Part 1: User

The information we start with is that its IP is 10.10.10.95 and that it runs Windows. Of course, this is hardly enough information! So we use nmap to see what this machine has to offer.

nmap -sV 10.10.10.95

We see that it’s running Apache Tomcat on port 8080, so our first instinct is to visit the page.

Apache Tomcat/7.0.88

Manager App sounds interesting!

Authentication Required :(

Looks like we need login information. Or we could just try ‘admin’ and ‘admin’?

403 Access Denied

Well, something happened.

If we have a read of this page, we can see it’s showing us how to set up an account that can access the Manager App, with the username ‘tomcat’ and the password ‘s3cret’. So ‘admin’ and ‘admin’ didn’t work, but the error page has presented us with a new set of login credentials, so let’s try them!

However, we’re already logged in, so I quickly close Firefox and open it again; this wipes the cookies, as we’re in Private Browsing mode, and thus logs us out. We then log back in with the new credentials and…

Tomcat Web Application Manager

This looks promising! Let’s have a gander at what we can do.

Interesting names…

Some of these names don’t look standard, indicating that this may be our way to getting user access.

File upload? I smell an exploit…

Scrolling further down, we see the reason for the strangely named apps. There’s an option to upload a WAR file, which is basically a JAR file for web applications. This sounds like our vulnerability to me, so we go to our best friend Google.

Looking for some RCE

After chucking some random words together, we come across an exploit that makes use of authenticated upload, so the next step is to load up msfconsole.

Side note: The module I’m using is multi/http/tomcat_mgr_upload, which uses a POST to /manager/html/upload to get the payload on the server. There is another similar module called multi/http/tomcat_mgr_deploy, which uses a PUT to upload the payload. From testing, the deploy payload has given limited success, so I’d suggest using the upload payload.

We’re gonna need a full-screen terminal this time!

We set our exploit by typing in use multi/http/tomcat_mgr_upload.

We then configure our exploit with the login credentials, the host, the payload, and the target. Once that is all set up, all we need to type is exploit. Fingers crossed!
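For the blue-team view of this step, here is an added example (not part of the original writeup) that scans Tomcat access-log lines in the default AccessLogValve layout for the two things this attack leaves behind: repeated 401/403 responses on the Manager App from one source, and a successful POST to /manager/html/upload (or a PUT to a deploy endpoint) that shows a WAR was deployed. The log lines are constructed, and the alert names and failure threshold are my own choices.

```python
import re
from collections import Counter

# Constructed sample log in Tomcat's default AccessLogValve layout
# ("%h %l %u %t \"%r\" %s %b"); not taken from the original writeup.
SAMPLE_LOG = """\
10.10.14.5 - - [29/Jun/2018:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - admin [29/Jun/2018:10:01:09 +0000] "GET /manager/html HTTP/1.1" 403 3420
10.10.14.5 - tomcat [29/Jun/2018:10:02:15 +0000] "GET /manager/html HTTP/1.1" 200 15821
10.10.14.5 - tomcat [29/Jun/2018:10:02:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=AB12 HTTP/1.1" 200 14203
10.10.14.5 - - [29/Jun/2018:10:03:01 +0000] "GET /Xy9kQ2/ HTTP/1.1" 200 0
192.168.1.20 - tomcat [29/Jun/2018:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 15821
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def manager_alerts(log_text, failure_threshold=2):
    """Scan access-log text for Manager App abuse.

    Emits one alert per source host once it reaches failure_threshold
    401/403 responses under /manager/, and one alert per successful
    WAR deployment (POST /manager/html/upload, or PUT to a .../deploy path).
    """
    alerts, failures = [], Counter()
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e or not e["path"].startswith("/manager/"):
            continue
        status, path = int(e["status"]), e["path"].split("?", 1)[0]
        if status in (401, 403):
            failures[e["host"]] += 1
            if failures[e["host"]] == failure_threshold:
                alerts.append({"kind": "manager_auth_failures", "host": e["host"],
                               "count": failure_threshold, "time": e["time"]})
        elif status == 200 and (
            (e["method"] == "POST" and path == "/manager/html/upload")
            or (e["method"] == "PUT" and path.endswith("/deploy"))
        ):
            alerts.append({"kind": "war_deploy", "host": e["host"], "user": e["user"],
                           "method": e["method"], "time": e["time"]})
    return alerts

if __name__ == "__main__":
    for alert in manager_alerts(SAMPLE_LOG):
        print(alert)
```

Both alerts fire on the sample above, which is the same sequence the Metasploit module produces: a failed login burst followed by one authenticated upload from the same host.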

Ta-da!

I drop into a shell, and… what? I guess we’re already System; that was easy!

2 flags for the price of 1!