Jerry Walkthrough
Hello Everyone! Today we have another machine from HackTheBox βJerryβ, we will deal with this machine by using metasploit and by using manual exploitation, letβs see the machineβs info
Okay, letβs get startedβ¦
DNS Enumeration
At the first we will scan the IP of the machine 10.10.10.95 by nmap to know the open ports, service running, OS info and other info so the command will be
nmap -A -T4 -oG jerry.gnmap 10.10.10.95 and the results as you see here
You should note something wired, tomcat at normal doesnβt return the version but here it does so itβs something we may take it as entry point.
The second thing you should note is the port 8080 is open so letβs try to open it on the browser 10.10.10.95:8080
You will find the version of the server as we found before by nmap so note these informations
Iβve used exploit-db,rapid7 and searchsploit to search for CVEβs related to these keywords (tomcat / coyote / tomcat 7.0.88) and the results are recommending the same CVE
This CVE is to manage the manager or the admin to upload shell instead of war files so from these informations we need to be the manager or the admin (have an admin account) and then use Metasploite or Manual exploitation to open reverse shell. Letβs try first to get admin account
Website Enumeration
In this step we need to brute-force the directories trying to find any leaked data containing account credentials, so we will use fuff or dirbuster or dirsearch or gobuster or metasploit modules
Iβll use metasploit for this step
Iβve used scanner/http/dir_scanner to discover the hidden directories and as you can see thereβs nothing useful because the/manager directory for example need authenticated users.
Letβs search for tomcat to see if we can find another exploitation search tomcat
As you can see all these exploitation asks you to be authenticated user, so we will use the /tomcat/mgr/login auxiliary module to brute-force the user and password and edit the default options as follows
the resultsβ¦
We have a successful login here with username:tomcat & password:s3cret
Iβve tried to login to the 10.10.10.95:8080/manager with the upper credentials and itβs worked
1. Using Metasploit exploitations
we will use exploitation module multi/http/tomcat_mgr_upload and edit the options with the username and the password as follows here
then type run
Thatβs great, we have shell now. Letβs see our role
Good weβre admin, letβs search for the flags
Here we will find the 2 flags in one place in the Administrator directory
Congrats β€ letβs try the second method
2. Manual ExploitationβββWithout Metasploit
Metasploitwe can upload a war file as we can see here in the manager page select WAR file to upload
So we will generate a shell by using msfvenom as follows
And hereβs all the payloads which related to JAVA
Good now we have a reverse shell shell.war. Letβs try to upload it and then access it from the link 10.10.10.95:8080/shell.war and at the same time open nc to listen for the port 443 as follows and as you can see itβs worked :)
Here we finished β€
Congrats β€
Stay in touch :)
Last updated