0x00 Preface

---

This article documents the details of setting up a GoAnywhere Managed File Transfer vulnerability debugging environment from scratch.

0x01 Introduction

---

This article will cover the following topics:

  • GoAnywhere Managed File Transfer Installation
  • GoAnywhere Managed File Transfer Vulnerability Debugging Environment Configuration
  • Database Operations

0x02 GoAnywhere Managed File Transfer Installation

---

Reference: https://static.fortra.com/goanywhere/pdfs/guides/ga6_8_6_installation_guide.pdf

Download URL: https://www.goanywhere.com/products/goanywhere-free/download

Registration is required to obtain a license.

GoAnywhere Managed File Transfer can be installed on either Windows or Linux.

Default web path on Windows system: C:\Program Files\HelpSystems\GoAnywhere\tomcat\webapps\ROOT

Default web path on Linux system: /usr/local/HelpSystems/GoAnywhere/tomcat/webapps/ROOT

1. Enable remote debugging

Remote debugging is provided by Tomcat's own debugging support, which is enabled as follows:

  • Switch to the bin directory
  • Execute command: catalina jpda start

Once enabled, the Tomcat debugger listens on local port 8000 by default.

For GoAnywhere Managed File Transfer, debugging is enabled as follows:

(1) Debugging on Windows

Modify the properties of C:\Program Files\HelpSystems\GoAnywhere\tomcat\bin\GoAnywhere.exe:

Double-click C:\Program Files\HelpSystems\GoAnywhere\tomcat\bin\GoAnywhere.exe, switch to the Java tab, and add the following to Java Options: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8090

Restart the GoAnywhere service.

(2) Debugging on Linux

Modify file: /opt/HelpSystems/GoAnywhere/tomcat/bin/start_tomcat.sh, change exec "$PRGDIR"/"$EXECUTABLE" start "$@" to exec "$PRGDIR"/"$EXECUTABLE" jpda start "$@"

Modify file: /opt/HelpSystems/GoAnywhere/tomcat/bin/goanywhere_catalina.sh, change JPDA_ADDRESS="localhost:8000" to JPDA_ADDRESS="*:8090"

Note:

Tomcat's default debug port 8000 conflicts with GoAnywhere Managed File Transfer's web port, so the debug port is changed to 8090 here.

Open firewall to allow external access to port 8090: iptables -I INPUT -p tcp --dport 8090 -j ACCEPT

Start GoAnywhere process: /opt/HelpSystems/GoAnywhere/goanywhere.sh start
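
The two Linux edits above, scripted so they can be re-applied cleanly; this is an added example, not part of the original article or of GoAnywhere. The function name enable_jpda, its arguments and the .orig backup suffix are assumptions of the example; the file names and the before/after strings are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the article): apply the two JPDA edits idempotently.
# File names and before/after strings are those quoted above; enable_jpda,
# its arguments and the ".orig" suffix are assumptions of this sketch.

enable_jpda() {
    bin_dir=$1
    addr=${2:-*:8090}   # the article's value; 127.0.0.1:8090 keeps JDWP on loopback
    start="$bin_dir/start_tomcat.sh"
    cata="$bin_dir/goanywhere_catalina.sh"

    if [ ! -f "$start" ] || [ ! -f "$cata" ]; then
        echo "start_tomcat.sh / goanywhere_catalina.sh not found in $bin_dir" >&2
        return 2
    fi
    # Allow only host:port or *:port so the value is inert inside sed.
    case $addr in
        *[!A-Za-z0-9.:*-]*) echo "bad address: $addr" >&2; return 2 ;;
        *:[0-9]*) ;;
        *) echo "bad address: $addr" >&2; return 2 ;;
    esac

    # Keep one pristine copy and always regenerate from it, so re-running
    # (or changing the address later) never stacks edits.
    for f in "$start" "$cata"; do
        [ -f "$f.orig" ] || cp -p "$f" "$f.orig"
    done

    # Edit 1: launch Tomcat with the "jpda" argument.
    sed 's|exec "\$PRGDIR"/"\$EXECUTABLE" start "\$@"|exec "$PRGDIR"/"$EXECUTABLE" jpda start "$@"|' \
        "$start.orig" > "$start"
    # Edit 2: move the JDWP listener off port 8000.
    sed "s|JPDA_ADDRESS=\"localhost:8000\"|JPDA_ADDRESS=\"$addr\"|" \
        "$cata.orig" > "$cata"

    # Succeed only if both target strings are present, i.e. the shipped
    # scripts really contained the lines the article quotes.
    grep -qF 'jpda start "$@"' "$start" &&
        grep -qF "JPDA_ADDRESS=\"$addr\"" "$cata"
}

# Run as: sh enable_jpda.sh /opt/HelpSystems/GoAnywhere/tomcat/bin [host:port]
if [ "$#" -gt 0 ]; then
    enable_jpda "$@"
fi
```

Passing 127.0.0.1:8090 as the second argument keeps the unauthenticated JDWP listener on loopback; the iptables rule is then unnecessary and the debugger connects through an SSH port forward.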

0x03 Database Operations

---

GoAnywhere Managed File Transfer uses an Apache Derby database.

Default database storage location on Windows: C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere

Default database storage location on Linux: /opt/HelpSystems/GoAnywhere/userdata/database/goanywhere/

Implementation details of database operations can be obtained from ga_classes.jar in the lib folder

From it we can recover the implementation details of web user password hashing. The corresponding location is: C:\Program Files\HelpSystems\GoAnywhere\lib\ga_classes.jar!\com\linoma\ga\ui\admin\action\user\ChangeUserPasswordAction.class

The extracted Java implementation is as follows:

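    import com.linoma.commons.crypto.PasswordHash;
    import com.linoma.commons.crypto.PasswordHashFactory;
    import com.linoma.dpa.util.SystemInfo;

    // Needs the jars from the GoAnywhere lib folder on the classpath.
    public class Main {
        public static void main(String[] args) throws Exception {
            // Obtain the hasher for the algorithm the installation is configured to use.
            PasswordHash hasher = PasswordHashFactory.getPasswordHash(SystemInfo.getPasswordHashAlgorithm(), "");
            // Hash the plaintext password the same way ChangeUserPasswordAction does.
            String hashed = hasher.hash("Password@123456");
            System.out.println(hashed);
        }
    }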

1. Reading Derby Database

(1) Command Line Implementation

Using Apache Derby, download address: https://archive.apache.org/dist/db/derby/db-derby-10.14.2.0/db-derby-10.14.2.0-bin.zip

Run ij.bat in the bin directory

Connect to database: connect 'jdbc:derby:C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere;';

Query user configuration: SELECT * FROM DPA_USER;

(2) GUI Implementation

Use DBSchema, download link: https://dbschema.com/download.html

After launching DBSchema, select to connect to the Derby database, choose derbytools.jar org.apache.derby.jdbc.EmbeddedDriver as the JDBC Driver, and select C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere as the Folder

Query the user data table.

It can be seen that the default users are the following three:

  • Administrator, disabled
  • root, disabled
  • admin, default user

2. Modify the Database

GoAnywhere Managed File Transfer's Derby database runs in embedded mode, so other applications cannot access it. There are therefore two methods to modify the data, depending on the state of the service:

(1) GoAnywhere Managed File Transfer is running

Database modification can be achieved by writing a JSP file.

(2) GoAnywhere Managed File Transfer is stopped

You can use Apache Derby or DBSchema to open the database folder and modify it directly.

Example commands for modifying the database:

Enable root user: UPDATE APP.DPA_USER SET ENABLED='1' WHERE USER_NAME='root';

Set root user password: UPDATE APP.DPA_USER SET USER_PASS='$5$mpoe6zI4B6+LHRMdbFKr8g==$RnAILbYe9KDauKE3wXTFVvlXQNZeM4Z2c7x1aEtME/U=' WHERE USER_NAME='root';

0x04 Summary

---

After setting up the GoAnywhere Managed File Transfer vulnerability debugging environment, we can proceed to study the vulnerability.