[HackTheBox] Jerry

Tomcat is a very popular Java “web container” (servlet container). This box teaches how Tomcat’s manager application, when it is left with default credentials, can be abused for RCE.

Summary

  • Enumerate machine’s services.
  • Exploit Tomcat’s upload vulnerability to get a shell as nt authority\system.

Recon

Port Scan

nmap -Pn -T4 -p- -sV 10.10.10.95

PORT     STATE SERVICE REASON  VERSION
8080/tcp open  http    syn-ack Apache Tomcat/Coyote JSP engine 1.1

Tomcat

Tomcat is running on port 8080. We can check whether the manager application is using default credentials with Metasploit’s scanner/http/tomcat_mgr_login module.

...
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
...

Exploit

With those credentials we can use multi/http/tomcat_mgr_upload, which deploys a WAR file through the manager application, to get a shell on the system.
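From the defender's side, the upload module leaves a clear trace: an authenticated POST or PUT to the manager's upload/deploy endpoints, usually preceded by a few 401s while the default credentials are being tried. The following detector is an added example written for this writeup, not code from the box or from Metasploit; the log lines are constructed in Tomcat's default "common" access-log format, and the attacker IP, timestamps and paths are made up for illustration.

```python
import re

# Constructed sample lines (Tomcat "common" access-log format); not taken from the box.
# Line 1: normal request. Line 2: failed manager login (401). Lines 3-4: authenticated
# deploys through the HTML manager and the text interface, the paths a WAR upload uses.
SAMPLE_LOG = """\
10.10.14.2 - - [10/Jul/2018:09:12:01 +0000] "GET / HTTP/1.1" 200 11217
10.10.14.2 - - [10/Jul/2018:09:12:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.2 - tomcat [10/Jul/2018:09:12:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 12345
10.10.14.2 - tomcat [10/Jul/2018:09:12:30 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 55
"""

# One access-log line: ip, ident, authenticated user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that write a new web application to the server.
DEPLOY_SUFFIXES = ("/upload", "/deploy")


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_manager_deploys(log_text: str) -> list:
    """Return every successful, authenticated deploy/upload through /manager."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string (CSRF nonce, path=...)
        if not path.startswith("/manager/"):
            continue
        if rec["method"] in ("POST", "PUT") and path.endswith(DEPLOY_SUFFIXES) \
                and rec["status"].startswith("2"):
            hits.append({"ip": rec["ip"], "user": rec["user"], "method": rec["method"],
                         "path": path, "status": rec["status"], "ts": rec["ts"]})
    return hits


def count_manager_auth_failures(log_text: str) -> int:
    """Count 401 responses under /manager, an indicator of credential guessing."""
    failures = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "401" and rec["path"].startswith("/manager/"):
            failures += 1
    return failures


if __name__ == "__main__":
    for hit in find_manager_deploys(SAMPLE_LOG):
        print(f"[!] deploy by user={hit['user']} from {hit['ip']}: {hit['method']} {hit['path']}")
    print(f"manager auth failures: {count_manager_auth_failures(SAMPLE_LOG)}")
```

A successful deploy by the built-in tomcat user from an address that does not belong to the deployment pipeline is the event to alert on; the fix on the server side is to change or remove the default manager credentials, restrict the manager application to trusted addresses (Tomcat's RemoteAddrValve), or drop the manager webapp entirely if nothing deploys through it.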

Tomcat is running as nt authority\system on this machine, so the shell from the upload module already has full privileges and no privilege escalation is needed, which means the box is done…