Jerry — HTB Walkthrough
Easy on deploy.
ENUMERATION
Nmap Scan
PORT 8080 Enumeration
Visiting the website shows us
I visited the links to manager, host and web-app. All were password protected.
Ran gobuster, which revealed these directories:
1) docs: contains the Tomcat 7.0.88 documentation
2) manager: the manager page, but password protected
3) examples: shows servlet examples
All three were of no use, so I decided to run a nikto scan, which says
A default account page is found. Let’s enumerate it, using username: tomcat, password: s3cret
Enumerating it shows us the option to deploy a WAR file
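The root cause here is a manager account left on a default password. The following added example (not part of the original walkthrough) audits a tomcat-users.xml for privileged accounts with guessable passwords; the sample file, the function names and every weak-password entry other than s3cret are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Role prefixes that grant access to the manager / host-manager applications.
PRIVILEGED_PREFIXES = ("manager", "admin")

# Constructed short list of guessable passwords; "s3cret" is the one from this
# walkthrough, the others are assumptions added for illustration.
WEAK_PASSWORDS = {"s3cret", "tomcat", "admin", "password", "changeit", ""}


def local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, privileged_roles, reason) for each risky account."""
    findings = []
    # Users inside XML comments are not parsed as elements, so they are skipped.
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""  # "name" is legacy
        password = elem.get("password", "")
        roles = [r.strip() for r in elem.get("roles", "").split(",") if r.strip()]
        privileged = [r for r in roles if r.startswith(PRIVILEGED_PREFIXES)]
        if not privileged:
            continue  # account cannot reach the deploy function
        if password.lower() in WEAK_PASSWORDS:
            findings.append((name, privileged, "default or guessable password"))
        elif password.lower() == name.lower():
            findings.append((name, privileged, "password equals username"))
    return findings


# Constructed sample file, not taken from the target machine.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Deploy" roles="manager-script"/>
  <user username="viewer" password="tomcat" roles="readonly"/>
  <user username="ops" password="k7#Vq9!xT2mLw4" roles="admin-gui"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, roles, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {', '.join(roles)} -> {reason}")
```

Any account it reports should get a unique strong password or be removed, and the manager application should not be reachable from untrusted networks.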
EXPLOITATION
Let’s create a malicious WAR file using msfvenom and upload it.
After deploying it, we see it shown in the list of deployed apps.
Open a netcat listener on your machine on port 1234 and visit the shell
Woahh!! Got the shell
There was no need to escalate privileges, as we were already SYSTEM.
So, going to Administrator, we find our flags
ROOTED !!!!!