In this article we will focus on the Apache Tomcat Web server and how we can discover the administrator’s credentials in order to gain access to the remote system.So we are performing our internal penetration testing and we have discovered the Apache Tomcat running on a remote system on port 8180.

Apache Tomcat Discovery

 

Our next step will be to open metasploit framework and to search for specific modules about the Apache Tomcat by using the command search Tomcat.

Available Modules for Apache Tomcat

 

We have found an auxiliary scanner which will be the tool for our attempt to login to the Tomcat Application Manager.So we are selecting the scanner by using the command use auxiliary/scanner/http/tomcat_mgr_login and then we are configuring it properly as it appears on the next screenshot.

Configuration on the scanner

 

We don’t have to give to give a path for a password list in this module because it is already configured to scan the password from a specific list of the metasploit wordlists.However if we have an appropriate wordlist,bigger than the existing one we can select our own.So we run the scanner and we are waiting to see if it will discover any valid credentials.

Discovery Valid Credentials in Apache Tomcat

 

The scanner have discovered valid credentials under the username tomcat and password tomcat.Now it is time to select the appropriate exploit in order to gain access to the remote target through the Apache Tomcat service.The metasploit framework has a specific module which can be used to execute a payload on Apache Tomcat servers that are running the manager application.

Apache Tomcat Exploit

 

We can see from the above image that there is an option for username and an option for password to authenticate with the application in order to deliver the exploit.We already have valid credentials for this server from our previous scan so we will use them.The next image is showing how we have configured the exploit.

Exploit Settings

 

We will use the port 8180 instead of 80 because this is the port that the Apache Tomcat is running.Also as you can see it is important to set any valid credentials that you have discovered.

Exploitation of Apache Tomcat

 

As you can the exploit is uploading the payload as a .war archive and then it tries to execute the .jsp application using a PUT request.The exploit work and now we have a shell on the remote target.As an alternative option for the payload we could have used a meterpreter payload in order to execute more commands on the target instead of a simple shell.

Meterpreter Session through Apache Tomcat

 

Alternatively if we just want to get access to the web server we could use the valid credentials that we already know in order to login from the admin panel to Apache through our browser.The next two images are showing that:

Tomcat Login Screen

 

Apache Tomcat with login with valid account

 

Conclusion

In this article we demonstrate of how to use some specific metasploit modules of Apache Tomcat web server in order to gain a shell to the remote system.Of course the key factor here was that we have discovered a valid account.In real penetration testings it would much more difficult to identify such weak credentials as here.However the methodology is the same and with a good wordlist you can have the job done.

6 Comments

  1. Where did you get that error?As you can see from the example images it is working.Alternatively you can use the meterpreter.I am running Apache Tomcat on an Ubuntu Server.If you use windows of course you have to select a different payload.

  2. using the tomcat_mgr_deploy and exploiting the server
    I get the following error

    [-]Failed: Error requesting /manager/serverinfo
    [-] Exploit exception: Unable to automatically select a target
    [*] Exploit completed, but no session was created.

  3. In tomcat_mgr_login I get the following:

    [-] x.x.x.x:x TOMCAT_MGR – /manager/html – No response
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    I guess that means that the server isn’t using the default location for the URI, but is there away to figure out what it is?

  4. @dh

    The problem is that the path /manager/serverinfo is not exist.You need to configure the path on the metasploit module properly by discovering first the correct path of the manager if it exists on the server.Also have in mind that many administrators disable these Tomcat modules or they change the name of the directories.

    @SpyMachine

    Yes you are right!The server is not using the default URI.You need first to discover it.Try the program dirbuster in order to identify all the paths of the server and maybe the potential location of the administration panel.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s