GITBOOK-4444: No subject

SUMMARY.md

@@ -430,7 +430,7 @@
   * [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md)
   * [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md)
   * [Symfony](network-services-pentesting/pentesting-web/symphony.md)
-  * [Tomcat](network-services-pentesting/pentesting-web/tomcat.md)
+  * [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md)
   * [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
   * [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md)
   * [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md)

network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md

@@ -32,7 +32,7 @@ Stay informed with the newest bug bounties launching and crucial platform update
 
 ## Basic Information
 
-From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
+From [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
 
 > AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
 
@@ -49,11 +49,9 @@ PORT     STATE SERVICE
 
 ## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)
 
-If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an [exploit](https://www.exploit-db.com/exploits/48143) that works with this issue.
+This is an LFI vuln which allows to get some files like `WEB-INF/web.xml` which contains credentials. This is an [exploit](https://www.exploit-db.com/exploits/48143) to abuse the vulnerability and AJP exposed ports might be vulnerable to it.
 
-Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. Still, this can include files like `WEB-INF/web.xml` which can leak important information like credentials for the Tomcat interface, depending on the server setup.
-
-Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue.
+The patched versions are at or above 9.0.31, 8.5.51, and 7.0.100.
 
 ## Enumeration
 
@@ -67,35 +65,28 @@ nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
 
 ## AJP Proxy
 
-### Nginx Reverse Proxy & AJP
+### Nginx Reverse Proxy + AJP
 
-[Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version)
+([Checkout the Dockerized version](8009-pentesting-apache-jserv-protocol-ajp.md#Dockerized-version))
 
-When we come across an open AJP proxy port (8009 TCP), we can use Nginx with the `ajp_module` to access the "hidden" Tomcat Manager. This can be done by compiling the Nginx source code and adding the required module, as follows:
+It's possible to communicate with an open AJP proxy port (8009 TCP) by using the Nginx `ajp_module` apache module and access the Tomat Manager from this port which could ultimately lead to RCE in the vulnerable server.
 
-* Download the Nginx source code
-* Download the required module
-* Compile Nginx source code with the `ajp_module`.
-* Create a configuration file pointing to the AJP Port
+* Start downloading Nginx from [https://nginx.org/en/download.html](https://nginx.org/en/download.html) and then compile it with the ajp module:
 
 ```bash
-# Download Nginx code
-wget https://nginx.org/download/nginx-1.21.3.tar.gz
-tar -xzvf nginx-1.21.3.tar.gz
-
-# Compile Nginx source code with the ajp module
+# Compile Nginx with the ajp module
 git clone https://github.com/dvershinin/nginx_ajp_module.git
-cd nginx-1.21.3
+cd nginx-version
 sudo apt install libpcre3-dev
 ./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
 make
 sudo make install
 nginx -V
 ```
 
-Comment out the entire `server` block and append the following lines inside the `http` block in `/etc/nginx/conf/nginx.conf`.
+* Then, comment the `server` block and add the following in the `http` block in `/etc/nginx/conf/nginx.conf`.
 
-```shell-session
+```json
 upstream tomcats {
 	server <TARGET_SERVER>:8009;
 	keepalive 10;
@@ -109,41 +100,7 @@ server {
 }
 ```
 
-Start Nginx and check if everything is working correctly by issuing a cURL request to your local host.
-
-```html
-sudo nginx
-curl http://127.0.0.1:80
-
-<!DOCTYPE html>
-<html lang="en">
-    <head>
-        <meta charset="UTF-8" />
-        <title>Apache Tomcat/X.X.XX</title>
-        <link href="favicon.ico" rel="icon" type="image/x-icon" />
-        <link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
-        <link href="tomcat.css" rel="stylesheet" type="text/css" />
-    </headas
-    <body>
-        <div id="wrapper">
-            <div id="navigation" class="curved container">
-                <span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
-                <span id="nav-hosts"><a href="/docs/">Documentation</a></span>
-                <span id="nav-config"><a href="/docs/config/">Configuration</a></span>
-                <span id="nav-examples"><a href="/examples/">Examples</a></span>
-                <span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
-                <span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
-                <span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
-                <br class="separator" />
-            </div>
-            <div id="asf-box">
-                <h1>Apache Tomcat/X.X.XX</h1>
-            </div>
-            <div id="upper" class="curved container">
-                <div id="congrats" class="curved container">
-                    <h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>
-<SNIP>
-```
+* Finally, start nginx (`sudo nginx`) and check it works by accessing `http://127.0.0.1`
 
 ### Nginx Dockerized-version
 
@@ -161,36 +118,11 @@ docker run -it --rm -p 80:80 nginx-ajp-proxy
 
 ### Apache AJP Proxy
 
-Encountering an open port 8009 without any other accessible web ports is rare. However, it is still possible to exploit it using **Metasploit**. By leveraging **Apache** as a proxy, requests can be redirected to **Tomcat** on port 8009.
-
-```bash
-sudo apt-get install libapache2-mod-jk
-sudo vim /etc/apache2/apache2.conf # append the following line to the config
-    Include ajp.conf
-sudo vim /etc/apache2/ajp.conf     # create the following file, change HOST to the target address 
-    ProxyRequests Off
-    <Proxy *>
-        Order deny,allow
-        Deny from all
-        Allow from localhost
-    </Proxy>
-    ProxyPass       / ajp://HOST:8009/
-    ProxyPassReverse    / ajp://HOST:8009/
-sudo a2enmod proxy_http
-sudo a2enmod proxy_ajp
-sudo systemctl restart apache2
-```
-
-This setup offers the potential to bypass intrusion detection and prevention systems (IDS/IPS) due to the **AJP protocol's binary nature**, although this capability has not been verified. By directing a regular Metasploit Tomcat exploit to `127.0.0.1:80`, you can effectively seize control of the targeted system.
-
-```bash
-msf  exploit(tomcat_mgr_deploy) > show options
-```
+It's also possible to use an **Apache AJP proxy** to access that port instead of **Nginx**.
 
 ## References
 
 * [https://github.com/yaoweibin/nginx\_ajp\_module](https://github.com/yaoweibin/nginx_ajp_module)
-* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
 
 <figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>