Metasploitable 2 Walkthrough: Part X

Exploiting Port 8180 – Apache Tomcat

Apache Tomcat provides software to run Java applets in the browser. Coyote is a stand-alone web server that provides servlets to Tomcat applets. That is, it functions like the Apache web server, but for Java Server Pages (JSP). All this means is, web pages accessed through port 8180 will be assembled by a Java web application.

The Nmap scan didn't return the version, so that's probably the first thing we'll want to figure out.

There are many Metasploit modules available for Tomcat so you should focus on your goals:

  • Survey the website
    • Exploit possible vulnerable pages
  • Obtain credentials
  • Deploy payload

Surveying Apache Tomcat using Metasploit

Load the proper Metasploit auxiliary module and run it

Surveying the Apache Tomcat service

These turn up some interesting pages that can potentially be bypassed:

Tomcat admin login page

Tomcat WebDAV

This initial recon will set the criteria for the choice of the next Metasploit modules. First, you have a login page - this provides a way to brute-force login credentials. Second, you have a WebDAV interface, and a potential avenue for uploading a PHP shell.

Getting Apache Tomcat credentials using Metasploit

Using the proper Metasploit module will produce immediate results:

Getting Tomcat credentials

That was easy, this module apparently found a set of valid credentials (tomcat/tomcat).

Let’s try to confirm these credentials:

image

Pay attention to the default settings. Change them if you want, or try them as they are:

Testing the Tomcat credentials

Deploying a payload to Apache Tomcat using Metasploit

Just as obtaining a remote shell on the web server with Apache required uploading and executing a PHP script, obtaining a remote shell on this web server will require uploading and executing a file - but for Tomcat, the executable must be a JSP (Java Server Pages) application.

This is solved by the tomcat_mgr_deploy module

Exploiting Tomcat with MSF

Pay attention to the selection of targets and payloads. With the default java/meterpreter/reverse_tcp payload you will probably won’t succeed in getting a session. Try different combinations until you do.

And there is also the tomcat_mgr_upload module which is very similar but it also requires a change of the default payload.

Try it also.

Exploiting Tomcat with MSF

In both cases, you get a low privilege shell

Deploying a payload to Apache Tomcat manually

If, for some reason, the Metasploit automated payload deployment fails you can still exploit this server manually.

The management web interface gives us a place to upload WAR files, and a way to execute them manually.

The .war are Web ARchive files that contain all the files needed for a Java based web application. These are the files used by the Metasploit modules.

Using msfvenom, you can create shellcode and then specify what type of file to send it to. It just so happens, that one of the filetypes that msfvenom supports is .war.

Use msfvenom to craft a WAR file with the payload, then manually upload and execute it.

  • Kali IP: 172.16.1.6
  • Kali port: 5555

Creating the Web Archive payload

Access the manager at [Target IP]:8180/manager/html. You will be asked for credentials but that is not a problem; just enter tomcat/tomcat.

Select the previous file and deploy it.

Uploading the payload to Tomcat

Note that this does NOT execute the payload yet!!!

To execute the payload and run the actual .war file, you will need to visit the page http://[Target IP]:8180/runme/. However, this will try and connect to our command-and-control server on port 5555, so you need to be listening for the incoming connection.

Use Netcat to receive the incoming shell once the WAR file is executed.

Starting the Netcat listener

Now, Netcat will listen for the incoming connection, so you're ready to execute your payload.

Run the applet/exploit on your browser:

Running the payload

And you will have a shell:

Netcat shell

NOTE: You can also setup a listener using Metasploit’s multi handler module.

Metasploit command shell

The advantage of using Metasploit is the possibility of changing the session from command shell to meterpreter.

Upgrading the command shell to meterpreter shell

Cleaning up

Remove the runme.war file by going back to [Target IP]:8180/manager/html and clicking "Undeploy".

Exploiting 8787 – Distributed Ruby

Distributed Ruby or DRb allows Ruby programs to communicate with each other on the same machine or over a network. DRb uses remote method invocation (RMI) to pass commands and data between processes.

Easy exploit, just load the proper Metasploit module and use it

Exploiting Distributed Ruby with Metasploit

This concludes the Metasploitable 2 exploitation. In some of the ports/services you can explore other alternatives but this series of posts illustrates pretty much all there is to it.

The next series of post will deal with Metasploitable 3 Windows and that will be somewhat different, specially because the Windows OS and the services installed in that vulnerable VM offer a lot of possibilities…


Next post: Metasploitable 3 Windows Walkthrough: Part I

No comments: