# Jerry Walkthrough

Hello everyone! Today we have another machine from HackTheBox, “Jerry”. We will work through this machine both with `metasploit` and with manual exploitation. Let’s look at the machine’s info.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*889PCePWDYpJAfcUXSWpSQ.png" alt=""><figcaption></figcaption></figure>

Okay, let’s get started…

## **DNS Enumeration**

First we scan the machine’s IP `10.10.10.95` with `nmap` to find the open ports, running services, OS details and other info. The command is

`nmap -A -T4 -oG jerry.gnmap 10.10.10.95` and the results are shown here

<figure><img src="https://cdn-images-1.medium.com/max/800/1*72R9O9-AsP7IdqpVRMLFnQ.png" alt=""><figcaption></figcaption></figure>

You should notice something odd: Tomcat normally doesn’t reveal its version, but here it does, so that’s something we can take as an entry point.

The second thing to note is that port 8080 is open, so let’s open it in the browser: `10.10.10.95:8080`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ZB65VwVJLRkeyxSw1YDsKg.png" alt=""><figcaption></figcaption></figure>

You will find the server version, the same one `nmap` reported, so note this information.

I’ve used `exploit-db`, `rapid7` and `searchsploit` to search for CVEs related to these keywords (tomcat / coyote / tomcat 7.0.88), and the results all point to the same CVE

<figure><img src="https://cdn-images-1.medium.com/max/800/1*nHXKK-B4hXj1_2VtrFgNbw.png" alt=""><figcaption></figcaption></figure>

This CVE lets a manager or admin user upload a shell in place of a WAR file, so from this information we need to be the manager or the admin (have an admin account) and then use `Metasploit` or manual exploitation to open a reverse shell. Let’s first try to get an admin account.

## **Website Enumeration**

In this step we need to brute-force directories, trying to find any leaked data containing account credentials. We can use `ffuf`, `dirbuster`, `dirsearch`, `gobuster` or `metasploit` modules.

I’ll use `metasploit` for this step

<figure><img src="https://cdn-images-1.medium.com/max/800/1*xPUGyKirLXapHZXYbyreUw.png" alt=""><figcaption></figcaption></figure>

I’ve used `scanner/http/dir_scanner` to discover hidden directories, and as you can see there’s nothing useful, because the `/manager` directory, for example, requires an authenticated user.

Let’s search for Tomcat to see if we can find another exploit: `search tomcat`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*M7qkkDh4jUz1MKWd72yrAA.png" alt=""><figcaption></figcaption></figure>

As you can see, all these exploits require an authenticated user, so we will use the `/tomcat/mgr/login` auxiliary module to brute-force the username and password, editing the default options as follows

<figure><img src="https://cdn-images-1.medium.com/max/800/1*_N0s87ElxAa49zEg5bPa9g.png" alt=""><figcaption></figcaption></figure>

The results…

<figure><img src="https://cdn-images-1.medium.com/max/800/1*BJ7WroUvhZxkm4zSlYZgKA.png" alt=""><figcaption></figcaption></figure>

We have a successful login here with username `tomcat` and password `s3cret`

I’ve tried to log in to `10.10.10.95:8080/manager` with the credentials above, and it worked
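The login above works because a manager-role account has a guessable password. As a defensive check added here (not part of the original writeup), this script audits a `tomcat-users.xml` for accounts that hold manager roles with weak passwords, and for the manager-gui plus script/jmx role combination the Tomcat manager how-to advises against. The XML is a constructed sample, and `WEAK_PASSWORDS` and `min_length` are my own thresholds.

```python
import xml.etree.ElementTree as ET

# Roles that reach the manager/host-manager apps and therefore allow code deployment.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status", "admin-gui"}
# Constructed list of guessable values; "s3cret" is the password that worked on this box.
WEAK_PASSWORDS = {"", "tomcat", "s3cret", "admin", "password", "manager", "changeme"}

# Constructed tomcat-users.xml that would explain the tomcat:s3cret login (not the box's real file).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="ops" password="Tomcat" roles="manager-gui,manager-script"/>
  <user username="ci" password="Lq7vT2pX9wA4hN8zC1kF" roles="manager-script"/>
  <user username="reader" password="x" roles="probeuser"/>
</tomcat-users>
"""

def _local(tag):
    """Strip the XML namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text, min_length=16):
    """Return {username: [findings]} for accounts that can reach the manager app."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name", "")  # older files use name=
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # cannot deploy code through the manager; out of scope here
        issues = []
        if password.lower() in WEAK_PASSWORDS:
            issues.append("guessable password")
        elif len(password) < min_length:
            issues.append("short password")
        # Tomcat's manager how-to recommends not giving manager-gui and script/jmx roles to one account
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            issues.append("manager-gui combined with script/jmx role")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_tomcat_users(SAMPLE_TOMCAT_USERS).items():
        print(f"{user}: {', '.join(issues)}")
```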

<figure><img src="https://cdn-images-1.medium.com/max/800/1*7pAPo5SVE5oGG0_cWiMAzw.png" alt=""><figcaption></figcaption></figure>

### **1. Using Metasploit exploitations**

We will use the exploit module `multi/http/tomcat_mgr_upload` and set the username and password options as follows

<figure><img src="https://cdn-images-1.medium.com/max/800/1*tezJDPlVZ5aH8sys5mgl2A.png" alt=""><figcaption></figcaption></figure>

Then type `run`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*x1yKMO4JVaz0Es9D95f_fw.png" alt=""><figcaption></figcaption></figure>

Great, we have a shell now. Let’s see what our role is

<figure><img src="https://cdn-images-1.medium.com/max/800/1*bJvB8-nchGHHHBIixqqzSQ.png" alt=""><figcaption></figcaption></figure>

Good, we’re admin. Let’s search for the flags

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ir3siQWc53KEG1P1kkKziw.png" alt=""><figcaption></figcaption></figure>

Here we find both flags in one place, in the `Administrator` directory

Congrats ❤ Let’s try the second method

### **2. Manual Exploitation — Without `Metasploit`**

We can upload a WAR file, as you can see here in the manager page under `select WAR file to upload`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*hJ1GYpwNfRnU1NQ8pxXVMg.png" alt=""><figcaption></figcaption></figure>

So we will generate a shell with `msfvenom` as follows

<figure><img src="https://cdn-images-1.medium.com/max/800/1*vEwVdZ5WnvwRYcolua2Qyg.png" alt=""><figcaption></figcaption></figure>

And here are all the payloads related to `JAVA`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*jJ7Qi7_YjJfRF16vydi96Q.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*mxbf5qJ23z2xTLYowlXX6w.png" alt=""><figcaption></figcaption></figure>

Good, now we have a reverse shell, `shell.war`. Let’s upload it and then access it at `10.10.10.95:8080/shell.war`, while at the same time running `nc` to listen on port `443`, as follows. As you can see, it worked :)
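Added detection example, not from the original post, covering both the manager login brute force earlier and the WAR upload here: it parses Tomcat access-log lines in the default AccessLogValve pattern `%h %l %u %t "%r" %s %b` (constructed sample) and flags IPs with repeated 401s on `/manager`, plus any deployment through the manager's HTML upload form or its text API. The threshold and the sample addresses are assumptions.

```python
import re
from collections import Counter
# Constructed Tomcat access log (default AccessLogValve pattern "%h %l %u %t "%r" %s %b");
# the addresses, users and timestamps are made up for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Jun/2018:10:15:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [20/Jun/2018:10:15:31 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [20/Jun/2018:10:15:31 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [20/Jun/2018:10:15:32 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [20/Jun/2018:10:15:32 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.9 - - [20/Jun/2018:10:15:40 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [20/Jun/2018:10:15:45 +0000] "GET /manager/html HTTP/1.1" 200 15432
10.10.14.5 - tomcat [20/Jun/2018:10:16:01 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 302 -
10.10.14.9 - deployer [20/Jun/2018:11:02:13 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 45
"""

# One line: client ip, ident, authenticated user, timestamp, request line, status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse(log_text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect_manager_bruteforce(log_text, threshold=5):
    """IPs that collected at least `threshold` 401s on the manager app (credential guessing)."""
    failures = Counter()
    for e in parse(log_text):
        if e["path"].startswith("/manager") and e["status"] == "401":
            failures[e["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def detect_war_deploys(log_text):
    """Deployments through the manager: the HTML form upload or the text/script API."""
    hits = []
    for e in parse(log_text):
        path = e["path"].split("?", 1)[0]  # drop the CSRF nonce / path query string
        if (e["method"] == "POST" and path == "/manager/html/upload") or \
           (e["method"] == "PUT" and path == "/manager/text/deploy"):
            hits.append((e["ip"], e["user"], e["method"], path, e["status"]))
    return hits

if __name__ == "__main__":
    print("brute force:", detect_manager_bruteforce(SAMPLE_LOG))
    print("deploys:", detect_war_deploys(SAMPLE_LOG))
```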

<figure><img src="https://cdn-images-1.medium.com/max/800/1*O65RwON-O5HQ7kDnw8SPFg.png" alt=""><figcaption></figcaption></figure>

Here we finished ❤

**Congrats ❤**

**Stay in touch :)**

[LinkedIn](https://www.linkedin.com/in/eslam-akl-6b998614a/) | [GitHub](https://github.com/eslam3kl) | [Twitter](https://twitter.com/eslam3kll)
