are sent during the scan. In this case, it specifies a minimum rate of 10,000 packets per second. This can help to speed up the scanning process but may also increase network traffic and potentially trigger intrusion detection systems.
  5. -sC: This option enables the default script scan. It runs a set of scripts against the target host to gather additional information about the services and applications running on the open ports. These scripts are designed to detect common vulnerabilities and provide more detailed information about the services.
  6. -sV: This option enables version detection. It instructs nmap to attempt to determine the version of the services running on the open ports. Knowing the version of a service can help identify vulnerabilities associated with that particular version.
  • Port 8080: It is open and running a service identified as “http” which is likely Apache Tomcat/Coyote JSP Engine 1.1.
    • http-favicon: The favicon associated with the HTTP service is indicative of Apache Tomcat.
    • http-server-header: The server header reveals “Apache-Coyote/1.1”, further confirming the presence of Apache Tomcat/Coyote JSP Engine 1.1.
    • http-open-proxy: This suggests that there may be an open proxy configured on the HTTP service.
    • http-title: The title of the web page served by Apache Tomcat is “Apache Tomcat/7.0.88”, indicating the specific version of Apache Tomcat installed.

2. Gathering information about the target machine and its configurations


Screenshot 04 06 2024 15.47.32

Screenshot 04 06 2024 16.10.17

3. Create war File

Let’s explore our current access and consider our options. It appears that we have the capability to upload WAR files to the server. After conducting a brief search on Google, I came across a tutorial on creating reverse shell WAR files in Metasploit. Without delay, let’s proceed with the next steps

Screenshot 04 06 2024 17.16.34

Screenshot 04 06 2024 17.18.33

4. Leveraging privilege escalation techniques

“NT AUTHORITY\SYSTEM” refers to a built-in Windows user account that represents the system itself. It is one of the most privileged user accounts in the Windows operating system. When a process runs under the context of “NT AUTHORITY\SYSTEM”, it has full access to system resources and privileges.

Screenshot 04 06 2024 15.53.00

Here’s what it represents:

  • NT AUTHORITY: This is the domain or authority under which the user account is defined. In this case, “NT AUTHORITY” is a built-in Windows authority that manages system-level security principals.
  • SYSTEM: This is the username within the “NT AUTHORITY” domain. The “SYSTEM” account represents the operating system itself. Processes running under this account have the highest level of privileges on the system.

“NT AUTHORITY\SYSTEM” is commonly used for system-level processes, services, and tasks that require elevated privileges, such as critical system services, drivers, and background processes. It is also used by certain Windows services and processes, including those associated with core operating system functions.

When you see “NT AUTHORITY\SYSTEM” associated with a process or activity, it typically indicates that the operation is being performed with the highest level of privileges and authority within the Windows environment.

Screenshot 04 06 2024 15.44.45

wmic qfe

The wmic qfe command is used in Windows systems to query the list of installed Windows updates (also known as “Quick Fix Engineering” updates). This command displays information about the installed updates, including the HotFixID, Description, InstalledOn (date), and other relevant details.

Screenshot 04 06 2024 15.50.49

The whoami command provides information about the current user context under which you are running. Additionally, you can utilize various switches with whoami, such as /priv and /groups, to gather more detailed information regarding the privileges granted to your user account and the security groups to which you belong.

Screenshot 04 06 2024 16.04.45

Screenshot 04 06 2024 16.05.00


Privilege escalation in the Windows operating system occurs when users gain access to more system resources or permissions than they were originally granted. This unauthorized elevation of privileges enables users to perform actions that they would not normally be able to execute. This typically involves transitioning from a lower-level user account to a higher-level one, such as the administrator or the built-in “NT AUTHORITY/SYSTEM” account.

read more about HACK THE BOX

Written by 

Related posts

error: Content is protected !!