Hack The Box - Jerry Walkthrough without Metasploit
Last updated
Last updated
We will use the following nmap command to enumerate the box:
We can see that it only has one port open, the 8080 and that it is running Tomcat/Coyote JSP engine 1.1 if we go to 10.10.10.95:8080 we are presented with the following page:
Since what we have on port 8080 is accessible through web our next step in enumeration is Gobuster (or Dirbuster or any other web enumeration tool you prefer).
We will run Gobuster with the following flags:
-w: here we will specify the wordlist to use in our case the directory-list-2.3-medium.txt from dirbuster
-t: number of threads in our case since its a CTF environment we will use 40, but for other cases its better to run it with a lower number.
On this first scan we found an interesting directory /manager, but if we run the scan one more time, this time with a different wordlist this time common.txt from dirb/wordlists:
We can see that this time we have more results, but the important one in this case /manager is in both scans, there are multiple lists deppending on what we are looking for.
While trying to access the /manager page we are presented with this prompt to enter user and password:
With a quick google search we find a list of default usernames and passwords for Tomcat installations:
In our particular case the combination is:
user: tomcat
password: s3cret
Once we're in the Tomcat Manager Interface we can see at the bottom of the page the Server Information:
Most of it we already know, but now we also know it's running on a Windows Server 2012 R2 and its amd64
On top we can see the current Tomcat Applications list:
And what we're interested in, the option to deploy a WAR file:
We are going to upload a reverse tcp shell created with msfvenom
Now we just upload the war using the Tomcat web application:
Once we have deployed it we will be able to see it in the lists of applications:
Set up a netcat listener:
And now we just click on the /evil application on the tomcat applications list to get a shell back.