Infosec Martinez

View Original

WAR is Shell


This machine is as simple as it gets. This machines took me a number of days to complete due to my busy schedule, but once you try this machine you too will think the same. 

I start off with a nmap scan with version, to help me out with enumerating the services

-sV for version of services

I can quickly find that it's running an Apache Tomcat server. I visit the site on 8080 and find that this it's default page which tells me that this maybe a misconfigured server...

Default page for Apache Tomcat

I continue my enumeration with a full dirb scan of the site and I find a couple of interesting and I dig deeper...

"manager" page as a known credential finder on metasploit

I found that both the /host-manager and /manager pages have a login page, after researching I find a script that I can use to find credentials.

Like I said before on my blog post I try to keep metasploit to a minimum when I'm doing HTB machines. This forces me to think and dig deeper on manually exploiting systems. With that being said I still end up using a script in metasploit to find credentials using the scanner/http/tomcat_mgr_login

Make sure to add the appropriate options, such as RHOSTS and RPORT

SUCCESS!

After finding the credentials for the manager page we proceed to the dashboard for Apache

You can see some other users upload certain files...

I take a look around here on this page and find a upload section for .WAR files. Also other users have tried this machine and have left files uploaded in the applications section which leads me to believe that others have uploaded a shell. 

Upload a shell is your best friend!

After doing some research I found that you can upload a .WAR file. I created a payload using msfvenom

I now need to have a listener to listen on the specified port I gave in the shell, on my attacking machine I run an instance of netcat in terminal and then upload the created shell, and finally navigate to the shell "application" in the web browser

I didn't do what should be done once you get a shell, always get information of the system, and users just incase you need escalate privilages or pivot

After I've gotten access it's time to rummage through the directories and find our user and root hash. I eventually find a text file in the C:\Users\Administration\Desktop\flags\ called "2 for the price of 1.txt". Reading this file will give me both the user and root hashes for some sweet sweet points! 

This machine was quiet easy, but I feel like this is definitely a real world situation. A misconfigured server can easily be compromised using similar tactics as the one shown above. Even with a little stealth (like not using the metasploit script) someone could get login information quieter than I did.