Sunday, 15 January 2012

Information Gathering of Apache on Metasploitable

After bruteforcing Postgresql and MySQL, it's now time to prepare an attack to the Apache Webserver. I will try to get as much information about the webserver as possible to prepare an attack. The IP of my Metasploitable VM is

First we're starting the burp interception proxy. You can find burpsuite in the Backtrack Applications directory:

The version of burp used within BackTrack is of course only the "Free Edition" and not the "Professional Edition". Here you can get a comparison of both versions. In the future I will use the ZAP proxy provided by OWASP, but for this phase the capabilities of the burp "Free Edition" is sufficient.

To use burp as an interception proxy you just need to configure your browser to use the burpsuite as a proxy server.

When you're browsing now to the IP of Metasploitable, you will see the HTML request under the proxy Tab "intercept" in burp. This HTML requests can now be modified, forwarded or dropped.

As we already know from our successful MySQL Brute Force attack, there should be a tikiwiki installation available. And we already know the login credentials (admin:admin). So let's just give it a try:

And there is an installation of tikiwiki available :-) Now you just need to login via the  login form in the tikiwiki with the credentials admin:admin. After the successfull authentication we have to change the password, and we are already admin in the tikiwiki:

It is version 1.9.5 of TikiWiki

Now we should spider the directory of tikiwiki, to see what files and directories are available. This can be done when clicking on the "target" tab in burp. There you will see all the files and directories you just have been browsed manually. By clicking the right mouse button, a context menu will appear:

When you click on "spider this branch" burp will run through all links he can find in this branch and will create an index with all available directories and files he is finding. Through this commando you can get an overview of the web application and know what frameworks and programm languages and so an are used.

Another good method to get information about the installed webserver and modules or programming languages that are used, is to force an error. By just requesting a website that is not available, the default error pages are generating very informative error messages:

Know we know that Apache version 2.2.8 with PHP version 5.2.4 is used and that the OS is very likely an Ubuntu installation.

Nmap did also find another webserver on Port 8180:

A default installation of Tomcat version 5.5 is also available by Metasploitable. I can login via tomcat default credentials (tomcat:tomcat) to Status,  Tomcat Administration and Tomcat Manager.

So let's just sum up what we have found till now:

Apache Tomcat5.5

With this information, we should be able to find some vulnerabilities for this pretty old software in known ressources and of course some public available exploits :-)

No comments:

Post a Comment