There’s a vulnerability in one service that you can use to upload a reverse shell. It’s not so easy to detect, but Google is your friend right after banner grabbing.
HINT: cmd.bat
Thanks @19delta4u. I managed to finish the exercise. Indeed, by fuzzing I found “cmd.bat”. That, together with the PoC from the GitHub of the user “jaiguptanick”, helped me exploit it. I had to modify the exploit with the data that @19delta4u passed.
Fuzz the app on the IP and port, search for that CVE for extensions, you'll get the extension that exists in the CVE example directory, then exploit like that CVE, done! Thanks to everyone, regards, dstnat.
This one was tricky… don't forget to go back to your exploit after the .bat file is found.
For those still struggling, this video helped me find a slightly different way.
HTB Academy Attacking Common Applications - Skills Assessment I - YouTube
So I have got the flag, but I am still wondering: how do you find “cmd.bat” if the “/cgi” directory returns an error status code? I took a hint or two to solve this assessment, but I just don't understand some of the steps taken.
Hello, friends!
Give advice on which tool you used to look for this file.
I have recursively checked all directories with the tool dirsearch.py and also checked dirbuster.
For reference, the wordlist exactly contains the file name for this.
Hi guys, could you elaborate a bit on how you got there in the first place? I am trying to understand what your train of thought was regarding the cgi. Is it very common for Apache Tomcat, or what tipped you off, especially since the cgi directory by itself returns 404? I am just trying to understand better what I missed.
In the metasploit module, add “set AutoCheck false” and “set ForceExploit true” before running it.
Think about the hint I gave (fuzzing). I just did the exercise again and they changed the “cmd.bat” to “???.bat”. I fuzzed it with ffuf and found it.
Hello dear. Can you help on this please. I am stuck. I mean really stuck.
Hello dear. For which module? I tried all the exploits I got for Tomcat in Metasploit; none is working with this assessment. Can you help?
Hello dear. I did all the fuzzing for all the interesting folders I got. None has a .bat or .cmd extension. I even got the cgi directory under WEB-INF, nothing to be done. Can you help please?
I can't believe I did not notice that I needed to change the URL to cmd.bat … I was confused why it wasn't working for half an hour.
I think the thought process is that you search for exploits for the vulnerable application. Then you read through the exploit blog and see that they fuzz a specific directory, and then you do the same thing even though you think there’s no directory there.
Thanks…!
With all the above tips provided, I did the following:
To get the flag, this GitHub repo helped me: GitHub - jaiguptanick/CVE-2019-0232: Vulnerability analysis and PoC for the Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (RCE). The tip here is to use cmd.bat and follow this video to get the RCE: https://www.youtube.com/watch?v=RA7kzuHOWqA
Use a list from SecLists to find a .bat; I use common.txt.
You can see the exploit here: GitHub - setrus/CVE-2019-0232: CVE-2019-0232-Remote Code Execution on Apache Tomcat 7.0.42
So, I’ve figured out where the vulnerability is and tried to exploit it, but I can’t seem to do any path traversal outside of “…” (URL encoding doesn’t seem to work). I also found the metasploit module for it, and even after setting the recommended autocheck to false and forceexploit to true, no session has been created. I’ve tried a few different reverse shells, but no luck.
Any help would be appreciated. Between not being able to fuzz for the file (I understand manual enumeration is important, but you can’t manually enumerate something arbitrary like a filename) and the fact that the exploit is far more difficult to pull off than the documentation says, this is a surprisingly brutal lab for what it’s trying to teach.
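For anyone on the defending side of the CVE-2019-0232 pattern discussed in this thread, here is an added example (not code from the thread, the lab, or either GitHub PoC) that scans Tomcat access-log lines for requests to a CGI-mapped .bat/.cmd script whose query string would be handed to the script as command-line arguments. The log lines, IPs and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Tomcat "common" pattern); hosts and paths are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /cgi/cmd.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe HTTP/1.1" 200 54
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "GET /cgi/cmd.bat?&dir+c%3A%5C HTTP/1.1" 200 1043
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 2043
10.0.0.9 - - [12/Mar/2024:10:03:11 +0000] "GET /cgi/cmd.bat?name=alice HTTP/1.1" 200 12
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_RE = re.compile(r'\.(bat|cmd)$', re.IGNORECASE)      # Windows batch scripts served by CGIServlet
META_RE = re.compile(r'[&|;^]|\b[a-z]:\\', re.IGNORECASE)   # cmd.exe metacharacters or a drive path


def cgi_argv(target):
    """Reconstruct the argv CGIServlet would build for a .bat/.cmd request.
    Per RFC 3875 section 4.4 (which CGIServlet follows when enableCmdLineArguments
    is true), the query string becomes command-line arguments only when it contains
    no unencoded '='; it is split on '+' and each piece is URL-decoded.
    Returns (path, argv) or None when no arguments would be passed."""
    if '?' not in target:
        return None
    path, query = target.split('?', 1)
    if not SCRIPT_RE.search(path) or '=' in query:
        return None
    return path, [unquote(part) for part in query.split('+')]


def scan_access_log(text):
    """Return (ip, path, argv) for every request whose reconstructed argv carries
    shell metacharacters or a Windows path, the shape of CVE-2019-0232 abuse.
    Mitigation is to keep enableCmdLineArguments false (its default since the fix)
    or to not map the CGI servlet at all; this scan is for spotting attempts."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed = cgi_argv(m['target'])
        if parsed and any(META_RE.search(arg) for arg in parsed[1]):
            findings.append((m['ip'], parsed[0], parsed[1]))
    return findings


if __name__ == '__main__':
    for ip, path, argv in scan_access_log(SAMPLE_LOG):
        print(f'{ip} {path} argv={argv}')
```

The `name=alice` request is deliberately left unflagged: because its query string holds an unencoded `=`, CGIServlet would expose it only via `QUERY_STRING`, not as argv.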