HackTheBox - Jerry Writeup
Box author | mrh4sh
Nmap
As always, I’m gonna start with an Nmap scan of this IP address, 10.10.10.95.
Just one port is open, 8080, and it is Apache Tomcat. Well, this machine is straightforward, so I’m gonna show you how to exploit it with msfvenom and a web shell. Let’s go.
HTTP (Apache Tomcat)
Let’s take a look at port 8080, which serves HTTP.
It’s just the Apache Tomcat default page you get after installation. So, I’ll try to play around. Then, I found the /manager/html section upon clicking the Manager App button. Also, I found the credentials on the error page.
/manager/html
On this page, we can upload a WAR file to the server. So I’m thinking maybe I can upload some sort of shell, since this is an old version of Apache Tomcat.
WebShell
With some light googling, I found this webshell. So, I’m gonna create a new directory called xploit, then download it with the wget command into the xploit dir. However, we need it in the form of a WAR file to be able to upload it. Let’s convert this .jsp file into a .WAR file.
If the command ran successfully, there will be a new file in your current directory; in this case, my xploit directory. Now, let’s upload the newly created web shell to the server. It went through and didn’t throw any errors.
To spawn the shell, just click the /webshell path in the table.
WOW! We just became the nt authority\system user. Furthermore, you can upload the nishang reverse shell to get a proper shell.
MSFVenom
If you’d like to get a reverse shell straight away, we can use an msfvenom payload and get the connection back through nc. First, let’s create the payload with this command, and make sure to start the listener as well.
The last step is to upload it to this machine and double-click the /shell path. Et voilà!
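On the defending side, both the WAR upload through /manager/html and the first request to the freshly deployed path (/webshell or /shell above) are recorded in Tomcat's access log. The following detection sketch is an added example, not part of the original writeup: it assumes Tomcat's default access-log pattern, the log lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample lines in Tomcat's default access-log pattern
# (%h %l %u %t "%r" %s %b); IPs, times and sizes are made up.
SAMPLE_LOG = """\
10.10.14.7 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.7 - tomcat [01/Jan/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 19689
10.10.14.7 - tomcat [01/Jan/2024:10:03:44 +0000] "POST /manager/html/upload HTTP/1.1" 200 20512
10.10.14.7 - - [01/Jan/2024:10:03:58 +0000] "GET /webshell/ HTTP/1.1" 200 512
192.168.1.20 - - [01/Jan/2024:10:04:10 +0000] "GET /docs/ HTTP/1.1" 200 19367
10.10.14.7 - - [01/Jan/2024:10:04:30 +0000] "GET /webshell/ HTTP/1.1" 200 730
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Manager endpoints that deploy a WAR: HTML form upload and the text interface.
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)\b')


def context_of(path):
    """Return the first path segment, e.g. /webshell/x.jsp -> /webshell."""
    return "/" + path.split("?", 1)[0].strip("/").split("/", 1)[0]


def find_war_deployments(log_text):
    """Flag successful manager deployments and the first hit on any context
    that was never requested before, made by the address that deployed."""
    seen, deployers, findings = set(), {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed pattern
        ip, path, ctx = m["ip"], m["path"], context_of(m["path"])
        if (m["method"] in ("POST", "PUT") and DEPLOY.match(path)
                and m["status"] == "200"):
            deployers[ip] = m["user"]
            findings.append(("deploy", ip, m["user"], m["ts"]))
        elif ip in deployers and ctx not in seen and m["status"] != "404":
            findings.append(("new-context", ip, ctx, m["ts"]))
        seen.add(ctx)
    return findings


if __name__ == "__main__":
    for finding in find_war_deployments(SAMPLE_LOG):
        print(finding)
```

A deployment from an address that is not an administrator's workstation, followed within seconds by a request to a context nobody has touched before, is worth an alert on its own; restricting who can reach /manager and replacing the sample credentials removes the path entirely.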