How I escalated default credentials to Remote Code Execution

Published in

InfoSec Write-ups

3 min readMar 26, 2023

Hello All, We all know Recon is very important to get P1 bugs. Shodan and Censys are probably the best search engines. I have been testing a lot of application logic issues so thought of learning some recon as well.

Please note: The domain and other details have been masked for Confidentiality Purpose.

Recently, I came across an application which was using Tomcat. Lets take the domain as www.example.com. The first thing I did was brute forcing tomcat directories, but unfortunately, it did not work. I tried a couple of more things but it didn’t work, that’s where I decided to visit Shodan.

I took the domain name and pasted it on Shodan. I filtered out the results on the basis of port. That’s where I noticed something strange. I saw some application running on port 8082 and it was using tomcat. The IP address was x.x.x.x (Just an example).

I tried accessing http://x.x.x.x:8082/manager and guess what, it was prompting me to enter username and password. I got some hope there.

Boooommmm!!!!!, The username=tomcat and password=s3cret worked and the Tomcat Application Manager Console was accessible.

Technically, I should have stopped but I knew, I can get a remote code execution by uploading malicious war file. I needed a malicious .JSP file to make the war file. I took the JSP file from here, saved it with name index.jsp on desktop. Then, I created the war file using the commands in the below screenshot.