Last year, I became interested in bug bounties and saw the Dutch government will mail you swag (often the t-shirt pictured above) if you’re able to hack one of their websites. The scope is huge, with over 1000 domains: https://gist.github.com/R0X4R/81e6c50c091a20b060afe5c259b58cfa#file-domains-txt

I chose targets at random, and spent a couple of weeks trying XSS and SSRF attacks but was unsuccessful. Soon after, I started looking for less popular vulnerabilities and found one relatively quick on https://www.bodemloket.nl which is the Netherlands’ Ministry of Infrastructure and Water Management’s website. I was able to access the site’s Tomcat web root using a path traversal payload.

Tomcat & Reverse Proxies

Apache Tomcat is a free, open-sourced web application server. If a website is using Tomcat, it will have endpoints such as manager/status and manager/html that will not be accessible to normal users. However, you can check if they exist by appending them to the domain name. Ex: http://www.example.com/manager/html. A good way to automate finding domains with these endpoints is by using FFUF: https://github.com/ffuf/ffuf.

At first, I tried https://www.bodemloket.nl/manager/status which gave the following result:

Nginx is a reverse proxy that sits in between the browser and the backend and will direct our requests to the appropriate backend server if we have access to it. The 403 forbidden error is a good sign because it shows the Tomcat endpoint exists; we just don’t have access to it.

The key to this bug is Nginx being used with Tomcat (without added safeguards) because Tomcat normalizes paths and Nginx often doesn’t. Tomcat will treat a path that contains /..;/ as /../, whereas, Nginx will pass it to Tomcat as is. This means if we use a path traversal payload after a Tomcat endpoint such as /manager/..;/ the reverse proxy will see nothing wrong with it and pass it to Tomcat, which Tomcat evaluates to the root directory.

Watch Orange Tsai’s presentation at DEF CON 26 for a more in-depth explanation on how this works: https://www.youtube.com/watch?v=28xWcRegncw

Exploiting

Here is the payload I used: https://www.bodemloket.nl/manager/..; which gave the following result:

Success! This shouldn’t be accessible to the public. Append another slash to the URL to get a more friendly view of the Tomcat root:

I was also able to access the Tomcat example scripts, which are vulnerable to XSS attacks and information disclosure. I didn’t screenshot these but you can find them online. Lastly, I found a couple high CVEs for the Tomcat version they were using. I stopped here and submitted a bug report. In hindsight, I probably could’ve pushed this further.

The main benefit of getting Tomcat access is getting access to the manager, which can lead to an RCE as it allows you to upload and deploy a .war file. Default credentials are tomcat:s3cret and are often not changed since you shouldn’t be able to hit the manager endpoint. If they are changed, you can find common combinations online or brute-force with something like Burp Suite. Again, if this was a paid bug bounty program I would’ve tried harder to escalate, but I was lazy and just really wanted the t-shirt.

The day after I submitted my report I received the following email:

About 10 days later, they informed me the vulnerability was fixed and asked me to retest. Here is what you’ll see if you try the payload today:

Timeline

06/11/23 — Reported vulnerability

07/11/23 — NCSC confirmed the vulnerability

16/11/23 — Fixed and retested

14/12/23 — Received the t-shirt and letter