![]() Necessary cookies are absolutely essential for the website to function properly. Simple mitigations include setting up a strong password and creating a dedicated low-privilege service account to run the application. These two flaws are unfortunately common, and I see them routinely in real-world environments. ![]() To do this, I took advantage of two critical security flaws: first, weak administrative credentials for a web application, and second, the fact that this web application was running as a over-privileged system-level user. I fully compromised the Jerry machine in less than two minutes. Upon further review, I noticed a bug in the Metasploit code related to the undeploy logic, and submitted a patch to the Metasploit git repo to fix it. As part of doing this, I discovered that the Metasploit module I ran didn’t automatically undeploy the application, despite claiming to have done so. In the case of the Tomcat exploit I ran using Metasploit, it was important to me to undeploy the malicious Java application that I had deployed and run. Responsible pentesters try not to leave traces of their activity lying around. The whoami command showed that I was running as NT AUTHORITY\SYSTEM, meaning the machine was fully compromised through the single tomcat user credential. Within that reverse shell, I executed commands on the target host. I used this module to deploy a malicious Java application that connected back to my own host and gave me a reverse shell. The Metasploit framework contains a module, exploit/multi/http/tomcat_mgr_upload, that automates the process of generating a malicious WAR file and uploading it to a Tomcat server, given the username and password for a valid user. WAR files are essentially zip files containing Java code that adhere to a standard format. To deploy a Java application within Tomcat, it must be first packaged up as a WAR (Web Application Archive) file. The malicious Java application can be used to execute arbitrary code within the Tomcat process running on the host. An attacker can abuse this functionality to deploy a malicious Java application. Users can deploy new applications, start them, stop them, and undeploy them. The Manager application enables users to manage the life cycle of Java web applications run by the Tomcat web server. This attacker technique, abusing admin-level web application privileges, is not really a vulnerability or misconfiguration - it’s simply the byproduct of having admin-level access in the first place. Attackers are well aware of different types of web applications and what kind of features they expose that can be abused to access the underlying host. ![]() I discovered that the Manager application could be accessed with the user tomcat and the password s3cret.ġ7:23:38 PM UTC: It is often the case that admin-level access to a web application results in obtaining shell access to the host running the web application. I tried to access the Manager application running within Tomcat but found that it required credentials to access.ġ7:23:18 PM UTC: I ran a default credentials scan using nmap and the nndefaccts script. Apache Tomcat is a very popular web server used to run Java-based web applications. I ran TCP and UDP port scans using nmap and found a single HTTP port open, 8080:ġ7:22:49 PM UTC: I crawled the web site running at port 8080 and found the default landing page for Apache Tomcat. I confirmed this machine was live with an nmap ping sweep. I was provided the Jerry’s IP address, 10.10.10.95. I’ll walk through this in detail below:ġ7:22:04 PM UTC: I started my assessment. This is the attack graph that represents what I did. ![]() Used the Manager application to upload a malicious war file, establishing a Metasploit reverse shell running as the NT AUTHORITY\SYSTEM user Identified Apache Tomcat Manager application running on port 8080įound weak credentials to the Manager application for the tomcat user Timeline of Notable Events Timestamp (UTC) Using those credentials, I abused built-in functionality within the Manager application to gain system-level shell access to the host. I obtained system-level privileges on Jerry by first finding weak administrative credentials to the Apache Tomcat Manager web application running on port 8080. The Jerry machine from the Hack The Box platform nicely illustrates the danger of weak and default credentials.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |