Hack The Box — Jerry Writeup without Metasploit

Jerry is a relatively easy machine that can be exploited with little effort and doesn’t require a separate privilege escalation step.

Enumeration

Started with the usual Nmap scan.

Only the HTTP port (8080) was open. The banner said that Tomcat/Coyote JSP engine 1.1 was running.

Accessed the web page.

The admin login page can be accessed via the Manager App.

It asks for the admin username and password. There are a few common default credentials publicly available; in this case it was tomcat:s3cret.

There is a cool exploit that can be easily used if you know the admin credentials to log in to the Tomcat Web Application Manager.

Getting initial foothold and privilege escalation

The exploit is run as shown below. The next thing you know, you are on the machine with root privileges.

Lessons learned

The Tomcat port was open and the administrator had used the default credentials for the Tomcat Web Application Manager. Default credentials should not have been used, since they are publicly available.

Tomcat shouldn’t have been given system privileges. Instead, a low-privilege user account should have been set up and assigned to run Tomcat. Then, if the Tomcat service were compromised, the attacker would still need to find another way to escalate privileges.
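As an added example (not part of the original writeup), here is a small audit script that parses a tomcat-users.xml file and flags accounts that still use well-known default credentials, rating them CRITICAL when the account also holds a Manager role. The tomcat:s3cret pair is the one from this box; the other pairs are assumed from the commented-out sample users in older stock tomcat-users.xml files, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Credential pairs to flag. tomcat:s3cret is the pair used on this box (it is
# also the example in Tomcat's own manager documentation); the rest are the
# commented-out sample users from older stock tomcat-users.xml files
# (assumed list; extend it with whatever your own baseline knows).
DEFAULT_CREDENTIALS = {
    ("tomcat", "s3cret"),
    ("tomcat", "tomcat"),
    ("both", "tomcat"),
    ("role1", "tomcat"),
}

# Roles that give control of the Manager / Host Manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Constructed sample tomcat-users.xml (not taken from the box).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="deploy" password="q7Vx!2mLp9Rz" roles="manager-script"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return [(username, severity, reason)] for accounts with known default
    credentials. Default creds on a Manager role are CRITICAL: that is the
    exact combination that hands over the Jerry box."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Strip the XML namespace so both namespaced and plain files parse.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Tomcat accepts either 'username' or the older 'name' attribute.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if (name, password) not in DEFAULT_CREDENTIALS:
            continue
        if roles & MANAGER_ROLES:
            findings.append((name, "CRITICAL",
                             "default credentials on manager role(s): "
                             + ", ".join(sorted(roles & MANAGER_ROLES))))
        else:
            findings.append((name, "HIGH", "default credentials"))
    return findings


if __name__ == "__main__":
    for user, sev, why in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{sev:8} {user}: {why}")
```

Run it against each Tomcat instance's conf/tomcat-users.xml after deployment; any CRITICAL line is the same misconfiguration this box was built on.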

11 boxes are down.