So after my last post about getting into Tomcat with Metasploit I decided that Metasploit was fun to mess with but if I actually want to learn then I needed to actually do what Metasploit was doing for me.
In order to do this I had two major goals. First, I needed to brute force Tomcat’s login page. I decided to write this in python and to make it reusable. The second goal was going to be getting a reverse shell. This is going to wait for tomorrow though.
(If you want to follow along you can download the tool here)
- Open a file with Python
- Iterate over the files and print them to the screen
- Make a request to the server with all of the creds we are iterating over
This sounded simple enough. For an experienced programmer like myself I should blow through this… right? WRONG…
Okay, well it wasn’t SUPER hard since I have experience coding but I did hit some problems along the way so buckle up.
Opening a file in Python and Iterating over it
This is actually super easy. I was surprised considering how much of a pain in the ass it is for every other language. Add in some for loops and you have yourself some user name and password iteration magic.
Open a connection to Tomcat
This is where things get a little hairy. You would think you could just call the action value in the forum tag on the login page with the creds…. Neh… I spent a couple hours on this figuring out why my requests weren’t going through. It turns out that when you load the login page you’re passed a token. This token needs to be parsed and passed along in the login request. Otherwise the server freaks out and says that you’re attempting to reference it directly.
Here is the request to the login page
The first URL is the request to the login credentials check. You can ignore that for the moment. The second URL, the one to /admin/index.jsp, is the request to the login page where we will find our token.
Grabbing the token
Once we have the response from the login window request we can simply reach in and get the ‘Set-Cookie’ token out. As you will notice I am also parsing some data out of it. They tack on some extra crap. If you include this in your request header you’re going to have a bad time. Just remove it and you’re good to go.
Make the login request
Now that we have our token we can send off our login attempt. It’s important to remember to refresh the token every request. I noticed that it would start refusing it after a few attempts. It’s late and I don’t want to figure out how many chances I get to use the token so I just renewed it every time. It’s a ton extra and if I were using this in a production environment I would probably spend a little more time on this.
Just create a dictionary of headers. I called mine kwargs because this is what it’s referred to as in the Python Request library documentation. I add in my ‘Cookie’ token combo and I also add in a flag that allows the browser to redirect. When I looked at this request in burp there were a few redirects before I actually got to the login page
Something else worth noting is how I am passing in the creds. I didn’t want to have to calculate the content-length field in the headers so instead of doing all of that I just used the built in data function in pythons Request library. I also tried building all of this with just straight sockets and setting all of the headers by hand but it was a huge pain in the ass so I decided to go this route instead.
Parsing the results
The last step is to figure out if we had a successful connection or not. At this point my brain is fried and I just want to get some results. So I decided to check the response content for the string “Invalid username or password”. Funny enough this worked like a charm.
When you run the script (in Kali) it will use the metasploit wordlists for tomcat and run over them until it finds a hit. If it finds a hit then it echos it out to you and asks if you want to continue;
I am super proud at the moment and super tired as well. Tomorrow I am going to implement part two of this exploit which is getting a shell into the system now that I have creds. I don’t know how metasploit did it yet. I know it has something to do with the upload manager. Regardless tomorrow it’s going down 🙂