Sunday, 7 June 2020

My Tomcat Host: 1 - CTF

Last time I found a few new VMs on VulnHub. One of them was "My Tomcat Host: 1". I decided to check it out. Below you will find a few notes about it. Here we go...
Today we'll start here:



As usual, I started with a port scan to see if there are any open ports on the target host:



Looks good. Let's try to check the HTTP port with gobuster:




Hm... Axis2? ;> We'll see... ;) Next link:



Looks good (if we know the password ;)) So I decided to go back to Axis2. After a while (of checking different published exploits) I found... that there is a default password ;] So my next step was:


Ok, next:


So far, so good! ;> And...


Well. :Z

I must say at this stage I was a little bit disappointed. After a few long moments with (fuzzing, searching exploits/bugs available online, debugging, etc) Axis2...


... I decided to try the same approach I tried with Axis2 - 'default passwords' - (tomcat:tomcat):


Looks familiar ;] Preparing revshell:


Next, Metasploit:


So I deployed prepared file:


In the meantime in my Kali VM we can see:


Now we should be somewhere here:


File .bash_history looks interesting:


Checking:


Indeed ;] Let's try to use it:


Next step:


And now let's try to (sudo) run our payload:


 ... almost... ;S we'll need meterpreter here:


Continuing:



Looks promising ;>


Checking again with oneliner-revshell:


Do we have a shell? ;D

It looks like it! Good ;]


Last notes from the host ;)



I think now it's the time to choose something else... ;]
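The foothold in this walkthrough came from the Tomcat manager accepting tomcat:tomcat. As an added example (not part of the original post), here is a small audit of a `tomcat-users.xml` file that flags guessable passwords and shows which of those accounts hold roles that allow deploying applications. The weak-password list and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying or reconfiguring applications.
# "manager" and "admin" are the role names used by old Tomcat releases.
DEPLOY_ROLES = {"manager-gui", "manager-script", "admin-gui",
                "admin-script", "manager", "admin"}
# Constructed list of guessable passwords; replace with your own policy.
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "changeme"}

def audit_tomcat_users(xml_text):
    """Return [(username, reason, deploy_roles)] for weak accounts."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    findings = []
    for el in root.iter():
        # Newer files declare xmlns="http://tomcat.apache.org/xml"; strip it.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Tomcat accepts "username" and the older "name" attribute.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if password.lower() == name.lower():
            reason = "password equals username"
        elif password.lower() in WEAK_PASSWORDS:
            reason = "password on weak list"
        else:
            continue
        findings.append((name, reason, sorted(roles & DEPLOY_ROLES)))
    return findings

# Constructed sample: one commented-out user (must be ignored), one default
# account, one account with a long password, one weak status-only account.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- <user username="both" password="both" roles="manager-gui"/> -->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Zr8-constructed-long-value" roles="manager-script"/>
  <user username="status" password="changeme" roles="manager-status"/>
</tomcat-users>"""

if __name__ == "__main__":
    for name, reason, roles in audit_tomcat_users(SAMPLE):
        level = "HIGH" if roles else "low"
        print(f"[{level}] {name}: {reason}; deploy roles: {roles or 'none'}")
```

Accounts reported with a non-empty role list can upload a WAR file, so those are the ones to fix first. If the realm stores hashed passwords, the comparison will not match and a separate check is needed.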



Special thanks go to my Patreon: Daniel.
Thanks! You are AWESOME! ;)
See you next time!


