My Tomcat Host Vulnhub Walkthrough

Hello everyone. This time I am sharing the walkthrough of a CTF machine designed by Akanksha Verma. This is a quick walkthrough of a vulnhub machine, My tomcat host. You can find this box on Infosec Warrior. According to there author it is a medium or intermediate level machine with good privilege escalation. So here we go.

My Tomcat Host: 1 walkthrough

Methodology applied :

Network Scanning
  • netdiscover
  • Nmap
Enumeration
  • Nmap
  • nikto
  • msfvenom
Privilege escalation
  • JAVA
  • sudo -l

Network Scanning

For scanning the network and obtaining the IP address of the box I used netdiscover.  As shown below

So the IP of the box is 192.168.2.15.  let’s start with Nmap scanning

 

Enumeration :

We can see that there is an open port number 8080. So let us have a look there

 

Good there a Tomcat Host on the box. For more information, I fired nikto.

Out of all the things, the most important to us is that we have credentials for tomcat manager application, tomcat: tomcat. and the directory /manager/html  page .

We were in the host and found there is a .war file upload option. So without wasting time I use msfvenom to generate a shell.war file

Where LHOST = listener host IP  && LPORT = listener port

And we have our payload ready, and we are all set to launch the attack. Upload this shell.war file and call it on the browser while having the listener on, on our machine

Got the shell of the user tomcat

Privilege Escalation:

Firstly I converted the shell into the interactive shell and I checked them for permissions on sudo command :

I see that we can run java command with sudo privileges. You can find the program from any place, I got it on stack overflow.

now I compile the code and executed it.

Boom !!! Eureka !!! I Got root …… and here is the flag.

 

Related Posts

Leave a comment

WhatsApp us