Using Tomcat Manager to execute code

In the previous recipe we obtained the Tomcat's Manager credentials and mentioned that it could lead us to execute code in the server. In this recipe, we will use such credentials to log into the Manager and upload a new application that will allow us to execute operating system commands in the server.

How to do it...

  1. Go to http://192.168.56.102:8080/manager/html.
  2. When asked for username and password, use the ones obtained in the previous recipe: root and owaspbwa.
  3. Once inside the Manager, look for the section WAR file to deploy and click on the Browse… button.
  4. Kali includes a collection of webshells in /usr/share/laudanum; browse there and select the file /usr/share/laudanum/jsp/cmd.war.
  5. After it is loaded, click on Deploy.
  6. Verify that you have a new application called cmd.
  7. Let's try it: go to http://192.168.56.102:8080/cmd/cmd.jsp.
  8. In the textbox, try a command, for example: ifconfig
  9. We can see that we can execute commands, but to know which user and what privilege level we have, try the whoami command.

    We can see that Tomcat is running with root privileges on this server; this means that at this point we have full control of it and can perform any operation, such as creating or removing users, installing software, configuring operating system options, and much more.

How it works...

Once we have obtained the credentials for Tomcat's Manager, the attack flow is straightforward; we just need an application useful enough for us to upload it. Laudanum, included by default in Kali Linux, is a collection of webshells for various languages and types of web servers, including PHP, ASP, ASP.NET, and JSP. What can be more useful to a penetration tester than a webshell?

Tomcat has the ability to take a Java web application packaged in WAR (Web Application Archive) format and deploy it on the server. We have used this functionality to upload the webshell included in Laudanum. After it was uploaded and deployed, we just browsed to it and, by executing system commands, discovered that we had root access on that system.
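Every step of the flow above leaves a trace in Tomcat's access log: the Manager login, the WAR upload, and the first requests to a context that did not exist before. The following Python script, added here as an example and not taken from the book, Tomcat or Laudanum, parses a handful of constructed log lines in Tomcat's common AccessLogValve pattern and reports Manager deployments, requests to contexts outside a known baseline that follow a deployment, and failed authentication attempts against the Manager. The upload endpoints /manager/html/upload and /manager/text/deploy are Tomcat's real Manager paths; the baseline context set and the rule that treats single-segment paths as ROOT content are assumptions of this example, not Tomcat's own mapping logic.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's common AccessLogValve pattern
# ("%h %l %u %t \"%r\" %s %b"). They are made up for this example and
# mirror the flow in the recipe: a 401, a Manager login as root, a WAR
# upload, and then requests to the freshly deployed /cmd context.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Mar/2020:14:21:40 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - root [10/Mar/2020:14:21:52 +0000] "GET /manager/html HTTP/1.1" 200 18371
192.168.56.1 - root [10/Mar/2020:14:22:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 303 -
192.168.56.1 - root [10/Mar/2020:14:22:11 +0000] "GET /manager/html HTTP/1.1" 200 19002
192.168.56.1 - - [10/Mar/2020:14:22:30 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 200 1187
192.168.56.1 - - [10/Mar/2020:14:22:45 +0000] "POST /cmd/cmd.jsp HTTP/1.1" 200 2330
10.0.0.7 - - [10/Mar/2020:14:23:00 +0000] "GET /index.html HTTP/1.1" 200 5312
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that accept a WAR: the HTML form upload used in the
# recipe and the text (scripting) interface's deploy command.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# Assumed baseline of contexts expected on this server; anything else that
# appears after a deployment is reported. Adjust to the real deployment list.
BASELINE_CONTEXTS = frozenset({"manager", "host-manager", "docs", "examples"})


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def context_of(path):
    """Heuristic: first path segment is the context for multi-segment paths;
    single-segment paths (e.g. /index.html) are assumed to come from ROOT."""
    parts = path.strip("/").split("/")
    if len(parts) < 2:
        return None
    return parts[0]


def analyze(log_text, baseline_contexts=BASELINE_CONTEXTS):
    """Scan log text and return deployments, post-deploy hits on unknown
    contexts, and per-host 401 counts against the Manager."""
    deployments = []
    new_context_hits = defaultdict(list)
    manager_auth_failures = defaultdict(int)

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string

        if path.startswith("/manager") and rec["status"] == "401":
            manager_auth_failures[rec["host"]] += 1

        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS):
            deployments.append({"host": rec["host"], "user": rec["user"],
                                "time": rec["time"], "path": path})
            continue

        ctx = context_of(path)
        # Only flag unknown contexts once a deployment has been observed.
        if deployments and ctx is not None and ctx not in baseline_contexts:
            new_context_hits[ctx].append((rec["host"], rec["method"], rec["status"]))

    return {"deployments": deployments,
            "new_context_hits": dict(new_context_hits),
            "manager_auth_failures": dict(manager_auth_failures)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for d in result["deployments"]:
        print(f"WAR deployed via {d['path']} by {d['user']}@{d['host']} at {d['time']}")
    for ctx, hits in result["new_context_hits"].items():
        print(f"new context /{ctx} requested {len(hits)} time(s) after deployment")
    for host, n in result["manager_auth_failures"].items():
        print(f"{n} failed Manager authentication(s) from {host}")
```

Run against a real localhost_access_log the script needs only the pattern to match; the combination "deployment by a Manager user, then traffic to a context nobody provisioned" is the signal worth alerting on, and a preceding run of 401s from the same host is the credential-guessing phase of the previous recipe.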
