Servlet Containers/Software Development
Tomcat - Discovery & Enumeration
During our external penetration test, we run EyeWitness and see one host listed under "High Value Targets." The tool believes the host is running Tomcat, but we must confirm to plan our attacks. If we are dealing with Tomcat on the external network, this could be an easy foothold into the internal network environment.
Tomcat servers can be identified by the Server header in the HTTP response. If the server is operating behind a reverse proxy, requesting an invalid page should reveal the server and version. Here we can see that Tomcat version 9.0.30 is in use.
Custom error pages may be in use that do not leak this version information. In this case, another method of detecting a Tomcat server and version is through the /docs page.
This is the default documentation page, which may not be removed by administrators. Here is the general folder structure of a Tomcat installation.
The bin folder stores scripts and binaries needed to start and run a Tomcat server. The conf folder stores various configuration files used by Tomcat. The tomcat-users.xml file stores user credentials and their assigned roles. The lib folder holds the various JAR files needed for the correct functioning of Tomcat. The logs and temp folders store temporary log files. The webapps folder is the default webroot of Tomcat and hosts all the applications. The work folder acts as a cache and is used to store data during runtime.
Each folder inside webapps is expected to have the following structure.
The most important file among these is WEB-INF/web.xml, which is known as the deployment descriptor. This file stores information about the routes used by the application and the classes handling these routes. All compiled classes used by the application should be stored in the WEB-INF/classes folder.
Example web.xml file:
The web.xml configuration above defines a new servlet named AdminServlet that is mapped to the class com.inlanefreight.api.AdminServlet. Java uses the dot notation to create package names, meaning the path on disk for the class defined above would be:
classes/com/inlanefreight/api/AdminServlet.class
Next, a new servlet mapping is created to map requests to /admin with AdminServlet. This configuration will send any request received for /admin to AdminServlet.class for processing. The web.xml descriptor holds a lot of sensitive information and is an important file to check when leveraging a Local File Inclusion (LFI) vulnerability.
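The route-to-class rule described above, worked as an added example (not code from the original page): a small parser that reads a deployment descriptor and resolves each url-pattern to the .class file under WEB-INF/ that handles it. The web.xml it consumes is a constructed sample reproducing the AdminServlet mapping from the text.

```python
"""Map the routes declared in WEB-INF/web.xml to the compiled class files
that handle them, following the dot-notation rule described above.

Added example, not code from the original page. SAMPLE_WEB_XML is a
constructed descriptor reproducing the AdminServlet mapping from the text."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin</url-pattern>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]

def servlet_routes(web_xml_text):
    """Return {url-pattern: path of the handling .class file under WEB-INF/}."""
    root = ET.fromstring(web_xml_text)
    classes = {}   # servlet-name -> fully qualified Java class name
    routes = {}    # url-pattern  -> servlet-name
    for el in root:
        kind = _local(el.tag)
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if kind == "servlet" and "servlet-class" in fields:
            # Servlets declared with <jsp-file> instead of a class are skipped.
            classes[fields["servlet-name"]] = fields["servlet-class"]
        elif kind == "servlet-mapping":
            for c in el:                     # one mapping may list several patterns
                if _local(c.tag) == "url-pattern":
                    routes[(c.text or "").strip()] = fields["servlet-name"]
    # Java package dots become directories on disk: com.a.B -> com/a/B.class
    return {pattern: "classes/" + classes[name].replace(".", "/") + ".class"
            for pattern, name in routes.items() if name in classes}
```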
The tomcat-users.xml file is used to allow or disallow access to the /manager (/manager/html) and host-manager admin pages.
The file shows us what each of the roles manager-gui, manager-script, manager-jmx, and manager-status provides access to. In this example, we can see that a user tomcat with the password tomcat has the manager-gui role, and a second weak password admin is set for the user account admin.
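An audit of exactly the weakness described above, as an added example that is not part of the original page: it parses a tomcat-users.xml and reports accounts that hold a manager or host-manager role together with a default or weak password. The XML is a constructed sample reproducing the tomcat:tomcat and admin:admin accounts from the text; the weak-password list and the 12-character floor are assumptions, and the admin-gui/admin-script host-manager roles are not mentioned on the page.

```python
"""Audit conf/tomcat-users.xml for privileged accounts with weak passwords.

Added example, not code from the original page. SAMPLE_TOMCAT_USERS is a
constructed file; WEAK_PASSWORDS and the length floor are assumptions."""
import xml.etree.ElementTree as ET

SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Ld8!qv#2pZr0wQ" roles="manager-script"/>
</tomcat-users>
"""

# manager-* roles gate /manager; admin-gui/admin-script gate host-manager
# (the latter two are not on the page; they are included as an assumption).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
WEAK_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "manager", "changeme"}

def audit_tomcat_users(xml_text):
    """Return [(username, sorted privileged roles, reasons)] for weak accounts.

    Passwords may be stored digested (CredentialHandler); then only the
    literal-default checks are meaningful and the length check is skipped."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username") or el.get("name", "")   # both spellings are valid
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = roles & PRIVILEGED_ROLES
        if not held:
            continue                       # unprivileged accounts are out of scope
        reasons = []
        if pw == name:
            reasons.append("password equals username")
        if pw.lower() in WEAK_PASSWORDS:
            reasons.append("password is a known default")
        elif len(pw) < 12 and not pw.startswith("$"):   # '$' prefix: digested form
            reasons.append("password shorter than 12 characters")
        if reasons:
            findings.append((name, sorted(held), reasons))
    return findings
```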
Enumeration
After fingerprinting the Tomcat instance, unless it has a known vulnerability, we'll typically want to look for the /manager and the /host-manager pages. We can attempt to locate these with a tool such as Gobuster or just browse directly to them.
Attacking Tomcat
Tomcat Manager - Login Brute Force
We first have to set a few options. Again, we must specify the vhost and the target's IP address to interact with the target properly. We should also set STOP_ON_SUCCESS to true so the scanner stops when we get a successful login; there is no use in generating loads of additional requests after a successful login.
As always, we check to make sure everything is set up correctly with show options.
We hit run and get a hit for the credential pair tomcat:admin.
This is a very straightforward script that takes a few arguments. We can run the script with -h to see what it requires to run.
Tomcat Manager - WAR File Upload
Valid manager credentials can be used to upload a packaged Tomcat application (.WAR file) and compromise the application. A WAR, or Web Application Archive, is used to quickly deploy web applications and backup storage.
After performing a brute force attack and answering questions 1 and 2 below, browse to http://web01.inlanefreight.local:8180/manager/html and enter the credentials.
Click on Browse to select the .war file and then click on Deploy.
This file is uploaded to the manager GUI, after which the /backup application will be added to the table.
If we click on backup, we will get redirected to http://web01.inlanefreight.local:8180/backup/ and get a 404 Not Found error. We need to specify the cmd.jsp file in the URL as well. Browsing to http://web01.inlanefreight.local:8180/backup/cmd.jsp will present us with a web shell that we can use to run commands on the Tomcat server. From here, we could upgrade our web shell to an interactive reverse shell and continue. Like previous examples, we can interact with this web shell via the browser or using cURL on the command line. Try both!
To clean up after ourselves, we can go back to the main Tomcat Manager page and click the Undeploy button next to the backup application after, of course, noting down the file and upload location for our report, which in our example is /opt/tomcat/apache-tomcat-10.0.10/webapps. If we do an ls on that directory from our web shell, we'll see the uploaded backup.war file and the backup directory containing the cmd.jsp script and META-INF created after the application deploys. Clicking on Undeploy will typically remove the uploaded WAR archive and the directory associated with the application.
Start a Netcat listener and click on /backup to execute the shell.
A simple change such as changing:
To:
results in 0/58 security vendors flagging the cmd.jsp file as malicious at the time of writing.
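From the defender's side, both activities described in the two sections above (repeated manager login failures, then a successful WAR deployment) leave a clear trace in Tomcat's access log. The following is an added example, not code from the original page: it reads access-log lines in the default "common" pattern and flags brute-force sources and manager deployments. The log lines are constructed; the deployment endpoints /manager/html/upload and /manager/text/deploy and the failure threshold are assumptions.

```python
"""Flag Tomcat Manager brute-force attempts and WAR deployments in the
access log (logs/localhost_access_log.*.txt, default "common" pattern).

Added example, not code from the original page. SAMPLE_LOG is constructed;
DEPLOY_RE and BRUTE_THRESHOLD are assumptions, not values from the page."""
import re
from collections import defaultdict

# %h %l %u %t "%r" %s %b  (client, ident, auth user, time, request, status, bytes)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# HTML manager upload form and text-interface deploy endpoint (assumed paths).
DEPLOY_RE = re.compile(r"^/manager/(html/upload|text/deploy)(\?|$)")
BRUTE_THRESHOLD = 5   # 401s on /manager from one client before we alert (assumed)

SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2021:14:02:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [10/Oct/2021:14:02:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [10/Oct/2021:14:02:12 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [10/Oct/2021:14:02:12 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - - [10/Oct/2021:14:02:13 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.5 - tomcat [10/Oct/2021:14:02:13 +0000] "GET /manager/html HTTP/1.1" 200 18812
10.10.14.5 - tomcat [10/Oct/2021:14:03:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=4F2A HTTP/1.1" 200 19244
10.10.14.5 - - [10/Oct/2021:14:03:55 +0000] "GET /backup/cmd.jsp?cmd=id HTTP/1.1" 200 512
192.168.1.20 - - [10/Oct/2021:14:04:01 +0000] "GET /docs/ HTTP/1.1" 200 8031
"""

def analyse_access_log(text):
    """Return {'brute_force': [ip, ...], 'deployments': [(ip, user, path), ...]}."""
    failures = defaultdict(int)
    deployments = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines in another log pattern
        ip, user, method = m["ip"], m["user"], m["method"]
        path, status = m["path"], int(m["status"])
        if path.startswith("/manager") and status == 401:
            failures[ip] += 1              # rejected credentials on the manager app
        if method in ("POST", "PUT") and DEPLOY_RE.match(path) and status < 400:
            deployments.append((ip, user, path.split("?")[0]))
    brute = sorted(ip for ip, n in failures.items() if n >= BRUTE_THRESHOLD)
    return {"brute_force": brute, "deployments": deployments}
```

A deployment record whose user has no business deploying, or that is preceded by a burst of 401s from the same client, is the event to alert on; the new context path can then be checked in webapps/ as the text describes.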
CVE-2020-1938: Ghostcat
All Tomcat versions before 9.0.31, 8.5.51, and 7.0.100 were found vulnerable.
The AJP service is usually running at port 8009 on a Tomcat server. This can be checked with a targeted Nmap scan.
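The version rule stated above (affected before 9.0.31, 8.5.51 and 7.0.100), turned into a check a defender can run over a fleet inventory, as an added example that is not code from the original page. It parses the version out of a banner such as the Server header or the /docs page value seen earlier; branches outside the three listed (for example 10.0.x, or end-of-life 8.0.x) are reported as unknown rather than guessed.

```python
"""Decide whether an observed Tomcat version predates the CVE-2020-1938
(Ghostcat) fix on its release branch.

Added example, not code from the original page. The fixed versions are the
ones the text states; banner formats are assumed to contain 'major.minor.patch'."""
import re

# First fixed release on each branch named in the text, keyed by (major, minor).
GHOSTCAT_FIXED = {(9, 0): (9, 0, 31), (8, 5): (8, 5, 51), (7, 0): (7, 0, 100)}

def parse_tomcat_version(banner):
    """Extract (major, minor, patch) from e.g. 'Apache Tomcat/9.0.30'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no Tomcat version found in {banner!r}")
    return tuple(int(x) for x in m.groups())

def ghostcat_affected(banner):
    """True if vulnerable, False if fixed, None if the branch is not in the table
    (10.x releases and end-of-life branches are out of scope of the stated rule)."""
    version = parse_tomcat_version(banner)
    fixed = GHOSTCAT_FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed        # tuple comparison: (9,0,30) < (9,0,31)

def triage(banners):
    """Group a list of banners into vulnerable / fixed / unknown for reporting."""
    groups = {"vulnerable": [], "fixed": [], "unknown": []}
    for b in banners:
        verdict = ghostcat_affected(b)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
        groups[key].append(b)
    return groups
```

Note that the vulnerable state only matters if the AJP connector on port 8009 is actually enabled and reachable, which is why the text pairs the version check with a targeted port scan.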
Jenkins - Discovery & Enumeration
Jenkins runs on Tomcat port 8080 by default. It also utilizes port 5000 to attach slave servers. This port is used to communicate between masters and slaves. Jenkins can use a local database, LDAP, Unix user database, delegate security to a servlet container, or use no authentication at all. Administrators can also allow or disallow users from creating accounts.
Enumeration
The default installation typically uses Jenkins’ database to store credentials and does not allow users to register an account. We can fingerprint Jenkins quickly by the telltale login page.
We may encounter a Jenkins instance that uses weak or default credentials such as admin:admin or does not have any type of authentication enabled. It is not uncommon to find Jenkins instances that do not require any authentication during an internal penetration test. While rare, we have come across Jenkins during external penetration tests that we were able to attack.
Attacking Jenkins
Script Console
Using this script console, it is possible to run arbitrary commands, functioning similarly to a web shell. For example, we can use the following snippet to run the id command.
Running the above commands results in a reverse shell connection.
Miscellaneous Vulnerabilities
Public exploit PoCs exist to exploit a flaw in Jenkins dynamic routing to bypass the Overall/Read ACL and use Groovy to download and execute a malicious JAR file. This flaw allows users with read permissions to bypass sandbox protections and execute code on the Jenkins master server. This exploit works against Jenkins version 2.137.
Another vulnerability exists in Jenkins 2.150.2, which allows users with JOB creation and BUILD privileges to execute code on the system via Node.js. This vulnerability requires authentication, but if anonymous users are enabled, the exploit will succeed because these users have JOB creation and BUILD privileges by default.
As we have seen, gaining access to Jenkins as an administrator can quickly lead to remote code execution. While several working RCE exploits exist for Jenkins, they are version-specific. At the time of writing, the current LTS release of Jenkins is 2.303.1, which fixes the two flaws detailed above.