JERRY
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjer7mC6Zj6Big_h3qF6uQhztWFU99x6bRlWUVVVaztJD5nL2y4dRUOV6UEkJ5A_GPc2cPI6JMYVQ74onZIeknzw5Vhurpmh8YELulxyDrZkNOyCEV6tyjk2naNoQK-bD47df9VA7O142il/s1600/screenshot.13.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Jerry, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Jerry's IP is 10.10.10.95:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmOO5Js_JJIjedA4vU51yIJWrcpKWp_DY9ubnQa-UHJyNCSvz__WtApEA4Qf5o1cnhay0M0VFHw8hDZ8B0iXHPruLSzYlZtHNkv-0Ve9NSTyNs6S-I0RR9J3wY2yz-kpr_0iVY3n6GDY8l/s400/screenshot.2.jpg)
- Scanning with Nmap, only one open port is found, 8080:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFiiwkTQeHwRYeK0uYlWPQCJYuIMIh-Y92gnJ9pzyByIPe2t1Vx9ysuqZMLjfJ4-KcUvF0JP_UOv4IoGkWKikuZRcq6uYCVIUlq1ikQH6aOUukyn8zQhjBRFfBgYg94LaDp9DZfgBio-vM/s1600/screenshot.3.jpg)
- Scanning deeper:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNZ_zj15aH79BktiAzbolTbCsv4OTUcpO9iz8wD0dT4S1KDsHn8EIccW2GbLFjkC9L5V1OvSBQBCPCw7Z82J1lf-hf2jSkK2iXgU5l_bSTYpbk8c_-rR8d1iH5kGlcD36_C2zlgaYYyJRY/s1600/screenshot.4.jpg)
- So we have a web server on port 8080 running Apache Tomcat 7.0.88 (Apache-Coyote JSP engine 1.1).
- Connecting with the browser:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwNcGvGvax9PS7Ysr5xdQq-ag_W5G4rRJjSDXQ2MZSyZdupflBAT1NMdrCnFwZffhiX7dzs0SAGwhjdvAYqrdy-UH64a93VALlMIJKwEl49xIbAFlBbwD0MmpJROuWRA9YwMnBxNkS7UJP/s1600/screenshot.5.jpg)
- Clicking any tab, the user is prompted with a login form:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit7YcBvcfXyfCD41QNeTPGzeazdD3Ua5BWuRkkZau2IRtQf6Op9InCOPqoYqMMaYdc8-yM_u3yOF1NxX_gpDXd0aMMCdSK7yZ_tmC5LiFMzKMjAP_oBUAm3Q9yU5U1bm5OXZu3MCAQ1K_D/s1600/screenshot.7.jpg)
- However, when clicking Cancel the answer is a 401 Unauthorized error web page that reveals credential information, namely tomcat:s3cret:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbf56KFrOiGb7qNVgAK2yIr5zL1KBhuNjdGQoEg-QQI1kVEC11yjY6muYMv4c0nm29ky9BQp3STOnRy_NSv1fCY3Bs7_VJsqHP0P68yLVWWy40E_cPK_lhyphenhyphenaW5U7706nGggzGQVpUXDUYn/s1600/screenshot.6.jpg)
3 - EXPLOITATION
- Another way to find valid credentials would be to use Metasploit's auxiliary module tomcat_mgr_login:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjsOujrYuzQAQ-xaT6Zmkzhs4IMA6M2N72gAHUYnFSuTM96SCzAt_jFl4Ln44PzCTBNyV2fx6siPL6DL9bq5ZL3UVwtqWo0OusQIWC2e0o5630OChioZfas6MgT7OcRCqPRbZpKwwAyCHc/s1600/screenshot.16.jpg)
- Setting options:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7gwOIXBMh1VpEFNnaE-KeuZ9ifNusr-jmsF9NwXqSI-hsPR9Aoq5KBNvvBCn5oqKmBk9u34ySXNBdpiQXMYGpcSNqNO-uHmcvslf_7O52574p0XW1SBvG5lcCblBjQxGfIFSgKqG-k-Qc/s1600/screenshot.17.jpg)
- Running the module, after a while the same credentials as before are found:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOldwqrLsgrlJ70nHRYIV1-BWhb5ZVbiSQzfn9iqGSopXex3a5LrXXZ7y3CeEfUY2t1QwfRkIeSnZDo4V_AcVAu8GhL2aqJ0iHrA5coVXBCIC5y0sG0INagGhk2KcxnVCWBv94u326j9pd/s1600/screenshot.18.jpg)
- Metasploit provides a module to exploit an Apache Tomcat server whose "manager" application is exposed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGkD-zwhV-XkAgvKgcjgGom5eNzLjjb_8hkHzPdebbe4NbGt_jfa8aAYXMnhZk6XwNSWVroWcAdxAwX1trNAMM4hVhhfD13cBdwC_2Gc5MJKrpQEwOWXmsnXE8do-xN75qzwp4Ppm8E8Sm/s1600/screenshot.14.jpg)
- Using this module:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9foexALpmW_aosVDb9YRFnGbSZ0Hl8h0-nObjKduKp8L-hYA3YwCzfNbp-9ln5gQgjbRUhABMkcd217QzsrqDg_mziQAfWsIoBO0PQgQjMmpMh8buoQ4K9aEvj8XcvP_KhNMvM8w2E0RO/s1600/screenshot.19.jpg)
- Setting options (using the exposed credentials tomcat:s3cret) and running the exploit, we get a Meterpreter session:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyeZPJk9oFw1nmvQDIQIRuNIWe_diFbJAzn6pE4c9mOFizTqu_PErFgKPPg1LpZYAyA849vMT9ldD2qM-H5uwuUqaRQMo2mgtzxHZ7v8gjAuUv_Er4aBhRPcxRDJ3L7xm5lgZ0sDPSJiG3/s1600/screenshot.9.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWQHMT7vuRJAA4kwPcs_zsvaouffiT5YCJCMVskAHCXEPKKhiFgf4Dexq5bWBkw3rgEAwVB9hGed8Cz89OcenFOGxLPTyAKoCi_fR6KZz550V3arVATlesGL0AEx1NsbuDD4PnHpEbN7So/s1600/screenshot.15.jpg)
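- As an added defender-side example (not part of the original write-up), the following Python scans Tomcat access-log lines in the default "common" format for the two events this walkthrough produces: a burst of 401 responses against /manager from a single source (what the tomcat_mgr_login brute force looks like from the server side) and a successful deployment through the manager application. The sample log lines and the threshold of 5 failures are constructed assumptions.

```python
import re
from collections import Counter

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy a WAR: the HTML form upload and the scriptable /manager/text API.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
AUTH_FAIL_THRESHOLD = 5  # assumed: 401s per source on /manager before alerting

# Constructed sample: five failed logins, one success, one upload, one unrelated request.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2019:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.2 - - [01/Jan/2019:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.2 - - [01/Jan/2019:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.2 - - [01/Jan/2019:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.2 - - [01/Jan/2019:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.2 - tomcat [01/Jan/2019:12:00:04 +0000] "GET /manager/html HTTP/1.1" 200 11234
10.10.14.2 - tomcat [01/Jan/2019:12:00:09 +0000] "POST /manager/html/upload?x=1 HTTP/1.1" 200 12003
10.10.14.7 - - [01/Jan/2019:12:05:00 +0000] "GET /docs/ HTTP/1.1" 200 9321
"""

def analyse(lines, threshold=AUTH_FAIL_THRESHOLD):
    """Return sources exceeding the 401 threshold on /manager and any successful deployments."""
    failures = Counter()
    deploys = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the common format
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if not path.startswith("/manager"):
            continue
        if m.group("status") == "401":
            failures[m.group("src")] += 1
        elif m.group("status").startswith("2") and path.startswith(DEPLOY_PATHS):
            deploys.append((m.group("src"), m.group("user"), m.group("method"), path))
    brute = {src: n for src, n in failures.items() if n >= threshold}
    return {"bruteforce": brute, "deploys": deploys}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG.splitlines()))
```

Every successful request to a deploy endpoint is reported regardless of the threshold, because a single WAR deployment by an account that just survived a brute force is the event worth paging on.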
- Spawning a shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy7v_ERJMguKki1wK0jOVMqac8SststN7qw-jt7G2Ce3CcD-Bso2V4sCIqYM6rhnRYCuPZXv6rvVMdB0W2npY6JFKtoh9I4MceAvATIDXrO9Aak1GAXkCqwbddDSbllfYfAvrQXGhOevag/s1600/screenshot.10.jpg)
4 - CAPTURING THE FLAGS
- In this case both flags are in the same text file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-lNORHJP8WtQA1Y2HtpfXKi_CFZdHRt_ajHtEuama1FVo_ZhAQORBMXoGO9p1q_luYGEznJeK7S3htLjNFv2sF8dbuzEzVgRhgyBA69EOrGRWU0OvKoLl9bTV1qG8n9EPquoa6Q40xNPL/s1600/screenshot.11.jpg)