11/2020

Summary:

Target IP: 10.10.10.95. The attacker gained initial access because the Tomcat installation uses a default password for the web application manager page. This page allows unrestricted uploads. The attacker uploaded a web shell packaged as a WAR file; the server deployed and executed the web shell, which ran with root privileges.

Difficulty:

easy

Flags:

User: 7004dbcef0f854efb401875f26ebd00

Root: 04a8b36e1545a455393d067e772fe90e

Enumeration

The Nmap port scan result shows an HTTP server running on port 8080. The server is Tomcat.

Visiting the website hosted on port 8080.

The landing page is the default welcome page of an Apache Tomcat server, filled with general links to Tomcat guides and documentation. A pop-up login prompt appears when requesting the Server Status page. The admin credential for this page is a common one: admin/admin.

The Server Information page displays details about the machine's operating system and the folder structure of the Tomcat installation directory.

<aside> 💡

Nikto is an open source (GPL) web server scanner that tests web servers for multiple items, including dangerous files and programs. Nikto checks for outdated versions of web server software. It also checks for server configuration errors and any vulnerabilities they might have introduced.

</aside>

Nikto vulnerability scan result.

Multiple points of interest are mentioned in this report.

Nikto detects a default account on /manager/html: tomcat/s3cret.

Foothold

Checking the /manager/html page reveals the pivot point for this challenge: a form that allows uploads from the client. This management page lets a client upload an application as a WAR file, which is a kind of archive. The server then deploys it and makes it available on the server.
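The root cause in this box is a manager account protected by a well-known password. The following is an added example, not code from the original write-up: a small Python audit that reads a Tomcat tomcat-users.xml and flags any account that holds a manager role and uses one of the two credential pairs seen above. The sample file is constructed, and the default-credential list is limited to the pairs this write-up mentions.

```python
"""Audit a Tomcat tomcat-users.xml for manager accounts with default passwords."""
import xml.etree.ElementTree as ET

# Credential pairs seen in this write-up (admin/admin, tomcat/s3cret).
# Extend this set from your own baseline of known defaults.
DEFAULT_CREDS = {("admin", "admin"), ("tomcat", "s3cret")}

# Roles that grant access to the manager application, and hence WAR deployment.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui"}

# Constructed sample tomcat-users.xml: two default accounts, one strong, one without roles.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <!-- <user username="example" password="example" roles="manager-gui"/> -->
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="Xk9!long-random-value" roles="manager-script"/>
  <user username="admin" password="admin" roles="admin-gui,manager-gui"/>
  <user username="guest" password="guest" roles=""/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace Tomcat declares on its elements."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return [(username, [manager roles])] for users with a default password.

    Commented-out <user> lines are ignored because the parser drops XML comments,
    which matches what Tomcat itself does with them.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        # "username" is the current attribute; "name" is the legacy spelling.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        granted = sorted(roles & MANAGER_ROLES)
        if granted and (name, password) in DEFAULT_CREDS:
            findings.append((name, granted))
    return findings


if __name__ == "__main__":
    for user, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"default password on '{user}' grants manager roles: {', '.join(roles)}")
```

Run it against the real file (CATALINA_BASE/conf/tomcat-users.xml) to confirm no manager-role account is left on a stock credential; the same check belongs in a configuration baseline scan.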