Thompson
This assessment targeted a Linux system running Apache Tomcat 8.5.5. Using default credentials and web shell deployment, we achieved a reverse shell and escalated to root through a writable cronjob.
Enumeration
Ports 22, 8009, and 8080 were open. Service scans revealed OpenSSH, Apache JServ, and Tomcat 8.5.5.
Exploitation
Default Tomcat credentials allowed access to `/manager/html`. A `.war` file containing a reverse shell was deployed and triggered through the web interface.
Privilege Escalation
A cronjob executed a `.sh` script owned by Jack. Modifying that script to launch a reverse shell gave code execution as root.
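A defender-side check for the condition described above, as an added example that is not part of the original write-up: it reads `/etc/crontab`-style entries and reports every script run as root that a non-root user owns or can write to, along with its directory. The function names, the `job.sh` and `backup.sh` file names, and the sample crontab are constructed for illustration.

```python
import os
import stat
import tempfile

def root_cron_commands(crontab_text):
    """Commands of every /etc/crontab-style entry that runs as root."""
    commands = []
    for line in map(str.strip, crontab_text.splitlines()):
        # "@daily user cmd" has one schedule field; normal entries have five.
        n = 1 if line.startswith("@") else 5
        parts = line.split(None, n + 1)
        if not line.startswith("#") and len(parts) == n + 2 and parts[n] == "root":
            commands.append(parts[-1])
    return commands  # short lines such as PATH=/bin never match

def modifiable_by_others(path, trusted_uids):
    """Reason a user outside trusted_uids could change path, else None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return "owned by uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"

def audit_root_cron(crontab_text, trusted_uids=frozenset({0})):
    """Sorted (path, reason) findings for files that root cron jobs run."""
    findings = set()
    for command in root_cron_commands(crontab_text):
        for token in command.split():
            token = token.strip("\"';&|()")
            if token.startswith("/") and os.path.isfile(token):
                # The script and its directory must both resist tampering.
                for target in (token, os.path.dirname(token)):
                    reason = modifiable_by_others(target, trusted_uids)
                    if reason:
                        findings.add((target, reason))
    return sorted(findings)

def demo():
    """Constructed sample; the current user stands in for root as trusted."""
    d = tempfile.mkdtemp()
    weak, safe = os.path.join(d, "job.sh"), os.path.join(d, "backup.sh")
    for path, mode in ((weak, 0o777), (safe, 0o755)):
        open(path, "w").close()
        os.chmod(path, mode)
    crontab = "PATH=/bin\n* * * * * root cd /tmp && bash %s\n@daily root %s\n" % (weak, safe)
    return weak, audit_root_cron(crontab, trusted_uids={os.getuid()})

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of `/etc/crontab` and the files under `/etc/cron.d` to `audit_root_cron` with the default `trusted_uids`; per-user crontabs have no user field and need a separate parser.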
Key Takeaways
- Default credentials can allow full web app control
- Tomcat `.war` deployment is a high-risk vector
- Writable cronjobs can escalate privileges to root
- Always verify AJP endpoints for exposure