Exploiting Port 8180 – Apache Tomcat
Apache Tomcat provides software to run Java applets in the browser. Coyote is a stand-alone web server that provides servlets to Tomcat applets. That is, it functions like the Apache web server, but for Java Server Pages (JSP). All this means is, web pages accessed through port 8180 will be assembled by a Java web application.
The Nmap scan didn't return the version, so that's probably the first thing we'll want to figure out.
There are many Metasploit modules available for Tomcat so you should focus on your goals:
- Survey the website
- Exploit possible vulnerable pages
- Obtain credentials
- Deploy payload
Surveying Apache Tomcat using Metasploit
Load the proper Metasploit auxiliary module and run it
These turn up some interesting pages that can potentially be bypassed:
This initial recon will set the criteria for the choice of the next Metasploit modules. First, you have a login page - this provides a way to brute-force login credentials. Second, you have a WebDAV interface, and a potential avenue for uploading a PHP shell.
Getting Apache Tomcat credentials using Metasploit
Using the proper Metasploit module will produce immediate results:
That was easy, this module apparently found a set of valid credentials (tomcat/tomcat).
Let’s try to confirm these credentials:
Pay attention to the default settings. Change them if you want, or try them as they are:
Deploying a payload to Apache Tomcat using Metasploit
Just as obtaining a remote shell on the web server with Apache required uploading and executing a PHP script, obtaining a remote shell on this web server will require uploading and executing a file - but for Tomcat, the executable must be a JSP (Java Server Pages) application.
This is solved by the tomcat_mgr_deploy module
Pay attention to the selection of targets and payloads. With the default java/meterpreter/reverse_tcp payload you will probably won’t succeed in getting a session. Try different combinations until you do.
And there is also the tomcat_mgr_upload module which is very similar but it also requires a change of the default payload.
Try it also.
In both cases, you get a low privilege shell
Deploying a payload to Apache Tomcat manually
If, for some reason, the Metasploit automated payload deployment fails you can still exploit this server manually.
The management web interface gives us a place to upload WAR files, and a way to execute them manually.
The .war are Web ARchive files that contain all the files needed for a Java based web application. These are the files used by the Metasploit modules.
Using msfvenom, you can create shellcode and then specify what type of file to send it to. It just so happens, that one of the filetypes that msfvenom supports is .war.
Use msfvenom to craft a WAR file with the payload, then manually upload and execute it.
- Kali IP: 172.16.1.6
- Kali port: 5555
Access the manager at [Target IP]:8180/manager/html. You will be asked for credentials but that is not a problem; just enter tomcat/tomcat.
Select the previous file and deploy it.
Note that this does NOT execute the payload yet!!!
To execute the payload and run the actual .war file, you will need to visit the page http://[Target IP]:8180/runme/. However, this will try and connect to our command-and-control server on port 5555, so you need to be listening for the incoming connection.
Use Netcat to receive the incoming shell once the WAR file is executed.
Now, Netcat will listen for the incoming connection, so you're ready to execute your payload.
Run the applet/exploit on your browser:
And you will have a shell:
NOTE: You can also setup a listener using Metasploit’s multi handler module.
The advantage of using Metasploit is the possibility of changing the session from command shell to meterpreter.
Cleaning up
Remove the runme.war file by going back to [Target IP]:8180/manager/html and clicking "Undeploy".
Exploiting 8787 – Distributed Ruby
Distributed Ruby or DRb allows Ruby programs to communicate with each other on the same machine or over a network. DRb uses remote method invocation (RMI) to pass commands and data between processes.
Easy exploit, just load the proper Metasploit module and use it
This concludes the Metasploitable 2 exploitation. In some of the ports/services you can explore other alternatives but this series of posts illustrates pretty much all there is to it.
The next series of post will deal with Metasploitable 3 Windows and that will be somewhat different, specially because the Windows OS and the services installed in that vulnerable VM offer a lot of possibilities…
Next post: Metasploitable 3 Windows Walkthrough: Part I
No comments:
Post a Comment