Goal: Gain root privileges misconfigured Apache Tomcat/Coyote JSP engine 1.1 without msfconsole.
1. From the Nmap scan result, we found that port 80 is running which means, it is an HTTP service running on port 80, signaling that this target might be hosting some explorable web content.
2. To look at the contents ourselves, we can open a web browser of our choice and navigate to the target's IP address in the URL bar at the top of the window. This will automatically address the target's port 8180 for the client-server communication and load the web page's contents.
Tomcat Apache Default Page |
JSP stands for JavaServer Pages. All this means is, web pages accessed through port 8180 will be assembled by a Java web application.
3. We can see above that the Apache Tomcat default page is shown when we access the target machine IP through the browser.
This is a default page and it shows that Apache Tomcat is configured on the system. There are a lot of default functionalities that are used to configure Apache. I clicked on the “Tomcat Manager” option. It prompted for a username and password, as you can see below.
Coyote is a stand-alone web server that provides servlets to Tomcat applets. That is, it functions like the Apache web server, but for JavaServer Pages (JSP).
A prompt appears on my screen that asks me to input the username and password details to gain access to the Tomcat Web Application Manager.
4. Since the Apache default page was running, it might be a good idea to try login in with Tomcat default username and password.
You can find the default credential by searching on the web. The results can be seen in the highlighted area of the following screenshot.
Default Credential for Apache Tomcat |
5. From the Search result, I have tried the username and password combinations and I got success on tomcat:tomcat combination:
Tomcat Web Application Manager |
6. Scroll down to see if there any upload option is available or not and you can find an upload option where you can deploy a WAR file. This is a good idea to take advantage of this to deploy a malicious war file to gain a reverse shell.
A WAR file (Web application ARchive) is a file used to distribute a collection of JAR-files, JavaServer Pages, Java Servlets, Java classes, XML files, tag libraries, static web pages (HTML and related files) and other resources that together constitute a web application.
7. To craft a malicious war file use the below command:
where,
- LHOST : Listing Host (if don't remember your IP run ifconfig vboxnet0)
- LPORT : Listining port (Give any port).
- -p : Specifies Payload
- hack.war : File name
8. A war file(hack.war) of 1098 bytes is created, and you can find it from /home directory. Once everything is fine run a listing host with the help of NetCat:
9. port 4444 is starting to list connections, once I run the hack.war file. To do this we have to upload the file to Tomcat Web Application Manager:
10. Once Deploy is successful you can locate the file from "Application Path". Click on /hack to get a connection to port 4444:
11. If everything is fine, you got a reverse shell connection on your Netcat:
12. To take a stable TTY shell on the target machine, run the below Python script:
13. Let's try to gain root access with the help of the sudo command:
Nmap Privilege Escalation
Nmap, known as Network Mapper, is used in scanning for network and OS services detection. However, if a misconfigured Linux terminal is used with “sudo” or “administrator” privileges can lead to a privilege escalation.As you can see the Privilege Escalation was Successfully executed.