WebEasy

Tomwhat

CTF writeup for Tomwhat from heroCTF

//Walkthrough - Tomwhat

I have successfully retrieved the flag from the remote instance.

>Challenge Analysis

The challenge consists of a Tomcat server with two custom web applications: light and dark.

  • light allows setting a username session attribute, but explicitly forbids "darth_sidious".

  • dark has an AdminServlet that reveals the flag if the username session attribute is "darth_sidious".

  • The server is configured with PersistentManager using FileStore in a shared directory (temp/sessions) and sessionCookiePath="/". The cookie path means the browser presents one JSESSIONID cookie to every context, and because each context's PersistentManager persists to and loads from the same directory, a session created in one web application can be loaded by another. In effect, sessions are shared across all web applications on the server.

>Exploitation Path

  1. Reconnaissance: I discovered that the default Tomcat /examples application was accessible on the remote server. This application is often removed in production but was present here.
  2. Vulnerability Identification: The /examples/servlets/servlet/SessionExample servlet allows users to set arbitrary session attributes: it calls session.setAttribute() on whatever dataname/datavalue parameters it receives, with no allow-list.
  3. Exploitation:
    • I used the SessionExample servlet to set the username session attribute to darth_sidious. This bypassed the check in LightServlet because I wasn't using LightServlet to set the session.

    • Because of the shared session storage (PersistentManager), the session created in /examples is valid and accessible in /dark. Note that /dark's manager only finds the session once it has been written to the FileStore; it is the on-disk copy, not /examples' in-memory session object, that crosses the context boundary, so the second request may need to wait for the manager to persist it.

    • I accessed /dark/admin using the same session ID.

    • The AdminServlet read the username attribute ("darth_sidious") from the shared session and revealed the flag.

>Flag

Hero{a2ae73558d29c6d438353e2680a90692}