Pentesterlab--Axis2 Web Service and Tomcat Manager
When you engage in actual fighting, if victory is long in coming, then men’s weapons will grow dull and their ardor will be damped. If you lay siege to a town, you will exhaust your strength. —– The Art of War
This course details the exploitation of an issue in an Axis2 Web service and how using this issue it is possible to retrieve arbitrary files. Then using this, we will see how an attacker can retrieve Tomcat users' file to access the Tomcat Manager and gain commands execution on the server. —Pentesterlab
Detail Assessment and Planning
- Port scan to identify opened ports, running services and services version. —Nmap
- Burte force hidden path of the server. —-wfuzz
- generate webshell. —msfvenom
- backdoor. —nc
- webshell. —Car.arr
Weaknesses and Strengths
Used Nmap to idenfity opened ports. TCP port 80 is opened and Apache service is running on it.
nmap -sV -v -A 192.168.79.168
Use wfuzz to burte force hidden path of the server
Now we find that the server host a web service using Axis2.
In order to test is the web server using Tomcat, we can try to visit a non-existing web page and watch the 404 error page.
Now we find the server uses Tomcat and we get the version of the Tomcat. Keep going…
Lets check the path axis2/ , we get the page:
get the list of the available services by visiting the page
http://192.168.79.168/axis2/services/listServices or click the serices link
The WSDL information can be accessed by clicking the service’s name in the listServices page or directly using the following URL:
We can see that
get operation is defined in WSDL
Axis2 provides an easy way to call Web services, you just need to follow the pattern http://[WS_URL]/method?parameters
Get Tomcat manager configuration to get login credentials. In Debian Linux, the tomcat configuration file tomcat-users.xml has default location: /etc/tomcat6/tomcat-users.xml
So we can try:
Then we get the Tomcat manager’s credentials:
the tomcat manager-gui login password can be found: username: manager password: !mp0ss!bl32gu355
Then login tomcat manager from the URL http://192.168.79.168/manager/html to upload and deploy JSP webshell in WAR file.
1 2 3 4
Then uplpad the websehll.war to manager page
in Kali setup nc:
nc -nlvp 4444
then you will get the shell:
In Debian Linux, the axis2 configuration file axis2.xml has default location:
so we can visit this page by using,
from axis2.xml, we find the credential is admin/axis2
Then login axis2 admin page from the URL
then try to upload webshell.war we used in last method.
Looks like it doesn’t support the war file format. WTF, okay, try harder.
After google search, I found a webshell for axis2, called Cat.arr
Download it and upload it to the server, it requres host IP and port number: