Web


Nmap discovered a web server on the target's port 80. The running service is Apache Tomcat.

Webroot: it is the default page for a Tomcat installation, which shows that the installed instance is tomcat9.

Tomcat


Apache Tomcat (called “Tomcat” for short) is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a “pure Java” HTTP web server environment in which Java code can also run. Thus it is a Java web application server, although not a full JEE application server.

There are many ways to enumerate and exploit a Tomcat instance, but a few key points are worth remembering:

  • The conf/tomcat-users.xml file
    • specifies the Tomcat credentials
  • Roles
    • manager
      • manager-gui — Access to the HTML interface.
      • manager-status — Access to the “Server Status” page only.
      • manager-script — Access to the tools-friendly plain text interface that is described in this document, and to the “Server Status” page.
      • manager-jmx — Access to JMX proxy interface and to the “Server Status” page.
    • host-manager
      • host-manager — Grants access to the Tomcat Host Manager application, which is used for configuring virtual hosts.
    • admin
      • admin-gui: allows access to the HTML GUI and the status pages
      • admin-script: allows access to the text interface and the status pages
    • custom
  • The most common attack, malicious WAR deployment, becomes possible once a manager credential is compromised
  • Default credentials

Default Structure


├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost
  • The bin folder stores scripts and binaries needed to start and run a Tomcat server.
  • The conf folder stores various configuration files used by Tomcat.
  • The tomcat-users.xml file stores user credentials and their assigned roles.
  • The lib folder holds the various JAR files needed for the correct functioning of Tomcat.
  • The logs and temp folders store temporary log files.
  • The webapps folder is the default webroot of Tomcat and hosts all the applications.
  • The work folder acts as a cache and is used to store data during runtime.
Each folder inside webapps is expected to have the following structure.

webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class

LFI


Both the /manager and /host-manager endpoints require authentication, as expected.

It may be possible to retrieve the tomcat-users.xml file via the LFI identified in the web application on port 80.

Referring back to the default installation page above, the Tomcat instance appears to be installed in the /usr/share/tomcat9 directory.

Further research reveals that the tomcat-users.xml file can be found in the /usr/share/tomcat9/etc directory, although its location varies between versions.

The /usr/share/tomcat9/etc/tomcat-users.xml file is retrieved via the LFI. The credential tomcat:$3cureP4s5w0rd123! is defined there with the admin-gui and manager-script roles.

host-manager


Authentication to the /host-manager endpoint succeeds with the tomcat user's credential. Deployed applications can be monitored here, although there are none for now.

manager


Attempting to authenticate to the /manager endpoint fails with a 403 code. This is because the manager role given to the tomcat user is manager-script, not manager-gui.

The manager-script role in Apache Tomcat grants access to the Tomcat Manager application via a text-based HTTP interface, which suits automation and script-driven management of web applications. The manager-gui role grants access to the same Manager application through a web-based graphical user interface (GUI), for manual management tasks from a browser.

As mentioned above, the usual attack vector against a Tomcat instance is malicious WAR deployment, which requires a compromised manager credential; whether its role is manager-script or manager-gui is IRRELEVANT. Now that a manager credential has been compromised, I can move on to that.
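The role list above, the plaintext credential recovered from tomcat-users.xml, and the 403 on /manager versus the working /host-manager login all come down to which Manager URL each role unlocks. The following audit script is an added example and not part of the write-up: it parses a tomcat-users.xml, expands group membership, maps each account's roles onto the URL prefixes protected by the stock Manager and Host Manager web.xml constraints (an assumption: it takes those constraints as unmodified), reports who can deploy a WAR, and flags passwords that are not stored in the salt$iterations$digest form that Tomcat's MessageDigestCredentialHandler writes (a heuristic). The embedded tomcat-users.xml is constructed to mirror the role mix seen here; the passwords in it are placeholders.

```python
"""Added example: audit which Tomcat Manager endpoints each account can reach."""
import re
import xml.etree.ElementTree as ET

# URL prefixes each role unlocks, per the stock security constraints in the
# Manager and Host Manager web.xml files (assumed unmodified on the target).
ROLE_ENDPOINTS = {
    "manager-gui":    ("/manager/html", "/manager/status"),
    "manager-script": ("/manager/text", "/manager/status"),
    "manager-jmx":    ("/manager/jmxproxy", "/manager/status"),
    "manager-status": ("/manager/status",),
    "admin-gui":      ("/host-manager/html",),
    "admin-script":   ("/host-manager/text",),
}
# Either role can upload a WAR: manager-gui via the HTML form,
# manager-script via the text interface.
DEPLOY_ROLES = {"manager-gui", "manager-script"}

# Heuristic for a digested password (salt$iterations$hash, all hex) as
# written by MessageDigestCredentialHandler; anything else is treated as plaintext.
DIGEST_RE = re.compile(r"^[0-9a-fA-F]+\$\d+\$[0-9a-fA-F]+$")

# Constructed sample mirroring the role mix observed in the write-up.
# Passwords are placeholders; the "digest" is not a real hash.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <group groupname="ops" roles="manager-status"/>
  <user username="tomcat"  password="PLACEHOLDER-PLAINTEXT" roles="admin-gui,manager-script"/>
  <user username="monitor" password="0123456789abcdef$10000$%s" groups="ops"/>
</tomcat-users>
""" % ("a" * 64)


def _local(tag):
    """Strip the XML namespace so both namespaced and plain files parse."""
    return tag.rsplit("}", 1)[-1]


def _csv(value):
    """Split a comma-separated attribute into a set of names."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def parse_users(xml_text):
    """Return {username: (effective roles, password)}, expanding group membership."""
    root = ET.fromstring(xml_text)
    groups = {el.get("groupname"): _csv(el.get("roles"))
              for el in root.iter() if _local(el.tag) == "group"}
    users = {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = _csv(el.get("roles"))
        for g in _csv(el.get("groups")):
            roles |= groups.get(g, set())
        users[el.get("username")] = (roles, el.get("password") or "")
    return users


def audit(xml_text):
    """Map each user to the endpoints its roles unlock plus risk flags."""
    report = {}
    for user, (roles, password) in parse_users(xml_text).items():
        endpoints = set()
        for role in roles:
            endpoints.update(ROLE_ENDPOINTS.get(role, ()))
        report[user] = {
            "roles": roles,
            "endpoints": sorted(endpoints),
            "can_deploy": bool(roles & DEPLOY_ROLES),
            # True reproduces the 403 seen on the /manager HTML GUI when the
            # account holds manager-script but not manager-gui.
            "manager_html_denied": "/manager/html" not in endpoints,
            # A plaintext password is directly reusable if the file leaks (e.g. via LFI).
            "plaintext_password": DIGEST_RE.match(password) is None,
        }
    return report


if __name__ == "__main__":
    for user, info in audit(SAMPLE_TOMCAT_USERS).items():
        flags = [f for f, on in (("CAN DEPLOY WAR", info["can_deploy"]),
                                 ("PLAINTEXT PASSWORD", info["plaintext_password"])) if on]
        print(f"{user}: roles={sorted(info['roles'])} -> {info['endpoints']} {flags}")
```

Run it against a real file with `audit(open(path).read())`; an account that shows `can_deploy` together with `plaintext_password` is the combination that turns a file read into a deployment capability, so those are the accounts to move to digested credentials and to trim to the narrowest role that the automation actually needs.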