Jerry

Machine Level: Easy OS: Windows

Scanning

I ran an aggressive nmap scan using the -A flag as well as the no ping probe.

ajread@aj-ubuntu:~/hackthebox$ nmap -A [REMOTE IP] -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-06 19:32 EST
Nmap scan report for [REMOTE IP]
Host is up (0.019s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.82 seconds

Initial Access

It looked like I need to go after Apache Tomcat. I found a metasploit module (auxiliary(scanner/http/tomcat_mgr_login)that could scan the tomcat manager on port 8080. With the scanner, it guessed various common usernames and passwords. It found one!

I was able to log in to the Apache Tomcat instance. Based on the server, it looked like I could upload a WAR file "to deploy." I created a shell using msfvenom and pointed back to my IP.

It looked like uploading a file would place it as an application on the server. I started a netcat listener on my local machine and clicked on the application within the Apache Tomcat server.

The WAR reverse shell dropped me into a privileged shell! I was able to find both the root and user flags.

PreviousIrkedNextLegacy

Last updated