Metasploitable 3 Windows Walkthrough: Part IX

Exploiting Port 8282 – Apache Tomcat

Apache Tomcat is a server for Java web applications (servlets and Java Server Pages). Coyote is Tomcat's stand-alone HTTP connector: it accepts requests much like the Apache web server does, but hands them to Tomcat's servlets and JSP pages. All this means is that web pages accessed through port 8282 are assembled by a Java web application.

There are many Metasploit modules available for Tomcat, so you should focus on your goals:

  • Survey the website
    • Exploit possible vulnerable pages
  • Obtain credentials
  • Deploy payload

Apache Tomcat entry page

A web service like this might have multiple entry points and multiple valid credentials.

Surveying Apache Tomcat using Metasploit

Apart from the initial page, there might be other interesting pages with other points of entry:

Surveying Apache Tomcat with Metasploit

These turn up some interesting pages that can potentially be exploited, namely /manager and /axis2.

Brute forcing Apache Tomcat using Metasploit

Try to brute force your way in using the Metasploit module:

Brute forcing Apache Tomcat with Metasploit

The Tomcat credentials are not the default ones. Therefore, you must try something else.

Try to log in to the Manager App

Accessing the Tomcat Manager App

You will be prompted for the credentials:

Accessing the Tomcat Manager App

Now just press “Cancel” and you will see a 401 page with some very interesting information:

Accessing the Tomcat Manager App

So, the Tomcat server is telling you exactly where to find the valid credentials to log in to the Manager App: a file named tomcat-users.xml.

So, all you have to do is read that file to have proper access to the Tomcat server.

Using a shell from another exploit, browse to:

C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf

Getting Tomcat credentials

Now examine the contents of the file tomcat-users.xml.

Getting Tomcat credentials

This reveals the username and password to be “sploit/sploit”.
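A defender's counterpart to what the walkthrough just found, added here as an example and not part of the original post: it parses a constructed tomcat-users.xml in Tomcat 8's layout and flags accounts that hold Manager or Host Manager roles with weak or username-equal passwords, which is exactly the state that let the credentials be read and reused. The sample file, the role list and the length threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Tomcat 8's conf/tomcat-users.xml.
# The sploit/sploit entry mirrors the credentials the walkthrough found.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="viewer"/>
  <user username="sploit" password="sploit" roles="manager-gui,manager-script"/>
  <user username="reports" password="Lk9#vQ2!pZm7wX" roles="viewer"/>
</tomcat-users>
"""

# Roles that allow deploying or managing applications through the Manager
# and Host Manager apps; an account holding one of these is what lets a
# WAR be pushed to the server. (Assumed list for this example.)
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}


def local_name(tag):
    """Strip the XML namespace Tomcat 8 puts on every element."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return [(username, [issue, ...]), ...] for accounts worth fixing."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if local_name(elem.tag) != "user":
            continue
        # Tomcat 8 uses 'username'; older files used 'name'.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        issues = []
        if privileged:
            issues.append("holds manager/admin role(s): " + ", ".join(privileged))
        if password == name:
            issues.append("password equals username")
        if privileged and len(password) < 12:   # threshold is an assumption
            issues.append("short password on a privileged account")
        if issues:
            findings.append((name, issues))
    return findings
```

Running `audit_tomcat_users(SAMPLE_TOMCAT_USERS)` reports only the sploit account, with all three issues; the viewer account is left alone.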

Enumerating Apache Tomcat using Metasploit

The Metasploit module will enumerate the available usernames:

Enumerating Tomcat with Metasploit

Obtaining a remote shell on this web server will require uploading and executing a file, but for Tomcat the executable must be a JSP (Java Server Pages) application.

Exploiting Apache Tomcat using Metasploit

This is solved by the tomcat_mgr_upload module:

Exploiting Tomcat with Metasploit

This is a low privilege shell because it used the default Java target and payload.

But using this module you can also get a system shell:

Exploiting Tomcat with Metasploit

NOTE: With this module you can get at least two meterpreter system shells and two system command shells, depending on the payload you use:

  • windows/meterpreter/reverse_tcp
  • windows/meterpreter_reverse_tcp
  • windows/shell/reverse_tcp
  • windows/shell_reverse_tcp

Exploiting Apache Tomcat manually

If, for some reason, the Metasploit automated payload deployment fails you can still exploit this server manually.

The management web interface gives us a place to upload WAR files and a way to execute them manually.

Files with the .war extension are Web ARchive files that contain everything needed for a Java-based web application. These are the files used by the Metasploit modules.

Using msfvenom, you can create shellcode and then specify what type of file to write it to. It just so happens that one of the file types msfvenom supports is .war.

Use msfvenom to craft a WAR file with the payload, then manually upload and execute it.

  • Kali IP: 172.16.1.6
  • Kali port: 5555

Creating a payload with msfvenom

Access the manager at [Target IP]:8282/manager/html. You will be asked for credentials but that is not a problem; just enter sploit/sploit.

Select the previous file and deploy it.

Uploading the payload

Note that this does NOT execute the payload yet!!! You need to unpack the .war to get the filename of the corresponding .jsp file:

Unpacking the .war file

Use Netcat to receive the incoming shell once the WAR file is executed.

Starting a Netcat listener

To execute the payload and run the actual .war file, you will need to visit the page:

http://[Target IP]:8180/runme/[Name of file.jsp]

Run the applet/exploit in your browser:

Running the payload on the browser

And you will have a shell:

Netcat shell
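Because both the Metasploit and the manual path above go through the Manager app's deploy endpoints, Tomcat's access log is the natural place to spot them. The following is an added example, not code from the original post: it parses constructed access-log lines in Tomcat's default AccessLogValve format and alerts on successful deploys, plus the first request to a context that only appears after a deploy (the /runme/...jsp step). The log lines, the second and third client addresses and the endpoint list are assumptions.

```python
import re

# Constructed lines in the format of Tomcat's default AccessLogValve pattern
# (%h %l %u %t "%r" %s %b). 172.16.1.6 is the Kali address used in the
# walkthrough; 10.0.0.5 and 10.0.0.9 are made up.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [20/Mar/2019:10:14:40 +0000] "GET /axis2/ HTTP/1.1" 200 1734',
    '172.16.1.6 - sploit [20/Mar/2019:10:15:01 +0000] "GET /manager/html HTTP/1.1" 200 12043',
    '172.16.1.6 - sploit [20/Mar/2019:10:15:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=AB12 HTTP/1.1" 200 12190',
    'this line is not an access log record',
    '172.16.1.6 - - [20/Mar/2019:10:15:55 +0000] "GET /runme/xyz.jsp HTTP/1.1" 200 0',
    '10.0.0.5 - - [20/Mar/2019:10:16:02 +0000] "GET /axis2/services/ HTTP/1.1" 200 2201',
    '10.0.0.9 - - [20/Mar/2019:10:18:10 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '172.16.1.6 - sploit [20/Mar/2019:10:20:00 +0000] "PUT /manager/text/deploy?path=/abc HTTP/1.1" 200 45',
]

ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$')

# Manager endpoints that deploy an application: the HTML upload form and
# the text (script) interface, plus the pre-Tomcat-7 path.
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")


def parse_line(line):
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None


def context_of(path):
    """First path segment, e.g. /runme/xyz.jsp -> /runme; '/' for the root."""
    parts = path.split("/")
    return "/" + parts[1] if len(parts) > 1 and parts[1] else "/"


def detect_manager_deploys(lines):
    alerts = []
    deployed = False
    known = set()   # contexts seen before the first deploy form the baseline
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # skip malformed records rather than crash
        path = rec["target"].split("?", 1)[0]
        ctx = context_of(path)
        is_deploy = rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PREFIXES)
        if is_deploy and rec["status"] == "200":
            deployed = True
            alerts.append(f"deploy via {rec['method']} {path} by {rec['user']}@{rec['host']}")
        elif deployed and ctx not in known and ctx != "/manager":
            alerts.append(f"first request to new context {ctx} after a deploy: {rec['host']} {rec['method']} {path}")
        known.add(ctx)
    return alerts
```

On the sample this yields three alerts: the HTML upload, the first hit on /runme, and the text-interface deploy; the failed 401 login and the already-known /axis2 context stay quiet.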

NOTE: You can also setup a listener using Metasploit’s multi handler module.

Metasploit command shell

The advantage of using Metasploit is the possibility of changing the session from command shell to meterpreter.

But sometimes this is just not possible.

Failed shell upgrade

But you can try to open a meterpreter session directly:

Creating a new payload with msfvenom

Unpacking the payload

Uploading the payload

Start the Metasploit handler using the same payload as the one you used with msfvenom:

Starting a Metasploit listener

Running the Java payload

Meterpreter system shell

And you will have a high privilege meterpreter shell.

Cleaning

Remove the .war files by going back to [Target IP]:8282/manager/html and clicking "Undeploy".

Exploiting Port 8282 - Apache Axis2

Apache Axis2 is a core engine for Web services. It is a complete re-design and re-write of the widely used Apache Axis SOAP stack. You access the service from the Tomcat manager page:

Accessing Apache Axis2

That link will open the general service page. From here you can access the Administration page:

Accessing Apache Axis2

Accessing Apache Axis2

Brute forcing Axis2 using Metasploit

Try to brute force the credentials:

Brute forcing Axis2 with Metasploit

Now you have a valid set of credentials to login and manage the Apache Axis2 service.

Exploiting Axis2 using Metasploit

Another possible approach is to exploit the service using the previously found credentials and a Metasploit module.

Exploiting Axis2 with Metasploit

Using the default module settings, you will get a low privilege meterpreter session.

NOTE: If you have found valid credentials and they were added to the workspace database, the module will load them automatically.

Exploiting Port 8282 - Apache Struts2

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller architecture.

Accessing Apache Struts2

Exploiting Struts2 using Metasploit

This service is exploitable using Metasploit:

Exploiting Struts2 with Metasploit

As usual, using the default settings for target (Java) and payload, you will get a low privilege session.

Change it to Windows:

Exploiting Struts2 with Metasploit

Now you have a high privilege session.

Exploiting Port 8484 – Jenkins

Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.

As soon as you try to view the service, you will get information on where to find the administrator password.

Jenkins entry page

Like you did before, using a shell you can get access to the initialAdminPassword file and read the password.

Jenkins password

Now, using this password, you can administer the Jenkins service:

Accessing Jenkins

Enumerating Jenkins using Metasploit

The initial version of Metasploitable 3 shipped with Jenkins v1.67 and that was very vulnerable to enumeration. The current version of the vulnerable VM ships with Jenkins 2.02 and that is completely different:

Enumerating Jenkins with Metasploit

Exploiting Jenkins using Metasploit

Using the previous credentials, you can get a meterpreter shell:

Exploiting Jenkins with Metasploit

But it is a low privilege session…
