Hack The Box

HackTheBox “Jerry” Walkthrough

Jerry, an easy-level Windows OS machine on HackTheBox, presented a favorable level of difficulty. The initial task involved leveraging default credentials to gain access to the Tomcat Web Application Manager. By…

HackTheBox “Jerry” Walkthrough, figure 1

Jerry, an easy-level Windows OS machine on HackTheBox, presented a favorable level of difficulty. The initial task involved leveraging default credentials to gain access to the Tomcat Web Application Manager. By deploying a malicious .war file containing a Java reverse shell, a successful reverse shell connection was established with a SYSTEM shell.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Jerry” Walkthrough, figure 2

Visit the app on port 8080.

HackTheBox “Jerry” Walkthrough, figure 3

Upon accessing the site, a standard installation of the Tomcat Web Application is evident. Clicking on the “Manager App” option triggers a pop-up login prompt.

HackTheBox “Jerry” Walkthrough, figure 4

Upon cancellation, redirection occurs to the “/manager/html” web directory, which prominently displays a specific username and password.

HackTheBox “Jerry” Walkthrough, figure 5

After refreshing the page, the login prompt reappears, and we will enter the recently exposed credentials: Username: tomcat Password: s3cret.

HackTheBox “Jerry” Walkthrough, figure 6

Upon successful login, you will be directed to the “Tomcat Web Application Manager” page. While scrolling down, a noteworthy finding emerges. Within the “Deploy” section, there is an opportunity to upload a .war file.

We will generate a reverse shell WAR file using msfvenom and as per the structure here.

HackTheBox “Jerry” Walkthrough, figure 7

Upload the file to the web application and proceed to deploy it.

HackTheBox “Jerry” Walkthrough, figure 8

Next, we will observe the payload of the war file listed in the Applications section.

Start a listener.

HackTheBox “Jerry” Walkthrough, figure 9

Click on “/shell” in the applications section to trigger the reverse shell payload.

HackTheBox “Jerry” Walkthrough, figure 10

And we get a SYSTEM shell.

Cheers.