Exploiting Jserv

"The Apache JServ Protocol is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server."

We kick off with an Nmap scan and we find port 8009 open:



When I found this initially, it was on a Tomcat server, but I wanted to dig in to see if I could leverage it for something greater. It turns out that if Tomcat's port 8080 is already facing you, you already have everything you can get. However, if for some reason you find yourself in a situation like the one above, you can leverage port 8009 to get to the Tomcat server.

First, let me point you to the original source for this information

According to the guide, we're going to install the mod_jk package and we're going to enable the proxy_ajp module:

apt install libapache2-mod-jk
a2enmod proxy_ajp

Next, we're going to configure an enabled site under: /etc/apache2/sites-enabled/ajp.conf

The contents will look like the following but you need to adjust the IP address to match the IP address of your Jserv server:


Restart Apache: service apache2 restart

And then when we browse to our own 127.0.0.1:


We head for the manager app and we use the default credentials:


And we're in:


At this point, we can upload a .war file and get a shell.  If this is new to you, this post will help you with the rest.
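
Seen from the Tomcat side, everything above depends on an AJP connector that other hosts can reach and that accepts connections without a shared secret. The following is an added example, not part of the original post: it audits a Tomcat server.xml for those two settings. The sample XML is constructed, and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the post): one exposed AJP
# connector and one hardened connector for comparison.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-SECRET"/>
  </Service>
</Server>
"""

def is_loopback(addr):
    """True when the bind address only accepts local connections."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def audit_ajp_connectors(server_xml):
    """Return [(port, [findings])] for AJP connectors with weak settings."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol may be "AJP/1.3" or an AJP protocol handler class name
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        findings = []
        addr = conn.get("address")
        if addr is None:
            # Assumption: treat a missing address as exposed, because older
            # Tomcat releases bind AJP to all interfaces by default.
            findings.append("no address set; may bind to all interfaces")
        elif not is_loopback(addr):
            findings.append(f"listens on non-loopback address {addr}")
        # "requiredSecret" is the older name for the "secret" attribute
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append("no shared secret configured")
        if findings:
            results.append((conn.get("port"), findings))
    return results

if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML):
        for finding in findings:
            print(f"AJP connector on port {port}: {finding}")
```

A connector that is flagged here and is also reachable from outside the host gives anyone who can connect to 8009 the same view of the manager app shown above, so the manager credentials deserve review at the same time.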