sobota, 21 maja 2016

Pentester Lab CTF - Axis2 and Tomcat Manager

Here we have another one (I believe already solved) CTF from VulnHub. I had a pleasure to check it during one internal CTF prepared for the meeting with the new customer. Below you'll find a quick writeup:

Prepare the VM and run nmap against it:




Quick nmap review:


Ok, we have an Apache server. Let's try it out:


Cool. First hint: is there a Tomcat (manager)? Sure there is. But how to get inside? As you probably remember this is a VM related to Axis LFI bug (for example) so maybe we can exploit Axis to get some password (file) to access Tomcat's manager...


Yeah. Let's log in as manager now:






So we're able to access manager's panel. Let's find out if Tomcat is vulnerable to WAR upload (if so, we'll be able to upload shell in JSP):


This code is grabbed from the 'walkthrough' but I modified it a little bit:





Ready to use:


Great! So again we're able to search for some passwords or other vulnerabilities on this server.

If you have other solutions to get this box, feel free to post it in comments (or simple mail me).

Cheers.
Posted by at
Labels: , ,

Brak komentarzy:

Prześlij komentarz

Subskrybuj: Komentarze do posta (Atom)