Enumeration

Gobuster

• Run a quick gobuster scan to see what other dirctories are available.

gobuster dir -u http:[Target IP]:8080 -w [Path to wordlist]

• It looks like we have quite a few options here to explore. The most interesting to me are the /host-manager and /manager directories.

/aux                  (Status: 200) [Size: 0]
/com2                 (Status: 200) [Size: 0]
/com1                 (Status: 200) [Size: 0]
/com3                 (Status: 200) [Size: 0]
/con                  (Status: 200) [Size: 0]
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico          (Status: 200) [Size: 21630]
/host-manager         (Status: 302) [Size: 0] [--> /host-manager/]
/lpt2                 (Status: 200) [Size: 0]
/lpt1                 (Status: 200) [Size: 0]
/manager              (Status: 302) [Size: 0] [--> /manager/]
/nul                  (Status: 200) [Size: 0]
/prn                  (Status: 200) [Size: 0]

/aux

• Nothing interesting in source code.

<html><head><title>Apache Tomcat/7.0.88 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /aux</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/aux</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.88</h3></body></html>

/com1, /com2, /com3, /con

• Nothing in source code either.

/docs

• Lot's of good information here about the settings and set up of tomcat including default security settings.

• Nothing in the source code.

/examples

This could be really good. This could be a means to uploading a reverse shell to the /examples directory and accessing it in here.

/lpt1, /lpt2, nul, prn

• Nothing to note on any of these.

/host-manager

• Looks like we get a login prompt. Let's see if we can find some default credentials for this since the rest of the web server isn't set up yet. We'll google to see if we come up with anything.

  • I can also look at brute forcing this login as it is doesn't stop me from multiple attempts.

• I found quite a few answers on Google but the credentials admin:admin gave me some good information. I also found the following credentials that might work:

admin:admin
tomcat:tomcat
admin:[Nothing]
admin:s3cret
tomcat:s3cret
admin:tomcat

• This is really good information and I'll check out the conf/tomcat-users.xml

  • Unfortunately, it looks like it doesn't exist.

• I came back to this and tried the credentials tomcat:s3cret and was able to gain access to the page.

  • These credentials don't work for /host-manager

• Let's explore the place to possible upload a WAR file:

/manager

• Let's check out this page now.

• It gives me the same sign-in page as /host-manager and the credentials admin:admin give me access. Unfortunately, this sends me to the same page as above, /manager/html.

• Running a gobuster scan on this directory gave me a couple of areas to check out.

gobuster dir -u http:[Target IP]:8080/manager -w [Path to wordlist]

• Only status can be accessed.

/manager/status

• Now we have a lot of good information.

  • Tomcat Version --> Apache Tomcat/7.0.88

  • JVM Version --> 1.8.0_171-b11

  • JVM Vendor --> Oracle Corporation

  • OS Name --> Windows Server 2012 R2

  • OS Version --> 6.3

  • OS Architecture --> amd64

  • Hostname --> JERRY

• It also shows a port of 8009. However, when I try visiting that page it hangs up and doesn't show anything. Could potentially be something listening on that end.

  • I found this possible exploit with hacktricks that I might be able to use.