In the previous recipe we obtained the Tomcat's Manager credentials and mentioned that it could lead us to execute code in the server. In this recipe, we will use such credentials to log into the Manager and upload a new application that will allow us to execute operating system commands in the server.
1. Browse to http://192.168.56.102:8080/manager/html.
2. Log in with the credentials obtained in the previous recipe: root and owaspbwa.
3. Laudanum's webshells live in /usr/share/laudanum on Kali Linux; in the Manager's WAR upload form, browse there and select the file /usr/share/laudanum/jsp/cmd.war, then deploy it.
4. Once it is deployed, browse to the new application: http://192.168.56.102:8080/cmd/cmd.jsp.
5. Try the ifconfig command.
6. Now try the whoami command:

We can see that Tomcat is running with root privileges on this server; this means that at this point we have full control of it and can perform any operation, such as creating or removing users, installing software, configuring operating system options, and much more.
Once we have obtained the credentials for Tomcat's Manager, the attack flow is pretty straightforward; we just need an application useful enough for us to upload. Laudanum, included by default in Kali Linux, is a collection of webshells for various languages and types of web servers, including PHP, ASP, ASP.NET, and JSP. What can be more useful to a penetration tester than a webshell?
Tomcat has the ability to take a Java web application packaged in WAR (Web Application Archive) format and deploy it in the server. We have used this functionality to upload the webshell included in Laudanum. After it was uploaded and deployed, we just browsed to it and by executing system commands we discovered that we had root access in that system.
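From the defender's side, the sequence this recipe walks through (authentication attempts against the Manager, a WAR upload, then requests to a context path that did not exist before) leaves a clear trail in Tomcat's access log. The following detector is an added example written for this page; it is not code from the book or from Laudanum. It assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), and the log lines it runs over are constructed for illustration, with the same host and context names the recipe uses.

```python
import re

# Matches Tomcat's AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that deploy a WAR: the HTML form upload used in the recipe
# and the text (script) interface equivalent.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# A single 401 on /manager/html is just the browser's auth challenge; several
# from one host look like credential guessing.
FAILURE_THRESHOLD = 3

# Constructed sample log; not taken from the book or from a real server.
SAMPLE_LOG = [
    '192.168.56.1 - - [12/Mar/2024:10:00:01 +0000] "GET /examples/index.html HTTP/1.1" 200 1156',
    '192.168.56.1 - - [12/Mar/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2536',
    '192.168.56.1 - - [12/Mar/2024:10:00:06 +0000] "GET /manager/html HTTP/1.1" 401 2536',
    '192.168.56.1 - - [12/Mar/2024:10:00:07 +0000] "GET /manager/html HTTP/1.1" 401 2536',
    '192.168.56.1 - root [12/Mar/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 17845',
    '192.168.56.1 - root [12/Mar/2024:10:00:42 +0000] "POST /manager/html/upload HTTP/1.1" 302 -',
    '192.168.56.1 - - [12/Mar/2024:10:01:03 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 200 981',
    '192.168.56.1 - - [12/Mar/2024:10:01:15 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 200 1120',
    '10.0.0.7 - - [12/Mar/2024:10:01:30 +0000] "GET /examples/index.html HTTP/1.1" 200 1156',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path = rec["target"].split("?", 1)[0]
    rec["path"] = path
    # Context path is the first segment: "/cmd" for "/cmd/cmd.jsp", "/" for the root app.
    segments = path.split("/")
    rec["context"] = "/" + segments[1] if len(segments) > 1 and segments[1] else "/"
    return rec


def detect(lines):
    """Return a list of (kind, host, path) alerts, in log order.

    Contexts requested before any deployment form the baseline; after a
    deployment through the Manager, every request to a context that was not
    in that baseline is flagged as access to a newly deployed application.
    """
    alerts = []
    baseline = set()       # contexts seen before any deployment
    deployed = set()       # contexts first seen after a deployment
    failures = {}          # 401 count per source host on /manager
    deploy_seen = False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, path, ctx = rec["host"], rec["path"], rec["context"]
        if ctx == "/manager":
            if rec["status"] == 401:
                failures[host] = failures.get(host, 0) + 1
                if failures[host] == FAILURE_THRESHOLD:
                    alerts.append(("manager_auth_failure", host, path))
            elif path.startswith(DEPLOY_PATHS) and rec["status"] in (200, 302):
                alerts.append(("manager_deploy", host, path))
                deploy_seen = True
            baseline.add(ctx)
            continue
        if not deploy_seen:
            baseline.add(ctx)
            continue
        if ctx not in baseline:
            deployed.add(ctx)
        if ctx in deployed:
            alerts.append(("new_context_access", host, path))
    return alerts


if __name__ == "__main__":
    for kind, host, path in detect(SAMPLE_LOG):
        print(f"{kind:22} {host:15} {path}")
```

Run against the sample, the detector reports the credential-guessing burst, the WAR upload, and both requests to /cmd/cmd.jsp, while the later request to /examples (present in the baseline) stays quiet. Two caveats the recipe itself points at: the deploy alert only fires if the Manager is reachable at all, so restricting it to administrative addresses (Tomcat's RemoteAddrValve) and removing default credentials close the door earlier; and the whoami result shows why Tomcat should run as an unprivileged service account, so that a deployed webshell does not immediately mean full control of the host.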