I Suck at CTFs: Corrosion2

note: something happened with my VM in UTM (i think) so I never got a shell even if I followed the walkthroughs /shrug

tl;dr commands used

• nmap

• zip2john

• john

• msfconsole -e auxiliary/scanner/http/tomcat_enum

• ffuf

• msfconsole -e exploit/multi/http/tomcat_mgr_upload

• msfvenom -p java/jsp_shell_reverse_tcp

• msfvenom -p java/shell/reverse_tcp

• Enumerate: see 22, 80, and 8080 open

• T1595.002 – Active Scanning: Network Scanning

• IP:80 takes us to default apache2 landing page

• 8080 takes us a tomcat landing page

• Information disclosure: Tomcat/9.0.53

• Check msfconsole for any quick hitters

• Found exploits that require username/password and exploits that don’t require username/password

• Tried all that don’t require username/password and was unsuccessful

• Username enumeration: found various usernames

• T1595.001 – Active Scanning: Web Application Scanning

• ffuf for directories and exposed files

• Directory enumeration: /manager /examples /docs

• Exposed files: backup.zip readme.txt

• T1595.001 – Active Scanning: Web Application Scanning

• Downloaded backup.zip but extracting required a password

• Found that you can use zip2john to extract the password to crack with john-the-ripper

• tomcat-users.xml is a common file that is found on tomcat servers that holds username/passwords

• Was able to find that admin and manger use the same password

• T1110.002 – Brute Force: Password Cracking

• Logging into IP:8080/manager lands you on the manager dashboard were you can deploy .war files

• Tried using msfconsole’s tomcatmgrupload to upload and execute code

• A session wouldn’t start for me

• Tried creating the payload manually with msfvenom and executing it in various ways

• Gave up and looked through the walkthrough and saw that I was doing the correct things

• However, something was off with my vulnhub box - I’m thinking it’s a Apple Silicon issue :(

• Next time, I’ll try this on a intel processor I’ll try it again.