Tomcat
It usually runs on port 8080
Avoid to run with root
In order to not run Tomcat with root a very common configuration is to set an Apache server in port 80/443 and, if the path requested matches a regexp, the request is send to the Tomcat running in other port.
Username Enum
In some versions prior to Tomcat6 you could enumerate users:
Default credentials
The most interesting path of Tomcat is /manager/html, inside that path you can upload and deploy war files (execute code). But this path is protected by basic TTP auth, the most common credentials are:
admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
You could test these and more using:
Bruteforce
This could be needed.
Vulns
Double URL encode
A well-known vulnerability to access the application manager __ is mod_jk in CVE-2007-1860, that allows Double URL encode path traversal.
In order to access to the management web of the Tomcat go to: pathTomcat/%252E%252E/manager/html
Take into account that to upload the webshell you could need to use the double urlencode trick and send also a cookie and/or a SSRF token. To access to backdoor you could also need to use the double urlencode trick.
/examples
The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection (from here).
/examples/jsp/num/numguess.jsp
/examples/jsp/dates/date.jsp
/examples/jsp/snp/snoop.jsp
/examples/jsp/error/error.html
/examples/jsp/sessions/carts.html
/examples/jsp/checkbox/check.html
/examples/jsp/colors/colors.html
/examples/jsp/cal/login.html
/examples/jsp/include/include.jsp
/examples/jsp/forward/forward.jsp
/examples/jsp/plugin/plugin.jsp
/examples/jsp/jsptoserv/jsptoservlet.jsp
/examples/jsp/simpletag/foo.jsp
/examples/jsp/mail/sendmail.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestParamExample
/examples/servlet/CookieExample
/examples/servlet/JndiServlet
/examples/servlet/SessionExample
/tomcat-docs/appdev/sample/web/hello.jsp
RCE
Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).
Limitations
You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details can be find under tomcat-users.xml usually defined in /usr/share/tomcat9/etc/tomcat-users.xml
(it vary between versions) (see POST section).
Metasploit
MSFVenom Reverse Shell
Then, upload the revshell.war file and access to it (/revshell/)
Bind and reverse shell with tomcatWarDeployer.py
In some scenarios this doesn't work (for example old versions of sun)
Download
Reverse shell
Bind shell
Using Culsterd
Manual method - Web shell
Create index.jsp with this content:
You could also install this (allows upload, download and command execution): http://vonloesch.de/filebrowser.html
POST
Name of tomcat credentials file is tomcat-users.xml
Other ways to gather tomcat credentials:
Last updated