Exploiting Port 8282 – Apache Tomcat
Apache Tomcat provides software to run Java applets in the browser. Coyote is a stand-alone web server that provides servlets to Tomcat applets. That is, it functions like the Apache web server, but for Java Server Pages (JSP). All this means is that web pages accessed through port 8282 will be assembled by a Java web application.
There are many Metasploit modules available for Tomcat so you should focus on your goals:
- Survey the website
- Exploit possible vulnerable pages
- Obtain credentials
- Deploy payload
A web service like this might have multiple entry points and multiple valid credentials.
Surveying Apache Tomcat using Metasploit
Apart from the initial page, there might be other interesting pages with other points of entry:
These turn up some interesting pages that can potentially be exploited, namely /manager and /axis2.
Brute forcing Apache Tomcat using Metasploit
Try to brute force your way in using the Metasploit module:
The Tomcat credentials are not the default ones. Therefore, you must try something else.
Try to login to the Manager App
You will be prompted for the credentials:
Now just press “Cancel” and you will see a 401 page with some very interesting information:
So, the Tomcat server is telling you exactly where to find the valid credentials to log in to the Manager App: a file named tomcat-users.xml.
So, all you have to do is read that file to gain proper access to the Tomcat server.
Using a shell from another exploit, browse to:
C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf
Now examine the contents of the file tomcat-users.xml.
This reveals the username and password to be “sploit/sploit”.
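As an added example (not part of the original post), this Python script audits a tomcat-users.xml for the two problems this lab demonstrates: guessable passwords and accounts holding Manager deployment roles. The sample XML is constructed; only the sploit/sploit entry mirrors the lab credentials found above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of conf/tomcat-users.xml. The sploit/sploit entry mirrors the
# lab VM; the other two accounts are made up for the example.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="sploit" password="sploit" roles="manager-gui,manager-script"/>
  <user username="deployer" password="Kx9!vQ2m#rTz" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
</tomcat-users>
"""

# Roles that allow deploying a WAR (i.e. arbitrary code) through the Manager app.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Example passwords that appear in Tomcat documentation and tutorials.
WEAK_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager"}


def _local(tag):
    """Strip the XML namespace that Tomcat 8 puts on every element."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for every risky <user> entry."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if pw == name:
            findings.append((name, "password equals username"))
        elif pw.lower() in WEAK_PASSWORDS or len(pw) < 12:
            findings.append((name, "weak or short password"))
        deploy = sorted(roles & DEPLOY_ROLES)
        if deploy:
            findings.append((name, "can deploy code via manager: " + ",".join(deploy)))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```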
Enumerating Apache Tomcat using Metasploit
The Metasploit module will enumerate the available usernames.
Obtaining a remote shell on this web server will require uploading and executing a file, but for Tomcat the executable must be a JSP (Java Server Pages) application.
Exploiting Apache Tomcat using Metasploit
This is solved by the tomcat_mgr_upload module:
This is a low privilege shell because it used the default Java target and payload.
But using this module you can also get a system shell:
NOTE: With this module you can get at least two meterpreter system shells and two system command shells, depending on the payload you use:
- windows/meterpreter/reverse_tcp
- windows/meterpreter_reverse_tcp
- windows/shell/reverse_tcp
- windows/shell_reverse_tcp
Exploiting Apache Tomcat manually
If, for some reason, the Metasploit automated payload deployment fails you can still exploit this server manually.
The management web interface gives us a place to upload WAR files, and a way to execute them manually.
.war files are Web ARchive files that contain all the files needed for a Java based web application. These are the files used by the Metasploit modules.
Using msfvenom, you can create shellcode and then specify what type of file to write it to. It just so happens that one of the file types msfvenom supports is .war.
Use msfvenom to craft a WAR file with the payload, then manually upload and execute it.
- Kali IP: 172.16.1.6
- Kali port: 5555
Access the manager at [Target IP]:8282/manager/html. You will be asked for credentials but that is not a problem; just enter sploit/sploit.
Select the previous file and deploy it.
Note that this does NOT execute the payload yet! You need to unpack the .war to get the filename of the corresponding .jsp file:
Use Netcat to receive the incoming shell once the WAR file is executed.
To execute the payload and run the actual .war file, you will need to visit the page:
http://[Target IP]:8180/runme/[Name of file.jsp]
Run the applet/exploit on your browser:
And you will have a shell:
NOTE: You can also setup a listener using Metasploit’s multi handler module.
The advantage of using Metasploit is the possibility of changing the session from command shell to meterpreter.
But sometimes this is just not possible.
But you can try to open a meterpreter session directly:
Start the Metasploit handler using the same payload as the one you used in msfvenom:
And you will have a high privilege meterpreter shell.
Cleaning
Remove the .war files by going back to [Target IP]:8282/manager/html and clicking "Undeploy".
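Added example, not from the original post: detection logic for the two Tomcat Manager activities covered above, brute-forcing the login and deploying a WAR through /manager, run over constructed Tomcat access-log lines in the default AccessLogValve "common" format. Hosts, timestamps and the JSP name are made up.

```python
import re
from collections import Counter

# Constructed Tomcat access-log lines ("%h %l %u %t \"%r\" %s %b"); values are made up.
SAMPLE_ACCESS_LOG = """\
172.16.1.6 - - [12/May/2017:10:14:58 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.6 - - [12/May/2017:10:14:58 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.6 - - [12/May/2017:10:14:59 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.6 - - [12/May/2017:10:14:59 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.6 - - [12/May/2017:10:15:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.6 - sploit [12/May/2017:10:15:01 +0000] "GET /manager/html HTTP/1.1" 200 14893
172.16.1.6 - sploit [12/May/2017:10:15:42 +0000] "POST /manager/html/upload HTTP/1.1" 200 16012
172.16.1.6 - sploit [12/May/2017:10:15:49 +0000] "GET /runme/example.jsp HTTP/1.1" 200 0
10.0.0.7 - - [12/May/2017:10:20:00 +0000] "GET /axis2/ HTTP/1.1" 200 3210
"""

LOG_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Manager endpoints that deploy a new web application (WAR upload), HTML and text interfaces.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")


def parse_access_log(text):
    """Yield one dict (host, user, time, method, path, status) per parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect_manager_abuse(text, brute_threshold=5):
    """Return alerts for WAR deployments via the Manager and bursts of failed Manager logins."""
    alerts = []
    failures = Counter()
    for rec in parse_access_log(text):
        path = rec["path"].split("?", 1)[0]  # drop CSRF nonce / query string
        if path.startswith("/manager/") and rec["status"] == "401":
            failures[rec["host"]] += 1
        if path in DEPLOY_PATHS and rec["method"] in ("POST", "PUT") and rec["status"] == "200":
            alerts.append(f"{rec['host']} deployed an application as '{rec['user']}' via {path}")
    for host, n in failures.items():
        if n >= brute_threshold:
            alerts.append(f"{host} had {n} failed Manager logins (possible brute force)")
    return alerts


if __name__ == "__main__":
    print("\n".join(detect_manager_abuse(SAMPLE_ACCESS_LOG)))
```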
Exploiting Port 8282 - Apache Axis2
Apache Axis2 is a core engine for Web services. It is a complete re-design and re-write of the widely used Apache Axis SOAP stack. You access the service from the Tomcat manager page:
That link will open the general service page. From here you can access the Administration page:
Brute forcing Axis2 using Metasploit
Try to brute force the credentials:
Now you have a valid set of credentials to login and manage the Apache Axis2 service.
Exploiting Axis2 using Metasploit
Another possible approach is to exploit the service using the previously found credentials and a Metasploit module.
Using the default module settings, you will get a low privilege meterpreter session.
NOTE: If you have found valid credentials and they were added to the workspace database, the module will load them automatically.
Exploiting Port 8282 - Apache Struts2
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller architecture.
Exploiting Struts2 using Metasploit
This service is exploitable using Metasploit:
As usual, using the default settings for target (Java) and payload, you will get a low privilege session.
Change it to Windows:
Now you have a high privilege session.
Exploiting Port 8484 – Jenkins
Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.
As soon as you open the service, you will get information on where to find the administrator password.
As you did before, you can use a shell to access the initialAdminPassword file and read the password.
Now, using this password, you can administer the Jenkins service:
Enumerating Jenkins using Metasploit
The initial version of Metasploitable 3 shipped with Jenkins v1.67 and that was very vulnerable to enumeration. The current version of the vulnerable VM ships with Jenkins 2.02 and that is completely different:
Exploiting Jenkins using Metasploit
Using the previous credentials, you can get a meterpreter shell:
But it is a low privilege session…