# Enumeration

## Gobuster

* Run a quick gobuster scan to see what other directories are available.

```
gobuster dir -u http://[Target IP]:8080 -w [Path to wordlist]
```

<figure><img src="/files/1bHKCzI9pjLm4Kww36Of" alt=""><figcaption></figcaption></figure>

* It looks like we have quite a few options here to explore. The most interesting to me are the **/host-manager** and **/manager** directories.

```
/aux                  (Status: 200) [Size: 0]
/com2                 (Status: 200) [Size: 0]
/com1                 (Status: 200) [Size: 0]
/com3                 (Status: 200) [Size: 0]
/con                  (Status: 200) [Size: 0]
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico          (Status: 200) [Size: 21630]
/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
/lpt2                 (Status: 200) [Size: 0]
/lpt1                 (Status: 200) [Size: 0]
/manager              (Status: 302) [Size: 0] [--> /manager/]
/nul                  (Status: 200) [Size: 0]
/prn                  (Status: 200) [Size: 0]
```

### /aux

<figure><img src="/files/Q834X6KzfIMPQ4VlQ8B7" alt=""><figcaption></figcaption></figure>

* Nothing interesting in source code.

{% code overflow="wrap" %}

```
<html><head><title>Apache Tomcat/7.0.88 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /aux</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/aux</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.88</h3></body></html>
```

{% endcode %}

### /com1, /com2, /com3, /con

<figure><img src="/files/34myWdUH1TbH5KkIHeCM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sF9aH7sdDe2q76LER6XZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XMdMI97GluvZqdtFed2A" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vFlDrtlyV0kwTYfbFAbn" alt=""><figcaption></figcaption></figure>

* Nothing in source code either.

### /docs

<figure><img src="/files/4xmSfM7KMHmT1JxpAgNO" alt=""><figcaption></figcaption></figure>

* Lots of good information here about the settings and setup of Tomcat, including default security settings.
* Nothing in the source code.

### /examples

<figure><img src="/files/HmI7jDBveOVcXWoczeVp" alt=""><figcaption></figcaption></figure>

This could be really good. This could be a means of uploading a reverse shell to the /examples directory and accessing it from here.

### /lpt1, /lpt2, /nul, /prn

![](/files/90mkVFn1Cd61lgj2ehnL)

![](/files/mhJbQ4OEL9pRH0RBOb5s)

![](/files/MGnoHH1QrCgmby5jgIUC)

![](/files/QAOTvFGbIVeO9mtCeZ69)

* Nothing to note on any of these.

### /host-manager

![](/files/gbNop9mM6VMQeuOSGcqh)

* Looks like we get a login prompt. Let's see if we can find some default credentials for this since the rest of the web server isn't set up yet. We'll google to see if we come up with anything.
  * I can also look at brute forcing this login as it doesn't stop me from multiple attempts.
* I found quite a few answers on Google but the credentials `admin:admin` gave me some good information. I also found the following credentials that might work:

```
admin:admin
tomcat:tomcat
admin:[Nothing]
admin:s3cret
tomcat:s3cret
admin:tomcat
```

<figure><img src="/files/NovX0iAMXlTSXVMzYYvP" alt=""><figcaption></figcaption></figure>

* This is really good information and I'll check out the `conf/tomcat-users.xml`.
  * Unfortunately, it looks like it doesn't exist.
* I came back to this and tried the credentials `tomcat:s3cret` and was able to gain access to the page.
  * These credentials don't work for `/host-manager`.

<figure><img src="/files/Rmib9lqEDKen8cvhwnzd" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EnGpAzMTGzqgtA2qrf2h" alt=""><figcaption></figcaption></figure>

* Let's explore the place to possibly upload a WAR file.

### /manager

* Let's check out this page now.
* It gives me the same sign-in page as `/host-manager` and the credentials `admin:admin` give me access. Unfortunately, this sends me to the same page as above, `/manager/html`.
* Running a gobuster scan on this directory gave me a couple of areas to check out.

```
gobuster dir -u http://[Target IP]:8080/manager -w [Path to wordlist]
```

<figure><img src="/files/HNSrV4dWJbVjDOaGAzRP" alt=""><figcaption></figcaption></figure>

* Only status can be accessed.

### /manager/status

<figure><img src="/files/24mpiJlgHCog1kuUg5KE" alt=""><figcaption></figcaption></figure>

* Now we have a lot of good information.
  * Tomcat Version --> Apache Tomcat/7.0.88
  * JVM Version --> 1.8.0\_171-b11
  * JVM Vendor --> Oracle Corporation
  * OS Name --> Windows Server 2012 R2
  * OS Version --> 6.3
  * OS Architecture --> amd64
  * Hostname --> JERRY
* It also shows a port of 8009. However, when I try visiting that page it hangs up and doesn't show anything. Could potentially be something listening on that end.
  * I found this possible exploit with [hacktricks](https://book.hacktricks.xyz/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp) that I might be able to use.
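As an added defensive check that is not part of this writeup, the Python script below audits a Tomcat `conf/` directory for the two weaknesses enumerated above: accounts in `tomcat-users.xml` that use one of the default credential pairs listed earlier or hold manager/admin roles, and an AJP connector in `server.xml` that is not bound to loopback, which is how port 8009 appears to be exposed here. The two XML samples are constructed, not taken from the target, and the `audit_users` / `audit_ajp` function names are my own.

```python
import xml.etree.ElementTree as ET

# Default credential pairs from the writeup ("admin:[Nothing]" = empty password)
DEFAULT_CREDS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
                 ("admin", "s3cret"), ("tomcat", "s3cret"), ("admin", "tomcat")}
# Roles that grant access to /manager and /host-manager
ADMIN_ROLES = {"manager-gui", "manager-script", "manager-jmx",
               "manager-status", "admin-gui", "admin-script"}

# Constructed sample files, not taken from the target
# (Tomcat 7+ writes tomcat-users.xml with a default namespace)
SAMPLE_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="reports" password="Wq7!k2p9" roles="reporting"/>
</tomcat-users>"""
SAMPLE_SERVER = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""


def audit_users(tomcat_users_xml: str) -> list[str]:
    """Flag accounts using a default credential pair or holding admin roles."""
    findings = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if el.tag.split("}")[-1] != "user":  # drop the namespace prefix
            continue
        name = el.get("username") or el.get("name", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, pw) in DEFAULT_CREDS:
            findings.append(f"default credentials: {name}:{pw or '[Nothing]'}")
        if roles & ADMIN_ROLES:
            findings.append(f"admin roles for {name}: {sorted(roles & ADMIN_ROLES)}")
    return findings


def audit_ajp(server_xml: str) -> list[str]:
    """Flag AJP connectors not bound to loopback (no address = all interfaces)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            addr = conn.get("address", "0.0.0.0")
            if addr not in ("127.0.0.1", "::1", "localhost"):
                findings.append(f"AJP connector on port {conn.get('port')} bound to {addr}")
    return findings
```

Running `audit_users(SAMPLE_USERS)` and `audit_ajp(SAMPLE_SERVER)` against the samples flags the `tomcat:s3cret` account with its manager roles and the AJP connector on 8009; adding `address="127.0.0.1"` to that connector (or removing it when AJP is unused) clears the second finding.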