Jerry — HackTheBox writeup

Another machine from the Mayor’s and TJnull’s OSCP list. This is an easy one that can be done in two different ways, and we will take a look at both.

Let’s scan the IP we have with nmap to enumerate the ports and services.

We have port 8080 open and it’s running Apache Tomcat.

Going to the page shows the default page. Something we see is: “If you’re seeing this, you’ve successfully installed Tomcat. Congratulations!”. This means it’s probably a fresh install.

Choosing “Server Status”, “Manager App” or “Host Manager” will bring up a login popup, and if you cancel out of it you will be redirected.

On the page you are redirected to, we see the credentials tomcat:s3cret

Use them at the login prompt and you get logged in.

There is an option to deploy WAR files.

Generate a WAR payload with msfvenom.

Once that’s done you can select your shell and deploy it.

When it’s uploaded you will see it in the list of applications.

Reload it, fire up a netcat listener and then navigate to /shell.

You should receive a connection as NT AUTHORITY\SYSTEM.

Navigating to the Administrator folder we see a “flags” directory.

We get two flags for the price of one ¯\_(ツ)_/¯

You can also go through the box with Metasploit. Start Metasploit.

And search for “tomcat”.

Among the results we see an authenticated upload code execution module. Select it and set the options.

I set the HttpPassword, HttpUsername, RHOSTS and RPORT. Run it and you should get a meterpreter shell.

We can pop a shell and we would be running as Administrator.

If you did not try to log in to the manager page to find the credentials, there is a Metasploit module that would have found the username and password. It is “auxiliary/scanner/http/tomcat_mgr_login”. We select it and set the options. In this case it would be only the target IP.

Running the module tries to brute-force the login page.

Eventually it will find the password.
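On the defending side, both the WAR deployment through the Manager App and the password guessing against the manager login leave a recognizable trail in Tomcat's access log. The following is an added example, not part of the original writeup: it assumes the access log uses Tomcat's "common" pattern, and the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
# Manager endpoints that accept a WAR: HTML form upload and the text interface.
DEPLOY = re.compile(r"^/manager/(html/upload|text/deploy)\b")

def analyze(lines, fail_threshold=5):
    """Return (kind, client_ip, detail) findings for Manager App activity."""
    fails, findings = defaultdict(int), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m.group(4).startswith("/manager/"):
            continue
        ip, user, method, path, status = m.groups()
        if status == "401":
            fails[ip] += 1          # failed or missing Basic auth
        elif status == "200" and user != "-":
            if fails[ip] >= fail_threshold:
                findings.append(("login_after_failures", ip, f"{user} after {fails[ip]} x 401"))
            fails[ip] = 0
            if method in ("POST", "PUT") and DEPLOY.match(path):
                findings.append(("war_deploy", ip, f"{user} {method} {path.split('?')[0]}"))
    # Guessing runs that never produced a successful login.
    for ip, n in fails.items():
        if n >= fail_threshold:
            findings.append(("bruteforce_no_success", ip, f"{n} x 401"))
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder nonce).
def _l(ip, user, req, status):
    return f'{ip} - {user} [01/Jan/2024:10:00:00 +0000] "{req} HTTP/1.1" {status} 1024'

SAMPLE = (
    [_l("203.0.113.7", "-", "GET /manager/html", 401)] * 6
    + [_l("203.0.113.7", "tomcat", "GET /manager/html", 200),
       _l("203.0.113.7", "tomcat", "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER", 200),
       _l("198.51.100.9", "-", "GET /manager/html", 401),    # normal browser prompt
       _l("198.51.100.9", "admin", "GET /manager/html", 200),
       _l("198.51.100.9", "admin", "GET /index.jsp", 200)]    # outside /manager/, ignored
    + [_l("192.0.2.50", "-", "GET /manager/html", 401)] * 8
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

A single 401 followed by a 200 is what a normal browser login looks like, which is why the threshold sits above one; a `war_deploy` finding from an address that is not an administrator's workstation is the event worth alerting on.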

That was pretty much it for Jerry. I hope you enjoyed the machine and the writeup. Cya around.



