Metasploitable Guide Part 3 : Exploiting Tomcat, MySQL and TikiWiki

Posted: November 23, 2011 in Guides

In the last part of the Metasploitable guide we obtained the usernames and passwords of all users with a shell as well as a few others. At this point you should have four shells on your Metasploitable VM – One from the usermap Samba vulnerability and 3 SSH sessions from stolen credentials.

In this part of the guide we’re going to exploit Tomcat and TikiWiki, and take advantage of weak MySQL credentials, to get two more shells.

Exploiting Tomcat

If you recall from our initial nmap scan we could see that TCP port 8180 has Apache Tomcat 5.5 running on it.

We can also infer from the prior use of credentials on this system that the credentials for Tomcat might also be weak, so we’re going to attempt to brute force the Tomcat credentials.

We’ll find that our username is tomcat with password tomcat. We can then simply use the Tomcat Application Deployment exploit to upload a malicious application (in this case meterpreter) and gain another shell.
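From the defensive side, the pattern described above (a burst of failed manager logins, a success, then an application upload) is easy to spot in the Tomcat access log. The following detector is an added example, not part of the original post or of Metasploit; the log lines, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Tomcat AccessLogValve lines (pattern "%h %l %u %t \"%r\" %s %b").
# Not real Metasploitable output; invented to show the brute-force-then-deploy chain.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2011:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [23/Nov/2011:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [23/Nov/2011:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [23/Nov/2011:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [23/Nov/2011:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [23/Nov/2011:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 19034
10.0.0.5 - tomcat [23/Nov/2011:10:00:09 +0000] "POST /manager/html/upload HTTP/1.1" 200 1234
10.0.0.9 - admin [23/Nov/2011:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 19034
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

FAIL_THRESHOLD = 5   # assumed tuning value: 401s from one IP before alerting
WINDOW_SECONDS = 60  # assumed sliding window for counting failures


def detect_manager_abuse(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return (ip, finding) tuples: 'brute_force' when an IP reaches `threshold`
    401s against /manager inside `window` seconds, 'credential_guessed' when that
    IP later gets a 200, and 'deploy' for any PUT or /manager/html/upload hit."""
    failures = defaultdict(list)  # ip -> timestamps of recent 401s
    flagged, findings = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group('path').startswith('/manager'):
            continue
        ip, status = m.group('ip'), int(m.group('status'))
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        if status == 401:
            # keep only failures inside the sliding window, then count them
            failures[ip] = [t for t in failures[ip] + [ts] if (ts - t).total_seconds() <= window]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append((ip, 'brute_force'))
        elif status == 200:
            if ip in flagged and (ip, 'credential_guessed') not in findings:
                findings.append((ip, 'credential_guessed'))
            if m.group('method') == 'PUT' or m.group('path').startswith('/manager/html/upload'):
                findings.append((ip, 'deploy'))  # manager deployments are rare; always report
    return findings


if __name__ == '__main__':
    for ip, finding in detect_manager_abuse(SAMPLE_LOG):
        print(f'{ip}: {finding}')
```

The third finding is the one that matters most: a deployment from a source that was just brute forcing the manager is the signal to pull the deployed application and isolate the host.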

MySQL Credentials

So now we’ve established the pattern that this system is riddled with weak credentials. So we’ll go ahead and load up the MySQL login scanner utility in Metasploit and have it check for weak credentials.

This will yield the MySQL dbms username of root with password root (shocking right?).

Exploiting TikiWiki

If you did any poking around earlier on your newly acquired SSH sessions you might have discovered that this system is running a vulnerable version of TikiWiki (version 1.9.5). If you research this you will discover that it is indeed vulnerable. We will also discover after doing some research that we can use the Tiki Wiki Graph Formula Execution exploit to gain another shell.

After it’s all said and done you should be left with 7 total sessions, credentials for the MySQL database as well as most of the users on the system.

Profiling Additional Services

At this time it would be a good idea to take an inventory of what we have left that we haven’t compromised. A good place to start is netstat, as it will show us what internet-facing services are available.

We see we have PostgreSQL, ProFTP, Telnet, Postfix and Apache.

Bonus Round

See if you can determine the other internet facing service that is vulnerable but wasn’t picked up in our initial nmap scan. Next time we will be exploiting that as well as harvesting credentials from our other database.

  1. Tushar Kumar says:

    Very good post DT.

  2. […] the last edition of this guide we bruteforced MySQL, exploited Apache Tomcat 5.5 and the TikiWiki 1.9.5 web […]
