HTB — Jerry
2024-2-25 14:52:23 Author: infosecwriteups.com

What do you say, Tom, can you catch me?

Dfaults

InfoSec Write-ups

Starting with an Nmap scan, we find 1 open port:

# Nmap 7.93 scan initiated Wed Jan 24 01:18:54 2024 as: nmap -sV -sC -Pn -p 8080 -o nmap.txt jerry.htb
Nmap scan report for jerry.htb (10.129.145.195)
Host is up (0.097s latency).

PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 24 01:19:06 2024 -- 1 IP address (1 host up) scanned in 12.54 seconds

Let’s check whether the currently installed version of Apache Tomcat is vulnerable:

$ searchsploit Tomcat 7.0.88
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
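Before acting on a keyword hit like the two rows above, it is worth comparing the banner version against the bounds printed in each title numerically. The following is an added example, not part of the original write-up: the function names are hypothetical, and it assumes each `< x.y.z` in a title is an upper bound for that major.minor branch, read literally as printed.

```python
import re

# Lines copied from the Nmap and searchsploit output shown above.
NMAP_TITLE_LINE = "|_http-title: Apache Tomcat/7.0.88"
SEARCHSPLOIT_TITLES = [
    "Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)",
    "Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)",
]

VERSION = r"\d+(?:\.\d+)+"


def parse_version(text):
    """Turn '7.0.88' into (7, 0, 88) so comparison is numeric, not textual."""
    return tuple(int(part) for part in text.split("."))


def banner_version(line):
    """Extract the Tomcat version from an Nmap http-title line, or None."""
    match = re.search(r"Apache Tomcat/(" + VERSION + r")", line)
    return parse_version(match.group(1)) if match else None


def upper_bounds(title):
    """Collect every '< x.y.z' bound printed in a searchsploit title."""
    return [parse_version(v) for v in re.findall(r"<\s*(" + VERSION + r")", title)]


def title_covers(version, title):
    """True/False if the bound for the version's major.minor branch covers it;
    None when the title prints no bound for that branch (cannot be decided)."""
    for bound in upper_bounds(title):
        if bound[:2] == version[:2]:
            return version < bound
    return None


def triage(nmap_line, titles):
    """Map each title to whether the banner version is inside its printed range."""
    version = banner_version(nmap_line)
    if version is None:
        return {}
    return {title: title_covers(version, title) for title in titles}


if __name__ == "__main__":
    for title, covered in triage(NMAP_TITLE_LINE, SEARCHSPLOIT_TITLES).items():
        print(covered, "|", title)
```

With the values on this page both rows come back `False`: 7.0.88 is numerically above the printed 7.0.8 bound, so the keyword match alone does not show that this host falls inside the listed range.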

Fuzzing the address gave us a few directories to look at:

$ ./ffuf -w /usr/share/wordlists/dirb/big.txt -u http://jerry.htb:8080/FUZZ -o ../fuzzed.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/…


Source: https://infosecwriteups.com/htb-jerry-0947990ec3ca?source=rss----7b722bfd1b8d---4