Forum Discussion
Bronze IIIntroduction to Metasploit: Ep.9 – Demonstrate Your Skills
Please help me out here. I managed to brute for to Apache Tomcat Manager using: auxiliary/scanner/http/tomcat_mgr_login
QCC:Qlogic66
When i try to log in to site it is not working
http://10.10.10.10:9090/manager/html
I need to spawn a user level shell on the victim machine using this creds, not sure why they are not working. I need to use any of these exploits and they require a username and password :
1. exploit/multi/http/tomcat_mgr_deploy 2009-11-09
2. exploit/multi/http/tomcat_mgr_upload 2009-11-09
4 Replies
neeemuBronze III
I'd suggest double checking all the options for the exploits, little mistakes can often mess up exploits.
Be careful when copying passwords as they are case sensitive.
Do you have the correct rport set?
Try different targetURIs such as /managerFailing that, if you have the username & password you will likely be able to login to web app and upload a reverse shell then set up a listener in Metasploit using exploit/multi/handler to get a shell.
KingMashabaHi neeemu , Thanks for your response.
I tried a few things my side.
Before using the exploits, i tried checking if these creds work by firstly trying to log in to manager app on the Webui(http://<ip>:port/manager/html), it was not taking the creds.
I went to the website itself and clicked on manager, when i log in still not working. If the creds are not working on the website itself, they are not most likely not going to work with the exploits since they require same creds(username and password)
I further used scanner/http/dir_scanner to find interesting directories that i can use, managed to find this ones only
- neeemu
Be careful when copying passwords as they are case sensitive.
The password you shared is not exactly the same as shown in the image.
