# Jerry

## Jerry - 10.10.10.95

### Target Enumeration:

OS: Microsoft Windows Server 2012 R2 Standard

IP: 10.10.10.95

User: 7004dbcef0f854e0fb401875f26ebd00

Root: 04a8b36e1545a455393d067e772fe90e

### Vulnerability Exploited:

Default credentials were set for the Tomcat Manager application, and Tomcat was running as the system user.
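A defender-side check for this misconfiguration, as an added example that is not part of the original write-up: it parses a `tomcat-users.xml` and flags accounts that hold Manager roles and use the default pair noted in this write-up, a password equal to the username, or a short password. The sample file, the `audit` function name and the 12-character threshold are assumptions, and passwords are assumed to be stored in plaintext.

```python
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Manager application.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
# The default pair found on this host (from the write-up).
KNOWN_DEFAULTS = {("tomcat", "s3cret")}
MIN_LEN = 12  # assumed policy threshold, not a Tomcat setting

# Constructed sample tomcat-users.xml (not taken from the target).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xq7!constructed-long-value" roles="manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
  <user username="app" password="app" roles="appuser"/>
</tomcat-users>"""


def audit(xml_text):
    """Return (username, manager_roles, reason) for each weak manager account.

    Assumes plaintext passwords; digested entries cannot be compared this way.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Strip the XML namespace so the check works with or without xmlns.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")} & MANAGER_ROLES
        if not roles:
            continue  # account cannot reach the Manager app
        user, pw = el.get("username", ""), el.get("password", "")
        if (user, pw) in KNOWN_DEFAULTS:
            reason = "known default pair"
        elif pw.lower() == user.lower():
            reason = "password equals username"
        elif len(pw) < MIN_LEN:
            reason = "password shorter than %d characters" % MIN_LEN
        else:
            continue
        findings.append((user, sorted(roles), reason))
    return findings


if __name__ == "__main__":
    for user, roles, reason in audit(SAMPLE):
        print("%s [%s]: %s" % (user, ", ".join(roles), reason))
```

Run it against the `conf/tomcat-users.xml` of each Tomcat instance you operate; any finding on a host where the service runs with system privileges is the condition this box demonstrates.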

### Exploiting the host:

Nmap

![](https://lh3.googleusercontent.com/kZa3pUg1yeIoListW-t4NN1-b1GovnhhdTj8YVqOpq79oGha8EXWgvXb3umyYXRQQ3-oL2C-_T1q8tbVIzm7egc6R_pstk9w38uH_w97FydMqd66z5wOWRVfN1K3nWZOKKnAOy60)

Dirb

<div align="left"><img src="https://lh6.googleusercontent.com/XkbrO4ANiEwOaXHhwwCrIdSUbspA6xh0ThWkmT3oRCpSb7BZNB9AXWLll7ZOUwBtcexdZ7E8KjjuF9xvd3LjI82RZIlfTcAYv3q45swb8QrEQWBuam9ojuQBcfWwRwdQKcMrTLhb" alt=""></div>

Default credentials for the Tomcat login: `tomcat:s3cret`

<div align="left"><img src="https://lh6.googleusercontent.com/y0ha93LFXOtHNzznEMDdNkxh7fvxw9NuH1VDJ6srYJqInEuy5zRMw6SkLfkhveL5h7kJPmnp9jj8G_3nZyEVr8mwwt9zd7GFqiuasCx4qi7NgBncbxqM9Pk61qao4ywErOeuRG1m" alt=""></div>

Access the Tomcat Manager app

![](https://lh3.googleusercontent.com/J5zbTIMTYsX-6GFBhuPOkw7K_z5klzr88Zz3wMaQ8Oqir5lFTKWA3geCNHOI7oBySDktQR15jjUY1VSTROXj-KpYbH-BBe8JoRv2peIJvUy5P83Rl0QKyFYgIMD6vGebSpDalZPK)

Create shell

![](https://lh4.googleusercontent.com/UdRurdSBsfZhEujPeL6Xw-HeplYFuAK-0XAau0upDDZTkQOXTI6bKdfShemdaUQd1mKjrGREawb0oUnI7yz4LVk6E-fMhSvZw5U3cl9YIvY4jrOMmymOmRETHxtOc1ayeUiJfdfI)

Upload the shell via the Manager app

![](https://lh5.googleusercontent.com/5Ry6hDnOqjsgOCNJgMlAj9JnQUubJpEYmrwkroTLfWB3yLU0CoIrGqoYjwAiXW1KoVaoaViOkvt1c1KIH1TeEmDeH6X90iLs__ckL4ftr-DjdgRxYMmf6nOOwc35W6QjetmmVVl2)

Now extract the WAR file to find the name of the payload

<div align="left"><img src="https://lh3.googleusercontent.com/RYEY10LqZ3Wa9dJA0rSJeoarmLiU4xNFm3ZBgVRnq2P9Je1wh8Vu5hk49Z-3HCINB9yV39a4989IAnrXBhy0s7Cj6fmsQVUoXwC9llyynwgz95irJB88-uKU_rL-KD1xVJ-wfHd8" alt=""></div>

Open an nc listener on port 443 and access the .jsp file via a web browser

<div align="left"><img src="https://lh4.googleusercontent.com/f6j-R2L0uq8F6EwlaaeayYrHbEcJBiyqaGj4juZ5iXahHXTX0CaEw9R4gTJTc75Yf6fzwPwnOk0g-4YzykDd5pMEgsAfkoN1X0LXVYPeoIWRnkL_A0jGk5ocx3TBYso4-ORgAJwX" alt=""></div>

Now you have an administrator shell

<div align="left"><img src="https://lh4.googleusercontent.com/_tpkgICa-Ej3gfFkAjm1PZtI16FnNLRWx27674R5-8HUENlf2xZKshYJP5OdXK6s7ovXLdyfIfLv05hVlZsR2G8eND4LJnymWDF5ubKVrmJlvSeDURCs0YGUNpKVNgIwrc56rnwn" alt=""></div>

Grab your flags

<div align="left"><img src="https://lh4.googleusercontent.com/rTnZoePCBhAvAVO9xvR6DR5IOwaVCgOEEDga6VNQRzUCfS_RZy2IpSggRIDPN9DTVbCIrpqrI3oq6IgBB42wUbtsLvHmoG63b37iBoQkVvvf4A-gTySRv_E5_S5-y-9ugMPMSqW5" alt=""></div>
