Hello guys,
Here's my second Metasploitable-Attacking video. Today we will exploit Apache Tomcat in Metasploitable, using Metasploit of course.
Attack description:
- We did a full nmap port scan, and I detected Tomcat installed on the server on port 8180.
- Search for "tomcat" in the Metasploit console (the "msfconsole" command) to find any auxiliary module or exploit available for it.
- We found a good exploit that allows command execution, but it needed the USERNAME and PASSWORD of the target server.
- I executed an auxiliary module that tried the default Tomcat login details against the target server (this works when the server admin uses bad passwords).
- We found the login details, which made the code execution exploit possible to use.
- We ran the code execution exploit and got shell access (you can change the payload, but you don't really need to).
- After we got shell access, while searching the /root directory, we found /root/.ssh/authorized_keys.
- As I saw in a post by g0tmi1k about the same attack, those keys have a weakness (READ MORE HERE).
- We download the weak "rsa" keys to crack the key; the file can be found on exploitdb: use "/pentest/exploits/exploitdb/searchsploit" and search for the term "OpenSSL".
- Download and extract the file; using "grep -lr KEY *.pub" we will find the right one.
- Connect to the server using the key (the previous step gives you a file named NUMBER.pub; take the number), then run the command:
ssh -i NUMBER root@IP
And you're done, root access granted ^_^
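The weak link in the chain above is the Tomcat user database: a privileged account with a stock username/password pair is exactly what the login auxiliary module finds. The following is an added example (not from the post or from Metasploit) that audits a `tomcat-users.xml` the way a defender would: it flags accounts using well-known default pairs or short passwords and rates them higher when they hold a manager or admin role. The sample XML, the default-credential list and the severity labels are constructed assumptions for this example.

```python
"""Defender-side audit of a Tomcat user database for default or weak credentials.

Added example: the XML below is constructed to resemble a stock tomcat-users.xml
and is not taken from any real server.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one stock default account, one well-configured account,
# one low-privilege account with a weak password.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="manager,admin"/>
  <user username="deploy" password="S3cure-Long-Passphrase!" roles="manager"/>
  <user username="guest" password="guest" roles=""/>
</tomcat-users>
"""

# Well-known stock pairs from old Tomcat installs and the shipped example file.
# Extend this from your own baseline; this short list is an assumption.
DEFAULT_CREDENTIALS = {
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
    ("tomcat", "s3cret"),
}

# Roles that grant access to the manager/host-manager web apps (code deployment).
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script", "admin-gui"}

MIN_PASSWORD_LENGTH = 12  # assumed policy threshold


def audit_tomcat_users(xml_text):
    """Return a list of findings, one per weak account, ordered as in the file.

    Each finding is a dict with keys: user, reason, privileged, severity.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        # Tomcat 5.x used the "name" attribute; later versions use "username".
        name = user.get("username") or user.get("name") or ""
        password = user.get("password") or ""
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        privileged = bool(roles & PRIVILEGED_ROLES)

        if (name, password) in DEFAULT_CREDENTIALS:
            reason = "default credential pair"
            severity = "critical" if privileged else "high"
        elif len(password) < MIN_PASSWORD_LENGTH:
            reason = "short password"
            severity = "high" if privileged else "low"
        else:
            continue  # account meets the policy

        findings.append(
            {"user": name, "reason": reason, "privileged": privileged, "severity": severity}
        )
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[{f['severity'].upper():8}] {f['user']}: {f['reason']}"
              f"{' (privileged role)' if f['privileged'] else ''}")
```

Run it against a copy of the real file (`$CATALINA_HOME/conf/tomcat-users.xml`) from a build pipeline or a config-management check; any "critical" finding is the condition that lets the login scanner and the deploy exploit in the post succeed, and the fix is to remove the stock account or give it a long unique password and only the roles it needs.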
Video Demo:
Video Available in HD, just change the Quality!