JBOSS :: From Default Creds to RCE
How we got there
In the world of cybersecurity, uncovering vulnerabilities and exploiting them to gain remote access to a system is a challenge that many ethical hackers undertake. In this blog post, I'll take you through a step-by-step journey of how I found a path to Remote Code Execution (RCE) via a JBoss admin panel WAR file upload.
It all began with the discovery of an IP address on Shodan, a popular search engine for discovering internet-connected devices and services. I stumbled upon an IP that piqued my interest.
Uncovering the Redirect
Upon further investigation, it became apparent that the IP address in question was associated with a web panel that redirected users to another location. This redirection served as the entry point for my hacking quest.
The next step was researching JBoss AS (Application Server) instances. Familiarizing myself with JBoss, I found that default credentials were often a weak link. This led to a critical breakthrough - gaining access to the admin panel.
With access to the web application's admin panel, I explored the environment to get a feel for its structure, components, and potential vulnerabilities. Panels like this are juicy.
The Quest for Web Shell
The goal was to create a web shell to enable further exploitation. Various methods, including uploading JSP files and zipped JSP files in WAR format, were attempted but yielded no results.
A New Approach
Desperate to find a solution, I stumbled upon the idea of creating a Java/JSP web application via Maven. This approach provided a fresh perspective on gaining the desired RCE.
Following the Tutorial
Taking inspiration from a "Hello World" tutorial, I decided to replace the innocuous "Hello World" code with my reverse shell code in a JSP file.
Building the Web App
Using Maven, I built the new JSP web application, incorporating my modified JSP file. This marked a significant step toward my ultimate goal. The next challenge was to upload the newly created WAR file containing the modified web application to the target server.
Triumph: Remote Code Execution => root
Finally, the moment of truth arrived. After successfully uploading the WAR file, I achieved my objective – Remote Code Execution (RCE) on the target system. I now had control and access to the server, a remarkable achievement after a series of diligent steps and persistent effort. I was root, as the JBoss web app had been started as root.
- visited webapp at
- found the panel was redirecting to
https://xboy.me:8080/admin-console/ and got redirected to
- entered the default creds
- installed Maven and Java (lovely tutorial here => https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu)
- created the default "Hello World" example for Maven
mvn archetype:generate -DgroupId=com.example -DartifactId=example-application -DarchetypeArtifactId=maven-archetype-webapp -DinteractiveMode=false
- replaced the default Hello World code in index.jsp with a malicious one
- built the web app via Maven to get the correct WAR file
cd example-application/ && mvn package
- went back to the panel and uploaded the shell, and I was golden
- ran a few commands and found I was root
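The chain above relied on three server-side weaknesses that an administrator can check for: a default admin account still active, an admin/JMX console left deployed, and the JBoss process running as root. The following audit script is an added example, not part of the original post; it assumes the JBoss AS 5/6 profile layout (credentials in conf/props/jmx-console-users.properties, consoles under deploy/) and builds a constructed sample profile to run against.

```python
import tempfile
from pathlib import Path

# Assumption: JBoss AS 5/6 factory default account (admin/admin) lives in
# conf/props/jmx-console-users.properties; later builds ship it commented out.
DEFAULT_CREDS = {"admin": "admin"}
CONSOLES = ("admin-console.war", "jmx-console.war")


def parse_users_properties(text):
    """Return {user: password} from a JBoss users.properties file, skipping comments."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, _, password = line.partition("=")
        users[user.strip()] = password.strip()
    return users


def audit_server(server_dir, running_user):
    """List the weaknesses chained in the write-up for one JBoss server profile."""
    server_dir = Path(server_dir)
    findings = []
    props = server_dir / "conf" / "props" / "jmx-console-users.properties"
    if props.is_file():
        for user, password in parse_users_properties(props.read_text()).items():
            if DEFAULT_CREDS.get(user) == password:
                findings.append(f"default credentials active: {user}")
    for war in CONSOLES:  # a deployed console is the upload path used above
        if (server_dir / "deploy" / war).exists():
            findings.append(f"{war} is deployed (restrict or remove it)")
    if running_user == "root":  # any uploaded WAR inherits this privilege
        findings.append("JBoss process runs as root (use a dedicated low-privilege user)")
    return findings


def demo():
    """Build a constructed sample profile that reproduces all three weaknesses."""
    server_dir = Path(tempfile.mkdtemp()) / "default"
    props_dir = server_dir / "conf" / "props"
    props_dir.mkdir(parents=True)
    (props_dir / "jmx-console-users.properties").write_text(
        "# A sample users.properties file for use with the UsersRolesLoginModule\nadmin=admin\n"
    )
    (server_dir / "deploy" / "admin-console.war").mkdir(parents=True)
    return audit_server(server_dir, running_user="root")
```

Run `demo()` to see the three findings on the constructed profile; point `audit_server` at a real profile directory and pass the owner of the running java process to audit a live install.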